Edit tour

Windows Analysis Report
8F0oMWUhg7.exe

Overview

General Information

Sample name:	8F0oMWUhg7.exe renamed because original name is a hash value
Original sample name:	ac6323cfb95cc48955949b4d2e7f91a5.exe
Analysis ID:	1557672
MD5:	ac6323cfb95cc48955949b4d2e7f91a5
SHA1:	525a7271bef3988185b4f2be7d797b2dfab8bcd0
SHA256:	a681393f417174f96a6f0814677b28d81884fb836b501de132eb0003e4782eac
Tags:	exeMeduzaStealeruser-abuse_ch
Infos:

Detection

CredGrabber, Meduza Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected CredGrabber

Yara detected Meduza Stealer

AI detected suspicious sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to launch a program with higher privileges

Contains functionality to query locales information (e.g. system language)

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found evasive API chain checking for process token information

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Queries the volume information (name, serial number etc) of a device

Queries time zone information

Suricata IDS alerts with low severity for network traffic

Terminates after testing mutex exists (may check infected machine status)

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

8F0oMWUhg7.exe (PID: 4896 cmdline: "C:\Users\user\Desktop\8F0oMWUhg7.exe" MD5: AC6323CFB95CC48955949B4D2E7F91A5)

cleanup

Malware Configuration

Threatname: Meduza Stealer

{"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "enew", "links": "", "port": 15666}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
8F0oMWUhg7.exe	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: 8F0oMWUhg7.exe PID: 4896	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
Process Memory Space: 8F0oMWUhg7.exe PID: 4896	JoeSecurity_CredGrabber	Yara detected CredGrabber	Joe Security
Process Memory Space: 8F0oMWUhg7.exe PID: 4896	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.8F0oMWUhg7.exe.7ff6ebf50000.0.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security
0.2.8F0oMWUhg7.exe.7ff6ebf50000.0.unpack	JoeSecurity_MeduzaStealer	Yara detected Meduza Stealer	Joe Security

Suricata Signatures

ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T14:28:30.771762+0100	2049441	1	A Network Trojan was detected	192.168.2.6	49710	193.3.19.151	15666	TCP

ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T14:28:30.771762+0100	2050806	1	A Network Trojan was detected	192.168.2.6	49710	193.3.19.151	15666	TCP
2024-11-18T14:28:30.776994+0100	2050806	1	A Network Trojan was detected	192.168.2.6	49710	193.3.19.151	15666	TCP

ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-18T14:28:30.771762+0100	2050807	1	A Network Trojan was detected	192.168.2.6	49710	193.3.19.151	15666	TCP
2024-11-18T14:28:30.776994+0100	2050807	1	A Network Trojan was detected	192.168.2.6	49710	193.3.19.151	15666	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 8F0oMWUhg7.exe

Malware Configuration Extractor: Meduza Stealer {"C2 url": "193.3.19.151", "grabber_max_size": 4194304, "anti_vm": true, "anti_dbg": true, "self_destruct": false, "extensions": ".txt", "build_name": "enew", "links": "", "port": 15666}

Multi AV Scanner detection for submitted file

Source: 8F0oMWUhg7.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 8F0oMWUhg7.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC7BA0 CryptUnprotectData,LocalFree,	0_2_00007FF6EBFC7BA0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC7EC0 CryptProtectData,LocalFree,	0_2_00007FF6EBFC7EC0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC8020 BCryptDecrypt,BCryptDecrypt,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6EBFC8020
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF83A30 BCryptDestroyKey,	0_2_00007FF6EBF83A30
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF87C20 CryptUnprotectData,LocalFree,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6EBF87C20
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC83C0 BCryptCloseAlgorithmProvider,_invalid_parameter_noinfo_noreturn,	0_2_00007FF6EBFC83C0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC8440 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,	0_2_00007FF6EBFC8440

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49711 version: TLS 1.2

Source: 8F0oMWUhg7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EC00B5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,		0_2_00007FF6EC00B5B0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EC00B500 FindClose,FindFirstFileExW,GetLastError,		0_2_00007FF6EC00B500

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFD73F0 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6EBFD73F0

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049441 - Severity 1 - ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt : 192.168.2.6:49710 -> 193.3.19.151:15666
Source: Network traffic	Suricata IDS: 2050806 - Severity 1 - ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2 : 192.168.2.6:49710 -> 193.3.19.151:15666

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 193.3.19.151:15666

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View	IP Address: 104.26.12.205 104.26.12.205

Source: Joe Sandbox View

ASN Name: ARNES-NETAcademicandResearchNetworkofSloveniaSI ARNES-NETAcademicandResearchNetworkofSloveniaSI

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic

Suricata IDS: 2050807 - Severity 1 - ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP) : 192.168.2.6:49710 -> 193.3.19.151:15666

Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151
Source: unknown	TCP traffic detected without corresponding DNS query: 193.3.19.151

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFD4A30 recv,recv,closesocket,WSACleanup,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6EBFD4A30

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Accept: text/html; text/plain; */*Host: api.ipify.orgCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: api.ipify.org

Source: 8F0oMWUhg7.exe, 00000000.00000003.2189504933.00000170D0781000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2287442237.00000170D0790000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2287413441.00000170D0790000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2287552722.00000170D0794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ns.microsoft.t/Regi
Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDFA1000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2190136548.00000170CDFB7000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.orgN
Source: 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: 8F0oMWUhg7.exe, 00000000.00000003.2208740371.00000170D0A48000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2210217485.00000170CDFDE000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: 8F0oMWUhg7.exe, 00000000.00000003.2208740371.00000170D0A48000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2210217485.00000170CDFDE000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 8F0oMWUhg7.exe, 00000000.00000003.2220956682.00000170CE008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.co
Source: 8F0oMWUhg7.exe, 00000000.00000003.2220956682.00000170CE008000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.coan
Source: 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFDE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org
Source: 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFE44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFE44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: 8F0oMWUhg7.exe, 00000000.00000003.2208740371.00000170D0A48000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2210217485.00000170CDFDE000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: 8F0oMWUhg7.exe, 00000000.00000003.2206721017.00000170D1503000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFDE8000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2208386177.00000170D0B01000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFEBB000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFE3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFDE0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org#
Source: 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFE44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFE44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: 8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFE44000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443

Source: unknown

HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49711 version: TLS 1.2

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFD5B70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,GetDeviceCaps,GetDeviceCaps,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SHCreateMemStream,SelectObject,DeleteDC,ReleaseDC,DeleteObject,EnterCriticalSection,LeaveCriticalSection,IStream_Size,IStream_Reset,IStream_Read,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

0_2_00007FF6EBFD5B70

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFD9D30 GetModuleHandleA,GetProcAddress,OpenProcess,NtQuerySystemInformation,NtQuerySystemInformation,GetCurrentProcess,NtQueryObject,GetFinalPathNameByHandleA,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,		0_2_00007FF6EBFD9D30
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFDA430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,		0_2_00007FF6EBFDA430

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF7FE20	0_2_00007FF6EBF7FE20
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFF2E3C	0_2_00007FF6EBFF2E3C
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF99F80	0_2_00007FF6EBF99F80
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFCF020	0_2_00007FF6EBFCF020
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFDD050	0_2_00007FF6EBFDD050
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFBD080	0_2_00007FF6EBFBD080
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF820B0	0_2_00007FF6EBF820B0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFB5970	0_2_00007FF6EBFB5970
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF8CA10	0_2_00007FF6EBF8CA10
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFD5B70	0_2_00007FF6EBFD5B70
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF84B70	0_2_00007FF6EBF84B70
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF81B90	0_2_00007FF6EBF81B90
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF82CA0	0_2_00007FF6EBF82CA0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF8ECB0	0_2_00007FF6EBF8ECB0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF8D570	0_2_00007FF6EBF8D570
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EC00B5B0	0_2_00007FF6EC00B5B0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFDC5CB	0_2_00007FF6EBFDC5CB
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF8E610	0_2_00007FF6EBF8E610
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EC010658	0_2_00007FF6EC010658
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFD76A0	0_2_00007FF6EBFD76A0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF7F730	0_2_00007FF6EBF7F730
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFD6860	0_2_00007FF6EBFD6860
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE918C	0_2_00007FF6EBFE918C
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFD5240	0_2_00007FF6EBFD5240
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF95310	0_2_00007FF6EBF95310
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFD8330	0_2_00007FF6EBFD8330
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFB6350	0_2_00007FF6EBFB6350
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF80450	0_2_00007FF6EBF80450
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC4D40	0_2_00007FF6EBFC4D40
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE8D50	0_2_00007FF6EBFE8D50
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF55DB0	0_2_00007FF6EBF55DB0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFABDD0	0_2_00007FF6EBFABDD0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF8ADD0	0_2_00007FF6EBF8ADD0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF87E70	0_2_00007FF6EBF87E70
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF80E80	0_2_00007FF6EBF80E80
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFD0E90	0_2_00007FF6EBFD0E90
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC5EF0	0_2_00007FF6EBFC5EF0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF8BF40	0_2_00007FF6EBF8BF40
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EC00FFBC	0_2_00007FF6EC00FFBC
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFF30B8	0_2_00007FF6EBFF30B8
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFEF0D8	0_2_00007FF6EBFEF0D8
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF570E0	0_2_00007FF6EBF570E0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFAC0F0	0_2_00007FF6EBFAC0F0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFFC128	0_2_00007FF6EBFFC128
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF83A30	0_2_00007FF6EBF83A30
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFF6A68	0_2_00007FF6EBFF6A68
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF80A80	0_2_00007FF6EBF80A80
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFABAB0	0_2_00007FF6EBFABAB0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC5AB0	0_2_00007FF6EBFC5AB0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFB0AC0	0_2_00007FF6EBFB0AC0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFA1AF0	0_2_00007FF6EBFA1AF0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC8B00	0_2_00007FF6EBFC8B00
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFFBB90	0_2_00007FF6EBFFBB90
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFA7CEB	0_2_00007FF6EBFA7CEB
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE0D14	0_2_00007FF6EBFE0D14
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFD6540	0_2_00007FF6EBFD6540
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE5598	0_2_00007FF6EBFE5598
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF56610	0_2_00007FF6EBF56610
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFF8674	0_2_00007FF6EBFF8674
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE666C	0_2_00007FF6EBFE666C
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFF36A8	0_2_00007FF6EBFF36A8
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFF46E4	0_2_00007FF6EBFF46E4
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFA4720	0_2_00007FF6EBFA4720
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFB2750	0_2_00007FF6EBFB2750
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFAB780	0_2_00007FF6EBFAB780
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFDA780	0_2_00007FF6EBFDA780
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE579C	0_2_00007FF6EBFE579C
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFEF7E6	0_2_00007FF6EBFEF7E6
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF898CD	0_2_00007FF6EBF898CD
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFCC8E0	0_2_00007FF6EBFCC8E0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFEA924	0_2_00007FF6EBFEA924
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE3150	0_2_00007FF6EBFE3150
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE6164	0_2_00007FF6EBFE6164
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF56180	0_2_00007FF6EBF56180
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFF71D8	0_2_00007FF6EBFF71D8
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE1220	0_2_00007FF6EBFE1220
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC02C0	0_2_00007FF6EBFC02C0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFCE2F0	0_2_00007FF6EBFCE2F0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE5394	0_2_00007FF6EBFE5394
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFC63A6	0_2_00007FF6EBFC63A6
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF783D0	0_2_00007FF6EBF783D0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFFA3C8	0_2_00007FF6EBFFA3C8
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFAC420	0_2_00007FF6EBFAC420
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFCB420	0_2_00007FF6EBFCB420
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFDA430	0_2_00007FF6EBFDA430
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFFA44F	0_2_00007FF6EBFFA44F
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFAB480	0_2_00007FF6EBFAB480
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFF14E4	0_2_00007FF6EBFF14E4
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF76510	0_2_00007FF6EBF76510
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBF75520	0_2_00007FF6EBF75520

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: String function: 00007FF6EBF986B0 appears 54 times
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: String function: 00007FF6EBFE8254 appears 34 times
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: String function: 00007FF6EBF7E1D0 appears 33 times
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: String function: 00007FF6EBF86940 appears 41 times
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: String function: 00007FF6EBF7BA80 appears 32 times

Source: classification engine

Classification label: mal100.troj.spyw.winEXE@1/0@1/2

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFDB9B0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,

0_2_00007FF6EBFDB9B0

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBF8E610 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6EBF8E610

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFC4D40 CoInitializeEx,CoInitializeSecurity,CoCreateInstance,CoSetProxyBlanket,SysAllocStringByteLen,SysFreeString,SysAllocStringByteLen,SysFreeString,SysStringByteLen,SysStringByteLen,SysFreeString,SysFreeString,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6EBFC4D40

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Mutant created: \Sessions\1\BaseNamedObjects\Mmm-A33C734061CA11EE8C18806E6F6E6963E2D9E553

Source: 8F0oMWUhg7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 8F0oMWUhg7.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: 8F0oMWUhg7.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: 8F0oMWUhg7.exe

Static file information: File size 1292800 > 1048576

Source: 8F0oMWUhg7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 8F0oMWUhg7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 8F0oMWUhg7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 8F0oMWUhg7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 8F0oMWUhg7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 8F0oMWUhg7.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 8F0oMWUhg7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: 8F0oMWUhg7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 8F0oMWUhg7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 8F0oMWUhg7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 8F0oMWUhg7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 8F0oMWUhg7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 8F0oMWUhg7.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBF8D570 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6EBF8D570

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBF9CAB2 push rdi; retf 0004h

0_2_00007FF6EBF9CAB5

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFCC600 ExitProcess,OpenMutexA,ExitProcess,CreateMutexExA,ExitProcess,ReleaseMutex,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6EBFCC600

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-64527

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EC00B5B0 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,		0_2_00007FF6EC00B5B0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EC00B500 FindClose,FindFirstFileExW,GetLastError,		0_2_00007FF6EC00B500

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFD73F0 GetLogicalDriveStringsW,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6EBFD73F0

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFE9038 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_00007FF6EBFE9038

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\migration\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\replacementmanifests\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\migration\wtr\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\replacementmanifests\microsoft-activedirectory-webservices\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\replacementmanifests\microsoft-client-license-platform-service-migration\	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: D:\sources\replacementmanifests\hwvid-migration-2\	Jump to behavior

Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 8F0oMWUhg7.exe, 00000000.00000003.2285333586.00000170D09F4000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000002.2288727259.00000170D09F4000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2286913636.00000170D09F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: sQESKgDDWxvI+5plRl0mqyGVpPublicSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: 8F0oMWUhg7.exe, 00000000.00000003.2200160738.00000170D09F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: TvruvX0RyBJtK5EljSQn7R3Mf99TpJ62JbtngcXFAoOeSKwqFovFqlMk5T/ORnG0CJbjq+zs4uyPb2fXo+m3s4tvZ5PB00CRbdWw5IEyUBRpMrga6Kpm2wN1YH47k0DqL1lB+3dQqLKsaGhUZKl4YRi2BmateFY02zHxbIhn2dY1E60Ds3h2FFs3IcAoGGTLcNAdRBQUIJEVg/ovCXRTUepndOmYat2jrNqqBuWNgaGWfVqqYuH/A7XSSjYMFTLKZ4wZnSoDq3yWLctBu1VqqSoq0Tvls2kackMH2VC0hk6yY6kauAdK1YEOJdCBUz5rjqnXCsiOI9ty3S7bjmWQ0fkccAYVJE2NYXm7oaGpGZZBZqsZFINmRi/NhkE1JoKGaDoNszmOabSeDdNsdoAhqa2JxMTaA32gVAQwqd4QAI0UvWkTXdZhkfoZE6U0TaBamt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKg
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDFCD000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2190136548.00000170CDFCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDFCD000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2190136548.00000170CDFCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW'
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDF68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 8F0oMWUhg7.exe, 00000000.00000003.2285333586.00000170D09F4000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000002.2288727259.00000170D09F4000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2286913636.00000170D09F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3yHgGzY6tEzFmBea/UBzFhAmYb1oqHrA2HYnHoIDc0qDg5jN/iSm+UGwHYbQqqkRJVpdhCsWfEsDQs2YatlmgMvGsygRH9PIZM241n1Wg2QJriGdD15v8AEBGUz5wmlUAhSdeuRka5XGneIZTmGpDHsAMQJpeyqP8xYFGCRUAjTnqs8pnAw7ZfJaRM+v+EFLwrtaPnqkMBbgxavDBYWANPixOUg4B+VzjJUjJYCBsUJclzNAchyM4pexDM02OhsoxyzrVD0C6Arsg91oEjxRVPKLcNQkNKVbxTCUW6soC2egIZoCPA7t4NFXTGOgK4Ztqmq9iAIBoyJ0taxTdWMw6zUbRFVnX0UrMS8+qbjpa49lGwqehC3MjgPLqrkBUFpyDPwpFUfupRlk6QW9NIcWAwPgjCgxdK6okaC1DF0K1ohFZDl5jASmKR3itQzUXpUraHaACX6vQ/9XAsTV4DSBo7dk3QZrlT5uo4dswPOpnsJUzg7nmNYtWoEgESZWcUTH2xOwuFIKgJgfVnHTK+JLmAb/RowJPMKhAsCv3xIKp3A3J0bIrT6Kneikg7dvk+GJmkHFttaJEguSLSv129ueZxPU8u/jjbOh58SbK79gHC6fbyHtiXugGa2piEQXxG+bmG0Cus4t/nq2zXfIR5aooh8B19rBJQYmQ20FEfz4uFqfTRmf/+lM6Ex746uEtS7v0ouFUMm83c8HpZ5PQzRdxuv47EQAZ9PEP/ZL6ecyVbL+8hOSJm6+yF+1A6ySN83i+WdwHy5TP6AGa54yNOQDMt0K/OHXfg+kqThLIfk6QFsLDCjZdpZTGOzjUsCOwZe5C6Gi8Q8TVSedBLpSfsvQj8BDp18kmZ3ex54YP0+Gs0yuOc0oHyahpuklKSN9DNVuBZhWH/uMHS1PAuQ5a2Lju9F/SWeKm7prBc0jVP84iPJxdnHVJ/HDDDbXL54Z89qdU0Vcin6gqmwXrJjGgP4IA8IR19qewIwTnUCQdrTZp1GW0u9j1R6sUgPUrm2c5cvXl9oot3E2Yi+lA6TVxs+wzTv0RyoJlnAb/LVyrQ+JXXkt08JQiqZojt7zmAq6A6TMAI3d99XjZOb1H2Ej05cPkbrRi3jsQ/1cA/+FiEaSdYURoSjyCbui7SR58sFKCEAn3HKH4uwm3eDW6eeqSVnn3vRu5S+ZPUrZgKYs8lgl1/fYieGCfbdnVWn1in27qZ19Yfhv4WKpf3SAPgywfR4sYK3wdc8VGoHmK3TWFL5jmOUHB49Ogy2jYoedRvh3h9D96fGhUBv0WbVKW3Fxq4ViXVL2x9N
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 8F0oMWUhg7.exe, 00000000.00000003.2194132118.00000170D0ABA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

API call chain: ExitProcess graph end node

graph_0-64469

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFDA430 RtlAcquirePebLock,NtAllocateVirtualMemory,lstrcpyW,lstrcatW,NtAllocateVirtualMemory,lstrcpyW,RtlInitUnicodeString,RtlInitUnicodeString,LdrEnumerateLoadedModules,RtlReleasePebLock,_invalid_parameter_noinfo_noreturn,CoInitializeEx,lstrcpyW,lstrcatW,CoGetObject,lstrcpyW,lstrcatW,CoGetObject,CoUninitialize,

0_2_00007FF6EBFDA430

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFE7F68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF6EBFE7F68

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EC00D804 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF6EC00D804

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

0_2_00007FF6EBF8D570

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFF9EEC GetProcessHeap,

0_2_00007FF6EBFF9EEC

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFE7F68 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00007FF6EBFE7F68
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: 0_2_00007FF6EBFFEC08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00007FF6EBFFEC08

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFCB420 ShellExecuteW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF6EBFCB420

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6EBFF8F60
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: GetLocaleInfoW,	0_2_00007FF6EBFEE020
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6EBFF9030
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6EBFF90C8
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: EnumSystemLocalesW,	0_2_00007FF6EBFEDAE0
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF6EBFF8C04
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF6EBFF964C
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_00007FF6EC00B170
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: GetLocaleInfoW,	0_2_00007FF6EBFF9310
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF6EBFF9468
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Code function: GetLocaleInfoW,	0_2_00007FF6EBFF9518

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation TimeZoneKeyName

Jump to behavior

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFFF908 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6EBFFF908

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFD6150 GetUserNameW,

0_2_00007FF6EBFD6150

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Code function: 0_2_00007FF6EBFF2E3C _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF6EBFF2E3C

Stealing of Sensitive Information

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: 8F0oMWUhg7.exe PID: 4896, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 8F0oMWUhg7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.8F0oMWUhg7.exe.7ff6ebf50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8F0oMWUhg7.exe.7ff6ebf50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8F0oMWUhg7.exe PID: 4896, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Electrum-LTC\wallets
Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ElectronCash\config
Source: 8F0oMWUhg7.exe, 00000000.00000003.2234868057.00000170D318F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "software": "Ny1aaXAgMjMuMDEgKHg2NCkgWzIzLjAxXQpNb3ppbGxhIEZpcmVmb3ggKHg2NCBlbi1VUykgWzExOC4wLjFdCk1vemlsbGEgTWFpbnRlbmFuY2UgU2VydmljZSBbMTE4LjAuMV0KTWljcm9zb2Z0IE9mZmljZSBQcm9mZXNzaW9uYWwgUGx1cyAyMDE5IC0gZW4tdXMgWzE2LjAuMTY4MjcuMjAxMzBdCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMjIgWDY0IEFkZGl0aW9uYWwgUnVudGltZSAtIDE0LjM2LjMyNTMyIFsxNC4zNi4zMjUzMl0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBMaWNlbnNpbmcgQ29tcG9uZW50IFsxNi4wLjE2ODI3LjIwMTMwXQpPZmZpY2UgMTYgQ2xpY2stdG8tUnVuIEV4dGVuc2liaWxpdHkgQ29tcG9uZW50IDY0LWJpdCBSZWdpc3RyYXRpb24gWzE2LjAuMTY4MjcuMjAwNTZdCkFkb2JlIEFjcm9iYXQgKDY0LWJpdCkgWzIzLjAwNi4yMDMyMF0KTWljcm9zb2Z0IFZpc3VhbCBDKysgMjAyMiBYNjQgTWluaW11bSBSdW50aW1lIC0gMTQuMzYuMzI1MzIgWzE0LjM2LjMyNTMyXQpHb29nbGUgQ2hyb21lIFsxMTcuMC41OTM4LjEzNF0KTWljcm9zb2Z0IEVkZ2UgWzExNy4wLjIwNDUuNTVdCk1pY3Jvc29mdCBFZGdlIFVwZGF0ZSBbMS4zLjE3Ny4xMV0KTWljcm9zb2Z0IEVkZ2UgV2ViVmlldzIgUnVudGltZSBbMTE3LjAuMjA0NS40N10KSmF2YSBBdXRvIFVwZGF0ZXIgWzIuOC4zODEuOV0KSmF2YSA4IFVwZGF0ZSAzODEgWzguMC4zODEwLjldCk1pY3Jvc29mdCBWaXN1YWwgQysrIDIwMTUtMjAyMiBSZWRpc3RyaWJ1dGFibGUgKHg2NCkgLSAxNC4zNi4zMjUzMiBbMTQuMzYuMzI1MzIuMF0KT2ZmaWNlIDE2IENsaWNrLXRvLVJ1biBFeHRlbnNpYmlsaXR5IENvbXBvbmVudCBbMTYuMC4xNjgyNy4yMDEzMF0K",
Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Exodus\exodus.wallet
Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore
Source: 8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Ethereum\keystore

Tries to harvest and steal Bitcoin Wallet information

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOCK	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\8F0oMWUhg7.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\8F0oMWUhg7.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Yara match

File source: Process Memory Space: 8F0oMWUhg7.exe PID: 4896, type: MEMORYSTR

Remote Access Functionality

Yara detected CredGrabber

Source: Yara match

File source: Process Memory Space: 8F0oMWUhg7.exe PID: 4896, type: MEMORYSTR

Yara detected Meduza Stealer

Source: Yara match	File source: 8F0oMWUhg7.exe, type: SAMPLE
Source: Yara match	File source: 0.0.8F0oMWUhg7.exe.7ff6ebf50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.8F0oMWUhg7.exe.7ff6ebf50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 8F0oMWUhg7.exe PID: 4896, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Access Token Manipulation	1 OS Credential Dumping	12 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Email Collection	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Account Discovery	Distributed Component Object Model	2 Data from Local System	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
8F0oMWUhg7.exe	24%	ReversingLabs
8F0oMWUhg7.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://api.ipify.orgN	0%	Avira URL Cloud	safe
https://go.microsoft.coan	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
api.ipify.org	104.26.12.205	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.ipify.orgN	8F0oMWUhg7.exe, 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.microsoft.co	8F0oMWUhg7.exe, 00000000.00000003.2220956682.00000170CE008000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt	8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFE44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	8F0oMWUhg7.exe, 00000000.00000003.2208740371.00000170D0A48000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2210217485.00000170CDFDE000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.microsoft.coan	8F0oMWUhg7.exe, 00000000.00000003.2220956682.00000170CE008000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	8F0oMWUhg7.exe, 00000000.00000003.2208740371.00000170D0A48000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2210217485.00000170CDFDE000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org	8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFDE0000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ns.microsoft.t/Regi	8F0oMWUhg7.exe, 00000000.00000003.2189504933.00000170D0781000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2287442237.00000170D0790000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2287413441.00000170D0790000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2287552722.00000170D0794000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	8F0oMWUhg7.exe, 00000000.00000003.2201970579.00000170CFE44000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	8F0oMWUhg7.exe, 00000000.00000003.2208740371.00000170D0A48000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2210217485.00000170CDFDE000.00000004.00000020.00020000.00000000.sdmp, 8F0oMWUhg7.exe, 00000000.00000003.2209282971.00000170D0968000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.12.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
193.3.19.151	unknown	Denmark		2107	ARNES-NETAcademicandResearchNetworkofSloveniaSI	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1557672
Start date and time:	2024-11-18 14:27:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8F0oMWUhg7.exe renamed because original name is a hash value
Original Sample Name:	ac6323cfb95cc48955949b4d2e7f91a5.exe
Detection:	MAL
Classification:	mal100.troj.spyw.winEXE@1/0@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 93 Number of non-executed functions: 90
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 8F0oMWUhg7.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.12.205	Ransomware Mallox.exe	Get hash	malicious	Targeted Ransomware	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	6706e721f2c06.exe	Get hash	malicious	Remcos	Browse	api.ipify.org/
	perfcc.elf	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	SecuriteInfo.com.Win32.MalwareX-gen.16395.23732.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	hloRQZmlfg.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	[Inquiry] mv Palmela - CE replacement at your port, oa Nov. 22nd.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Ziraat_Bankasi_Swift_Mesaji_BXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.13.205
	Ziraat_Bankasi_Swift_Mesaji_DXB04958T.cmd	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	104.26.13.205
	SOA.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	PEACE SHIP PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	ZHENGHE 3_Q88 20241118.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	F8TXbAdG3G.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	EternalPredictor.exe	Get hash	malicious	Blank Grabber, Skuld Stealer, XWorm	Browse	172.67.74.152
	skuld.exe	Get hash	malicious	Skuld Stealer	Browse	104.26.13.205
	chelentano.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	172.67.74.152

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ARNES-NETAcademicandResearchNetworkofSloveniaSI	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	95.87.151.60
	yakuza.mips.elf	Get hash	malicious	Unknown	Browse	194.249.92.194
	HRU6b08mmd.exe	Get hash	malicious	Amadey, Healer AV Disabler, PureLog Stealer, RedLine	Browse	193.3.19.154
	Josho.x86.elf	Get hash	malicious	Unknown	Browse	95.87.138.87
	h0r0zx00x.x86.elf	Get hash	malicious	Mirai	Browse	141.255.194.230
	belks.ppc.elf	Get hash	malicious	Mirai	Browse	95.87.151.62
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	193.2.192.118
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	88.200.51.87
	https://zupimages.net/up/24/42/ol13.jpg?d6mSMvU0ZvpGwffnuqPHYMR7NvlxIzVjDfTD4YJjdRSCOcc	Get hash	malicious	Unknown	Browse	193.3.178.3
	l6G93s9XLN.elf	Get hash	malicious	Mirai	Browse	95.87.151.49
CLOUDFLARENETUS	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	104.16.123.96
	New Order Data sheet Page.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	https://tipicopisco.com/go/bebek.txt	Get hash	malicious	Unknown	Browse	1.1.1.1
	bPRQRIfbbq.exe	Get hash	malicious	Unknown	Browse	172.67.69.226
	AD6dpKQm7n.exe	Get hash	malicious	Unknown	Browse	104.16.124.96
	phish_alert_sp1_1.0.0.0.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	AD6dpKQm7n.exe	Get hash	malicious	Unknown	Browse	104.16.124.96
	emes.bat	Get hash	malicious	Unknown	Browse	104.16.231.132
	PO 20495088.exe	Get hash	malicious	FormBook	Browse	104.21.74.79

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	P6uSqL3TTL.exe	Get hash	malicious	GhostRat, Mimikatz, Nitol	Browse	104.26.12.205
	Factura Honorarios 2024-11-17.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.12.205
	JOSHHHHHH.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.12.205
	Richiesta Proposta (MACHINES ITALIA) 18-11-2024#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	104.26.12.205
	Unlock_Tool_v2.6.5.exe	Get hash	malicious	Stealc, Vidar	Browse	104.26.12.205
	DHL_Shipping_Invoices_Awb_BL_000000000111820242247820020031808174Global180030011182024.vbs	Get hash	malicious	GuLoader, Remcos	Browse	104.26.12.205
	rBankRemittance_pdf.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	104.26.12.205
	rCEMG242598.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.12.205
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	104.26.12.205
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.26.12.205

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.519483490367315
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	8F0oMWUhg7.exe
File size:	1'292'800 bytes
MD5:	ac6323cfb95cc48955949b4d2e7f91a5
SHA1:	525a7271bef3988185b4f2be7d797b2dfab8bcd0
SHA256:	a681393f417174f96a6f0814677b28d81884fb836b501de132eb0003e4782eac
SHA512:	34bc32f1e5c578a4b0e438311828d390ba6b657aafc018294a22db16697e5313693cce40996cfb31d55eb5f25e0713f835b1933620b1f23b0ea5732e7518e9df
SSDEEP:	24576:W2hVX3mzctl0cJQEcUKs9MjemJ5gx1wj7h0lhSMXl54Tud:9TX3yctl0E1Ks+egCx+jKp4T6
TLSH:	B8555B65195C03E9D8BE9138DEAB8A12F575380903B1E7EB1AD147921FE37E09E3E350
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.7./.d./.d./.d.W.e./.d.W.e./.d...e./.d...e./.d...e./.d...e./.d.W.e8/.d.W.e./.d.W.e./.d./.d...d.W.e./.d...e./.d..>d./.d...e./.

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1400af220
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x673B35F5 [Mon Nov 18 12:41:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	0095cfee1cdfcef936c4c086b6b4fe85

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBF94B49964h
dec eax
add esp, 28h
jmp 00007FBF94B490FFh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FBF94B49292h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FBF94B49295h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007FBF94B4928Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FBF94B48836h
int3
and dword ptr [00087639h], 00000000h
ret
dec eax
mov dword ptr [esp+08h], ebx
push ebp
dec eax
lea ebp, dword ptr [esp-000004C0h]
dec eax
sub esp, 000005C0h
mov ebx, ecx
mov ecx, 00000017h
call dword ptr [0002600Eh]
test eax, eax
je 00007FBF94B49286h
mov ecx, ebx
int 29h
mov ecx, 00000003h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12df68	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x13f000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x138000	0x6c18	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x140000	0xd3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1183c0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x118580	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x118280	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xd5000	0x778	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xd3290	0xd3400	1e7cc584bbe8c210fc8e52d1759b2f82	False	0.4169517381656805	zlib compressed data	6.321993088475943	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xd5000	0x5a878	0x5aa00	bacdbd3defa9877219334eb9a9ea5683	False	0.4009186422413793	data	6.306972634139164	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x130000	0x7ce4	0x5a00	6bc2f26b443764d2872d13f9d896878b	False	0.08211805555555556	data	4.536476287471787	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x138000	0x6c18	0x6e00	c6eecc837e87b0c200a192a62ab8b009	False	0.4799715909090909	data	5.967062390694732	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x13f000	0x1e0	0x200	3bdf73d69c827b52e4eecca5ab7e253d	False	0.533203125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x140000	0xd3c	0xe00	d6a7436fce611f2c2c78378799be5f90	False	0.48604910714285715	data	5.34163148644649	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x13f060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
WS2_32.dll	closesocket, inet_pton, WSAStartup, send, socket, connect, recv, WSACleanup, htons
CRYPT32.dll	CryptUnprotectData, CryptProtectData
WININET.dll	InternetOpenW, InternetCloseHandle, InternetReadFile, InternetQueryDataAvailable, HttpQueryInfoW, InternetOpenUrlA, InternetOpenA
ntdll.dll	NtQuerySystemInformation, RtlInitUnicodeString, LdrEnumerateLoadedModules, RtlAcquirePebLock, RtlReleasePebLock, NtQueryObject, NtAllocateVirtualMemory
RstrtMgr.DLL	RmGetList, RmStartSession, RmEndSession, RmRegisterResources
bcrypt.dll	BCryptCloseAlgorithmProvider, BCryptOpenAlgorithmProvider, BCryptDecrypt, BCryptDestroyKey, BCryptGenerateSymmetricKey, BCryptSetProperty
KERNEL32.dll	GetFileInformationByHandleEx, AreFileApisANSI, FindFirstFileW, FindNextFileW, FindClose, OpenProcess, CreateToolhelp32Snapshot, Process32NextW, LoadLibraryA, Process32FirstW, CloseHandle, GetSystemInfo, GetProcAddress, LocalFree, FreeLibrary, GetLastError, ExitProcess, MultiByteToWideChar, WideCharToMultiByte, VirtualAlloc, ReadFile, WriteFile, CreateFileW, GetFileSize, GetCurrentProcess, VirtualQuery, GetStdHandle, TerminateProcess, CreateMutexA, ReleaseMutex, OpenMutexA, GetModuleFileNameA, GetVolumeInformationW, GetGeoInfoA, HeapFree, EnterCriticalSection, GetModuleFileNameW, GetProcessId, LeaveCriticalSection, SetFilePointer, InitializeCriticalSectionEx, FreeEnvironmentStringsW, GetModuleHandleA, HeapSize, GetLogicalDriveStringsW, GetFinalPathNameByHandleA, GetTimeZoneInformation, lstrcatW, HeapReAlloc, HeapAlloc, GetComputerNameW, GetProcessHeap, GlobalMemoryStatusEx, GetModuleHandleW, lstrcpyW, GetEnvironmentStringsW, SetLastError, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcessId, GetSystemTimeAsFileTime, VirtualProtect, GetFileSizeEx, SetFilePointerEx, GetCurrentThreadId, GetFileType, GetStartupInfoW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetTempPathW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionAndSpinCount, LoadLibraryExW, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, SetEndOfFile, EnumSystemLocalesW, ReadConsoleW, RaiseException, GetModuleHandleExW, SetStdHandle, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetStringTypeW, WriteConsoleW, OutputDebugStringW, SetEnvironmentVariableW, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, QueryPerformanceCounter, InitializeSListHead, RtlUnwindEx, RtlUnwind, RtlPcToFileHeader, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetFileAttributesExW, GetFileAttributesW, FindFirstFileExW, GetCurrentDirectoryW, GetNativeSystemInfo, LCMapStringEx, CompareStringEx, DecodePointer, DeleteCriticalSection, GetCommandLineA, GetCommandLineW, GetUserGeoID, GetUserDefaultLCID, GetLocaleInfoEx, FormatMessageA
USER32.dll	GetWindowRect, ReleaseDC, GetDesktopWindow, EnumDisplayDevicesW, GetSystemMetrics, GetDC
GDI32.dll	BitBlt, CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, GetDeviceCaps, DeleteDC, GetObjectW, DeleteObject
ADVAPI32.dll	LookupPrivilegeValueW, AdjustTokenPrivileges, GetCurrentHwProfileW, RegCloseKey, RegGetValueA, RegQueryValueExA, RegOpenKeyExA, GetUserNameW, RegEnumKeyExA, RevertToSelf, ConvertSidToStringSidA, ImpersonateLoggedOnUser, OpenProcessToken, DuplicateTokenEx, GetTokenInformation, CredEnumerateA, CredFree
SHELL32.dll	SHGetKnownFolderPath, ShellExecuteW
ole32.dll	CoTaskMemFree, CoGetObject, CoCreateInstance, CoUninitialize, CoSetProxyBlanket, CoInitializeSecurity, CoInitializeEx
OLEAUT32.dll	SysStringByteLen, SysAllocStringByteLen, SysFreeString
SHLWAPI.dll
gdiplus.dll	GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdiplusShutdown, GdiplusStartup, GdipCloneImage, GdipAlloc, GdipCreateBitmapFromScan0, GdipCreateBitmapFromHBITMAP, GdipSaveImageToStream, GdipGetImageEncoders

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-18T14:28:30.771762+0100	2049441	ET MALWARE Win32/Unknown Grabber Base64 Data Exfiltration Attempt	1	192.168.2.6	49710	193.3.19.151	15666	TCP
2024-11-18T14:28:30.771762+0100	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.6	49710	193.3.19.151	15666	TCP
2024-11-18T14:28:30.771762+0100	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.6	49710	193.3.19.151	15666	TCP
2024-11-18T14:28:30.776994+0100	2050806	ET MALWARE [ANY.RUN] Meduza Stealer Exfiltration M2	1	192.168.2.6	49710	193.3.19.151	15666	TCP
2024-11-18T14:28:30.776994+0100	2050807	ET MALWARE [ANY.RUN] Possible Meduza Stealer Exfiltration (TCP)	1	192.168.2.6	49710	193.3.19.151	15666	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 18, 2024 14:28:23.504689932 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:23.509773970 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:23.509849072 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:24.267546892 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:24.267592907 CET	443	49711	104.26.12.205	192.168.2.6
Nov 18, 2024 14:28:24.267687082 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:24.300579071 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:24.300621033 CET	443	49711	104.26.12.205	192.168.2.6
Nov 18, 2024 14:28:24.918097973 CET	443	49711	104.26.12.205	192.168.2.6
Nov 18, 2024 14:28:24.918395996 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:25.269002914 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:25.269031048 CET	443	49711	104.26.12.205	192.168.2.6
Nov 18, 2024 14:28:25.269510984 CET	443	49711	104.26.12.205	192.168.2.6
Nov 18, 2024 14:28:25.269649029 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:25.271302938 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:25.315336943 CET	443	49711	104.26.12.205	192.168.2.6
Nov 18, 2024 14:28:25.446847916 CET	443	49711	104.26.12.205	192.168.2.6
Nov 18, 2024 14:28:25.446948051 CET	443	49711	104.26.12.205	192.168.2.6
Nov 18, 2024 14:28:25.447026014 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:25.447058916 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:25.447921991 CET	49711	443	192.168.2.6	104.26.12.205
Nov 18, 2024 14:28:25.447952032 CET	443	49711	104.26.12.205	192.168.2.6
Nov 18, 2024 14:28:30.771761894 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.776866913 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.776892900 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.776911020 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.776920080 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.776993990 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.777012110 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.777029037 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.777070045 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.777077913 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.777110100 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.777133942 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.777158022 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.777168036 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.777221918 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.781980991 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.781994104 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782090902 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782108068 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782216072 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.782265902 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.782279015 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782289028 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782335997 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.782339096 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782385111 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782407999 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782409906 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.782428980 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.782439947 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782440901 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.782473087 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782490969 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.782515049 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.782520056 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.782556057 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787167072 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787230015 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787239075 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787260056 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787298918 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787308931 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787334919 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787348032 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787379026 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787399054 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787422895 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787441969 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787488937 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787497997 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787502050 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787506104 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787517071 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787564039 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787586927 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787595987 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787604094 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787633896 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787636042 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787642956 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787651062 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787676096 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787678957 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787687063 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787704945 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787715912 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787753105 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787761927 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787777901 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.787811041 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.787823915 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792222023 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792232990 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792244911 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792253017 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792269945 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792279005 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792292118 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792294979 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792304993 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792308092 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792321920 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792324066 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792331934 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792362928 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792378902 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792382956 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792397976 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792412043 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792421103 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792435884 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792439938 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792444944 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792454958 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792475939 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792484999 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792500973 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792516947 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792516947 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792526007 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792531967 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792567968 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792570114 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792582989 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792598009 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792607069 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792619944 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792654037 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792674065 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792691946 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792700052 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792715073 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792723894 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792732954 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792746067 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792747021 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792757988 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792768002 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792781115 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792789936 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792795897 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792800903 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792820930 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792824984 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792850018 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792871952 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792891979 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792902946 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792949915 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792956114 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.792958975 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792963982 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792984962 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.792996883 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793016911 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793025970 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793035030 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793050051 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793078899 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793096066 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793104887 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793112993 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793121099 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793132067 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793153048 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793157101 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793168068 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793178082 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793181896 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793203115 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793210030 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793211937 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793237925 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793256998 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793266058 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793320894 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793350935 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793359995 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793386936 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793395996 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793425083 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793436050 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793445110 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793452978 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793456078 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793468952 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793473005 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793483019 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793520927 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.793524981 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793534994 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.793586969 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797190905 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797207117 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797214985 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797229052 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797238111 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797240973 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797271967 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797282934 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797305107 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797317028 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797326088 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797353983 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797362089 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797370911 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797383070 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797388077 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797395945 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797395945 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797422886 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797466040 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797473907 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797477007 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797483921 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797487974 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797509909 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797519922 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797519922 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797540903 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797553062 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797561884 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797565937 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797576904 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797585964 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797586918 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797627926 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797627926 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797642946 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797666073 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797691107 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797693014 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797708988 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797760010 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797772884 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797785044 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797797918 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797826052 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797842979 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797858953 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797868013 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797877073 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797888994 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797909975 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797920942 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797924042 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797941923 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797951937 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.797955990 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797969103 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.797993898 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798003912 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798006058 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798053026 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798055887 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798064947 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798085928 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798095942 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798118114 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798141956 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798151970 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798155069 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798166990 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798198938 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798213959 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798217058 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798266888 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798290014 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798300982 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798316956 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798325062 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798332930 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798358917 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798366070 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798376083 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798383951 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798384905 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798407078 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798410892 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798415899 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798427105 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798440933 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798449993 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798454046 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798470974 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798480034 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798495054 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798504114 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798507929 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798512936 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798541069 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798552990 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798562050 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798571110 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798584938 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798594952 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798597097 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798640966 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798648119 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798650980 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798667908 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798676968 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798705101 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798706055 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798713923 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798719883 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798744917 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798749924 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798754930 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798768997 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798783064 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798808098 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798830986 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798835993 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798866987 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798878908 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798887968 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798899889 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798907995 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798919916 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798937082 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798938990 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798949003 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798949957 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.798964024 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.798973083 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799006939 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799007893 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799016953 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799034119 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799052954 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799052954 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799062014 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799086094 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799113035 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799114943 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799124956 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799134016 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799149990 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799158096 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799166918 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799171925 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799175024 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799187899 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799221992 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799232960 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799242973 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799257994 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799266100 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799284935 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799308062 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799309015 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799324989 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799357891 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799366951 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799376965 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799407959 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799442053 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799463034 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799490929 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799514055 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799557924 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799566984 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799575090 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799582958 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799587011 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799591064 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799606085 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799613953 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799617052 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799633980 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799654007 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799669027 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799678087 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799685955 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799694061 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799710989 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799719095 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799730062 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799740076 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799760103 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799765110 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799781084 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799801111 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799806118 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799809933 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799834013 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799843073 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799858093 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799879074 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799880028 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.799887896 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.799925089 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.804404974 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.804414988 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.804471016 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.804553986 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.804904938 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.804914951 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.804966927 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.805042028 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.805088997 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.805360079 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.805428028 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.805520058 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.805675030 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.805726051 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.806139946 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.806149960 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.806195021 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.806461096 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.806471109 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.806519032 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.806603909 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.806777000 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.806828976 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.806968927 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.807116032 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.807166100 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.807435989 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.807571888 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.807579994 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.807627916 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.807913065 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.807921886 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.807977915 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.819562912 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819572926 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819581032 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819590092 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819597006 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819605112 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819665909 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.819899082 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819910049 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819917917 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819927931 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819936991 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819946051 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819953918 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819957972 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819967985 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819968939 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.819977999 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819987059 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.819994926 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820003986 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820012093 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820014000 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820019960 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820028067 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820036888 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820041895 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820044994 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820049047 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820053101 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820055962 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820060015 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820067883 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820075989 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820081949 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820086002 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820095062 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820103884 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820111990 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820120096 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820127964 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820137024 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820141077 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820143938 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820154905 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820167065 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820174932 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820184946 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820199966 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820242882 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820857048 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820867062 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820875883 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820883989 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820892096 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820900917 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820909977 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820914984 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820918083 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820925951 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820926905 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820935965 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820939064 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820945024 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820950985 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820954084 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820962906 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820971012 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820980072 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820981979 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.820987940 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.820997953 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821006060 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821014881 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821018934 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821023941 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821031094 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821042061 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821048021 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821053028 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821060896 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821069002 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821072102 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821077108 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821080923 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821084976 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821088076 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821096897 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821100950 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821105003 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821114063 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821122885 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821130991 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821136951 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821139097 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821149111 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821157932 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821166992 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821170092 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821177959 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821180105 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821187019 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821194887 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821203947 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821212053 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821218967 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821221113 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821230888 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821233988 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821243048 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821250916 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821259022 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821263075 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821268082 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821275949 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821284056 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821293116 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821295977 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821300983 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821310043 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821317911 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821326971 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821333885 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821335077 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821342945 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821351051 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.821356058 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821371078 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.821398020 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.845834970 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.847296000 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.847398043 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.847451925 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.847515106 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.847579002 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.847656965 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.847719908 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.847805023 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.847872019 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.847948074 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.848005056 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.848088980 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.848120928 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.893822908 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.894603014 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.894855022 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.894939899 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.895000935 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.895059109 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.895114899 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.895179033 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.899894953 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.902256012 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.908582926 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.909677982 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.909756899 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.909807920 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.909859896 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.909907103 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.909964085 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.910006046 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.910063982 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.910118103 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.910190105 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.910243988 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.910314083 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.910348892 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:30.957847118 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:30.958005905 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.009814024 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.009881973 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.047966003 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.048755884 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.048831940 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.048880100 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.048958063 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.053808928 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.054306030 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.102195978 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.102264881 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.143343925 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.143506050 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.143584967 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.143630981 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.143733025 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.143889904 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.143944979 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.143990040 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.144042015 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.144067049 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.189824104 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.189891100 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.228177071 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.228302956 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.228358984 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.228449106 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.228693008 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.228748083 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.228792906 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.228844881 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.228898048 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.228960037 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.233498096 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.233695030 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.233781099 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.233822107 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.273866892 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.275053978 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.309051037 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.309254885 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.309340000 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.309379101 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.309441090 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.309461117 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.310698986 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.310766935 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.310831070 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.310894012 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.310918093 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.314260960 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.314677954 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.314795971 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.314866066 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.314937115 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.315004110 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.315068007 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.361635923 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.361819029 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.361901999 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.361947060 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.393538952 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.393789053 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.393887043 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.393944025 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394001007 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394054890 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394104004 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394159079 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394222021 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394273996 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394335985 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394383907 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394449949 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394494057 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394561052 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.394598961 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.401559114 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.401571035 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.401644945 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.401866913 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.401906967 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.401993990 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402004004 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402014017 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402024031 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402031898 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402035952 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402050972 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402053118 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402060986 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402062893 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402070045 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402071953 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402080059 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402090073 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402098894 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402103901 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402107954 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402117014 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402132034 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402160883 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402170897 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402182102 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402189970 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402198076 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402205944 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402215004 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402215958 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402226925 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402239084 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402245998 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402270079 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402285099 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402759075 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402767897 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402776003 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402785063 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402792931 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402815104 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402820110 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402825117 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402832985 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402841091 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402844906 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402851105 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402859926 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402859926 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402868986 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402877092 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402879953 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402885914 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402887106 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402889967 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402894974 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402898073 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402901888 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402906895 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402909994 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402916908 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.402918100 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402923107 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402968884 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.402997017 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.403023005 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.403506041 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403516054 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403523922 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403532982 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403542042 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403551102 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403556108 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.403559923 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403570890 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403574944 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.403579950 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403589010 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403598070 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403605938 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403609991 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.403626919 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403633118 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.403637886 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403645992 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403655052 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403656960 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.403662920 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403673887 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403678894 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.403682947 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403691053 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.403717041 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.403731108 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404033899 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404043913 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404052019 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404061079 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404068947 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404077053 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404082060 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404093981 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404103041 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404109001 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404110909 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404119015 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404124022 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404128075 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404136896 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404145002 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404154062 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404162884 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404162884 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404187918 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404192924 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404196978 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404206038 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404222965 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404247999 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404362917 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404403925 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404656887 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404700041 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404736042 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404747963 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404756069 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404764891 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404774904 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404798985 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404809952 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404819012 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404827118 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404834986 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404844046 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404851913 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404856920 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404861927 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404870033 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404870987 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404880047 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.404887915 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.404923916 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.405309916 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405318975 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405327082 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405334949 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405344009 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405352116 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405359983 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405359983 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.405401945 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.405435085 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405443907 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405452013 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.405469894 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.405482054 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.406276941 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406318903 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.406604052 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406613111 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406620979 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406630039 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406657934 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.406672955 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406673908 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.406682968 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406691074 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406699896 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406708956 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406713009 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.406717062 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406721115 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406725883 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.406733990 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406738043 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406740904 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406745911 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.406749964 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406758070 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406766891 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406802893 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.406959057 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406969070 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.406976938 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407013893 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.407061100 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407069921 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407104969 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.407233000 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407247066 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407254934 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407283068 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.407358885 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407370090 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407377958 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407387018 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407399893 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.407423019 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.407547951 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407557011 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407565117 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407572985 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407581091 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407589912 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407598972 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407603025 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407604933 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.407623053 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.407655001 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.407677889 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407687902 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407696009 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407705069 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.407721996 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.407744884 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.454142094 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.454305887 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.454781055 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.454862118 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.454916000 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.454971075 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455023050 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455091953 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455146074 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455204964 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455257893 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455327988 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455380917 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455454111 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455517054 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455588102 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455641031 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455703020 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.455727100 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.459990978 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460145950 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460236073 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460320950 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460330963 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460366964 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460386038 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460645914 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460655928 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460664988 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460685015 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460704088 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460867882 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460877895 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460886955 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460896015 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460905075 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460916996 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460926056 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460936069 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460946083 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460947990 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460954905 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460954905 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460967064 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460980892 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.460980892 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.460988998 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461008072 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461009026 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461018085 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461028099 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461030006 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461035967 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461045027 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461045027 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461054087 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461054087 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461062908 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461064100 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461101055 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461116076 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461152077 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461191893 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461289883 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461299896 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461308002 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461323977 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461333036 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461337090 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461340904 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461349964 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461359024 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461359024 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461369038 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461383104 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461385965 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461395025 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461404085 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461411953 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461419106 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461421013 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461430073 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461437941 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461447001 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461455107 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461457014 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461462975 CET	15666	49710	193.3.19.151	192.168.2.6
Nov 18, 2024 14:28:31.461478949 CET	49710	15666	192.168.2.6	193.3.19.151
Nov 18, 2024 14:28:31.461492062 CET	49710	15666	192.168.2.6	193.3.19.151

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 18, 2024 14:28:24.254170895 CET	192.168.2.6	1.1.1.1	0x8908	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 18, 2024 14:28:24.261068106 CET	1.1.1.1	192.168.2.6	0x8908	No error (0)	api.ipify.org	104.26.12.205	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:28:24.261068106 CET	1.1.1.1	192.168.2.6	0x8908	No error (0)	api.ipify.org	172.67.74.152	A (IP address)	IN (0x0001)	false
Nov 18, 2024 14:28:24.261068106 CET	1.1.1.1	192.168.2.6	0x8908	No error (0)	api.ipify.org	104.26.13.205	A (IP address)	IN (0x0001)	false

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49711	104.26.12.205	443	4896	C:\Users\user\Desktop\8F0oMWUhg7.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-18 13:28:25 UTC	100	OUT	GET / HTTP/1.1 Accept: text/html; text/plain; / Host: api.ipify.org Cache-Control: no-cache
2024-11-18 13:28:25 UTC	399	IN	HTTP/1.1 200 OK Date: Mon, 18 Nov 2024 13:28:25 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8e484db65a924770-DFW server-timing: cfL4;desc="?proto=TCP&rtt=1943&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=738&delivery_rate=1501296&cwnd=251&unsent_bytes=0&cid=f8aa546fb6ac57aa&ts=540&x=0"
2024-11-18 13:28:25 UTC	14	IN	Data Raw: 31 35 35 2e 39 34 2e 32 34 31 2e 31 38 37 Data Ascii: 155.94.241.187

Target ID:	0
Start time:	08:28:22
Start date:	18/11/2024
Path:	C:\Users\user\Desktop\8F0oMWUhg7.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\8F0oMWUhg7.exe"
Imagebase:	0x7ff6ebf50000
File size:	1'292'800 bytes
MD5 hash:	AC6323CFB95CC48955949B4D2E7F91A5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MeduzaStealer, Description: Yara detected Meduza Stealer, Source: 00000000.00000002.2288125378.00000170CDF3C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.6%
Total number of Nodes:	1274
Total number of Limit Nodes:	50

Executed Functions

Function 00007FF6EBFD8330 Relevance: 50.4, APIs: 19, Strings: 9, Instructions: 1376
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EBFD6540: EnumDisplayDevicesW.USER32 ref: 00007FF6EBFD6657
Part of subcall function 00007FF6EBFD6540: EnumDisplayDevicesW.USER32 ref: 00007FF6EBFD66FB

Part of subcall function 00007FF6EBFD6460: RegGetValueA.KERNEL32 ref: 00007FF6EBFD64C9

Part of subcall function 00007FF6EBFD6150: GetUserNameW.ADVAPI32 ref: 00007FF6EBFD6195

Part of subcall function 00007FF6EBFD61F0: GetComputerNameW.KERNEL32 ref: 00007FF6EBFD6235

Part of subcall function 00007FF6EBF91900: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF919D4

Part of subcall function 00007FF6EBF93FF0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9447D

GlobalMemoryStatusEx.KERNEL32 ref: 00007FF6EBFD87BC
wcsftime.LIBCMT ref: 00007FF6EBFD8FB2
GetModuleFileNameA.KERNEL32 ref: 00007FF6EBFD9146
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B15
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B1B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B2D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B39
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B5D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD9B63

Strings

time, xrefs: 00007FF6EBFD9081
%d-%m-%Y, %H:%M:%S, xrefs: 00007FF6EBFD8F9F
timezone, xrefs: 00007FF6EBFD9454
computer_name, xrefs: 00007FF6EBFD8994
ram, xrefs: 00007FF6EBFD889B
user_name, xrefs: 00007FF6EBFD846F
system, xrefs: 00007FF6EBFD8424, 00007FF6EBFD8513, 00007FF6EBFD8609, 00007FF6EBFD8703, 00007FF6EBFD884B, 00007FF6EBFD8945, 00007FF6EBFD8A38, 00007FF6EBFD8BBF, 00007FF6EBFD8DB0, 00007FF6EBFD9031, 00007FF6EBFD91F4, 00007FF6EBFD940E, 00007FF6EBFD95AD, 00007FF6EBFD9757, 00007FF6EBFD981D
cpu, xrefs: 00007FF6EBFD8658
gpu, xrefs: 00007FF6EBFD8562

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Name$DevicesDisplayEnum$ComputerFileGlobalMemoryModuleStatusUserValuewcsftime
String ID: %d-%m-%Y, %H:%M:%S$computer_name$cpu$gpu$ram$system$time$timezone$user_name
API String ID: 4122120932-1182675529
Opcode ID: 144dd6f8b04f88af25308643b4b5e8a4b2b864948436e5f9f7b139f435a0641b
Instruction ID: 059098e3d428038ffd7e35c47a0d664bd7e772bb1d16dcd1b1066a2d9227f7d1
Opcode Fuzzy Hash: 144dd6f8b04f88af25308643b4b5e8a4b2b864948436e5f9f7b139f435a0641b
Instruction Fuzzy Hash: EFE29333A18BC195DB21CF65E8403ED77A1FB89798F009225EA8D47BA9DF39D284C705

Function 00007FF6EBF84B70 Relevance: 46.8, APIs: 21, Strings: 5, Instructions: 1343registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6EBF8509B
RegQueryValueExA.ADVAPI32 ref: 00007FF6EBF850E9
RegCloseKey.ADVAPI32 ref: 00007FF6EBF85186
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF86384
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF863A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF863AB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF863B1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF863B7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF863BD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF863C3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF863C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF863F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF863F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF86420
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF86426
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8642C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8644E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF86454
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8645A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF86466
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF86487

Strings

filename, xrefs: 00007FF6EBF8549A, 00007FF6EBF85A28, 00007FF6EBF85F59
content, xrefs: 00007FF6EBF855A3, 00007FF6EBF85BF6, 00007FF6EBF86120
status, xrefs: 00007FF6EBF86403, 00007FF6EBF86413
exists, xrefs: 00007FF6EBF86398, 00007FF6EBF863E3, 00007FF6EBF8647A
directory_iterator::directory_iterator, xrefs: 00007FF6EBF86441

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 1254564140-3429737954
Opcode ID: 55c2bb045bb96185970b24680b3c0d0404c05ffe49abc176e468b77682173e3f
Instruction ID: 7097a1ccaa93d1fded14a95a941da76685b5b0d78db4b6555aad8f60734b87ce
Opcode Fuzzy Hash: 55c2bb045bb96185970b24680b3c0d0404c05ffe49abc176e468b77682173e3f
Instruction Fuzzy Hash: A5E28F73A14BC18AEB218F75D8803ED3365FB89758F504235EA5C8BAA9DF79D284C305

Function 00007FF6EBFB6350 Relevance: 46.6, APIs: 20, Strings: 6, Instructions: 1136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

status, xrefs: 00007FF6EBFBA600, 00007FF6EBFBA6D9, 00007FF6EBFBA790, 00007FF6EBFBA863, 00007FF6EBFBA885, 00007FF6EBFBA89B, 00007FF6EBFBA8BD
exists, xrefs: 00007FF6EBFBA5DE, 00007FF6EBFBA6AC, 00007FF6EBFBA76E, 00007FF6EBFBA83C
recursive_directory_iterator::operator++, xrefs: 00007FF6EBFBA678, 00007FF6EBFBA745, 00007FF6EBFBA808
cannot use push_back() with , xrefs: 00007FF6EBFBA625, 00007FF6EBFBA6FE, 00007FF6EBFBA7B5
directory_iterator::directory_iterator, xrefs: 00007FF6EBFBA853, 00007FF6EBFBA875, 00007FF6EBFBA8AD
recursive_directory_iterator::recursive_directory_iterator, xrefs: 00007FF6EBFBA68F, 00007FF6EBFBA6C9, 00007FF6EBFBA81F

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: __std_fs_convert_wide_to_narrow$__std_fs_code_page
String ID: cannot use push_back() with $directory_iterator::directory_iterator$exists$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 3645842244-1862120484
Opcode ID: b85098497e29e174e5e0d125e38a865b4444aacdb133920c5e87522b3c1c6480
Instruction ID: 63c7990759061a6ac2e2b104242239598be81c0e5c3a8222dff5f3ca560cd018
Opcode Fuzzy Hash: b85098497e29e174e5e0d125e38a865b4444aacdb133920c5e87522b3c1c6480
Instruction Fuzzy Hash: E9D21473919BC985D6708B19F4813AAB3A0FB9C784F405225EACC93B69EF7DD254CB04

Function 00007FF6EBFD5B70 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00007FF6EBFD5BB1
GetSystemMetrics.USER32 ref: 00007FF6EBFD5BBF
GetSystemMetrics.USER32 ref: 00007FF6EBFD5BCD
GetSystemMetrics.USER32 ref: 00007FF6EBFD5BDB
GetDC.USER32 ref: 00007FF6EBFD5BE5
GetDeviceCaps.GDI32 ref: 00007FF6EBFD5BFB
GetDeviceCaps.GDI32 ref: 00007FF6EBFD5C0B
CreateCompatibleDC.GDI32 ref: 00007FF6EBFD5C18
CreateCompatibleBitmap.GDI32 ref: 00007FF6EBFD5C30
SelectObject.GDI32 ref: 00007FF6EBFD5C46
BitBlt.GDI32 ref: 00007FF6EBFD5C7C
SHCreateMemStream.SHLWAPI ref: 00007FF6EBFD5CB2
SelectObject.GDI32 ref: 00007FF6EBFD5CC8
DeleteDC.GDI32 ref: 00007FF6EBFD5CD1
ReleaseDC.USER32 ref: 00007FF6EBFD5CDC
DeleteObject.GDI32 ref: 00007FF6EBFD5CE5
EnterCriticalSection.KERNEL32 ref: 00007FF6EBFD5DDC
LeaveCriticalSection.KERNEL32 ref: 00007FF6EBFD5DEE
IStream_Size.SHLWAPI ref: 00007FF6EBFD5E25
IStream_Reset.SHLWAPI ref: 00007FF6EBFD5E36
IStream_Read.SHLWAPI ref: 00007FF6EBFD5EBB
SelectObject.GDI32 ref: 00007FF6EBFD5F15
DeleteDC.GDI32 ref: 00007FF6EBFD5F1E
ReleaseDC.USER32 ref: 00007FF6EBFD5F2B
DeleteObject.GDI32 ref: 00007FF6EBFD5F34

Strings

, xrefs: 00007FF6EBFD5C51

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Object$DeleteMetricsSystem$CreateSelectStream_$CapsCompatibleCriticalDeviceReleaseSection$BitmapEnterLeaveReadResetSizeStream
String ID:
API String ID: 3214587331-3916222277
Opcode ID: b4a9d957edc9c5224d8b964fe23b4a119de3175bf205accea35f2dd7d15a2983
Instruction ID: a21de02c23ba1453c4d8af16ce631e0f3d02d6f68a48fed9d71e0dfe2b77be11
Opcode Fuzzy Hash: b4a9d957edc9c5224d8b964fe23b4a119de3175bf205accea35f2dd7d15a2983
Instruction Fuzzy Hash: 0BB16633608BC185E764DB21F8643AAB3A5FB89B90F404535DA8E83B65DF3DD084CB49

Function 00007FF6EBF8D570 Relevance: 35.9, APIs: 17, Strings: 3, Instructions: 862
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF6EBF8D65C
GetProcAddress.KERNEL32 ref: 00007FF6EBF8D767
GetProcAddress.KERNEL32 ref: 00007FF6EBF8D829
GetProcAddress.KERNEL32 ref: 00007FF6EBF8D8A3
GetProcAddress.KERNEL32 ref: 00007FF6EBF8D925
GetProcAddress.KERNEL32 ref: 00007FF6EBF8D99F
GetProcAddress.KERNEL32 ref: 00007FF6EBF8DA23
FreeLibrary.KERNEL32 ref: 00007FF6EBF8E551
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8E587
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8E5DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8E5E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8E5E7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8E5ED
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8E5F3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8E5F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8E5FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8E605

Strings

vault, xrefs: 00007FF6EBF8E3B3
system, xrefs: 00007FF6EBF8E35D
cannot use push_back() with , xrefs: 00007FF6EBF8E59F

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$AddressProc$Library$FreeLoad
String ID: cannot use push_back() with $system$vault
API String ID: 2463004387-1741236777
Opcode ID: 02ed4c03ae5195d23b1ec4d987f7dc12a0391b494a2e0b00b14e86e221b1b524
Instruction ID: 1bf4401dcb705a94f5db71f40f700a1524a2412962c910e8be8fbf509853b8b6
Opcode Fuzzy Hash: 02ed4c03ae5195d23b1ec4d987f7dc12a0391b494a2e0b00b14e86e221b1b524
Instruction Fuzzy Hash: 89925D33605BC589DB608F69E8943ED73A0FB49798F104225DB9C9BBA9EF39D644C304

Function 00007FF6EBF82CA0 Relevance: 32.3, APIs: 13, Strings: 5, Instructions: 789
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6EBF83022
RegQueryValueExA.ADVAPI32 ref: 00007FF6EBF8306A
RegCloseKey.ADVAPI32 ref: 00007FF6EBF830F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF839B0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF839CB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF839D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF839EA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF839F0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF83A06
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF83A0C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF83A12
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF83A1E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF83A24

Strings

filename, xrefs: 00007FF6EBF83500
content, xrefs: 00007FF6EBF83694
status, xrefs: 00007FF6EBF839F9
exists, xrefs: 00007FF6EBF839BE
directory_iterator::directory_iterator, xrefs: 00007FF6EBF839DD

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 1254564140-3429737954
Opcode ID: cca0d0ff4b654a582c9538a666395e913b528b61201c86974eb431a7376eaa37
Instruction ID: 904517c3eb2c136bd475b89a57673064efea97e7480bbf6b64f3ff619ee37366
Opcode Fuzzy Hash: cca0d0ff4b654a582c9538a666395e913b528b61201c86974eb431a7376eaa37
Instruction Fuzzy Hash: B3829D73A15BC589EB208F35D8803ED73A1FB89798F105221EA9D87BA9DF39D580C345

Function 00007FF6EBF820B0 Relevance: 28.7, APIs: 12, Strings: 4, Instructions: 684
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6EBF82409
RegQueryValueExA.ADVAPI32 ref: 00007FF6EBF8244E
RegCloseKey.ADVAPI32 ref: 00007FF6EBF824F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF82C2E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF82C4F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF82C55
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF82C71
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF82C77
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF82C7D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF82C83
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF82C8F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF82C95

Strings

filename, xrefs: 00007FF6EBF82787
content, xrefs: 00007FF6EBF82915
exists, xrefs: 00007FF6EBF82C42
directory_iterator::directory_iterator, xrefs: 00007FF6EBF82C64

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseOpenQueryValue
String ID: content$directory_iterator::directory_iterator$exists$filename
API String ID: 1254564140-1400943384
Opcode ID: 72bc06b4c23dae53119d17e32e2d83f94c8cf5b542223a1ca38e21ddfdc9481e
Instruction ID: 1cbdd76de5dacdbdeea046ce2e5a7e2de84b8a09c46b1e9d2cb3abd804ed2943
Opcode Fuzzy Hash: 72bc06b4c23dae53119d17e32e2d83f94c8cf5b542223a1ca38e21ddfdc9481e
Instruction Fuzzy Hash: FC729273A14BC589DB208F35D8803ED77A0FB89798F109225EA9C57BA9DF39D680C345

Function 00007FF6EBFBD080 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 599
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

prefs.js, xrefs: 00007FF6EBFBE5E2
status, xrefs: 00007FF6EBFBDE11, 00007FF6EBFBDE33, 00007FF6EBFBDE5B, 00007FF6EBFBDE83
exists, xrefs: 00007FF6EBFBF48D
cannot use push_back() with , xrefs: 00007FF6EBFBDDD5
directory_iterator::directory_iterator, xrefs: 00007FF6EBFBDE23, 00007FF6EBFBF4A4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: cannot use push_back() with $directory_iterator::directory_iterator$exists$prefs.js$status
API String ID: 0-2713369562
Opcode ID: aa60501c34197aa9be3dc6d7d78cee9937bc4b4afc7b8e28a6d077cabfff3da7
Instruction ID: 5a80bec37c048b0581733c5358ecbef02e544f341982dad401f2e2f264d8c033
Opcode Fuzzy Hash: aa60501c34197aa9be3dc6d7d78cee9937bc4b4afc7b8e28a6d077cabfff3da7
Instruction Fuzzy Hash: 95525733919FC184E6B19B14E8813EEB3A4FB89754F504226DACC93B69EF79C194CB05

Function 00007FF6EC00B5B0 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF6EC00B65D
GetLastError.KERNEL32 ref: 00007FF6EC00B667
FindFirstFileW.KERNEL32 ref: 00007FF6EC00B67E
GetLastError.KERNEL32 ref: 00007FF6EC00B68A
FindClose.KERNEL32 ref: 00007FF6EC00B698
__std_fs_open_handle.LIBCPMT ref: 00007FF6EC00B72B
CloseHandle.KERNEL32 ref: 00007FF6EC00B741
CloseHandle.KERNEL32 ref: 00007FF6EC00B8B4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: ae06ef96b620ec177ea6819a3a1ac38214177ad565b87e13f1ccf53398ca1eb7
Instruction ID: 96395411a5eb9b04f828a4fc712c2179f5287a141aa046fb86e1d55e5ceea5d4
Opcode Fuzzy Hash: ae06ef96b620ec177ea6819a3a1ac38214177ad565b87e13f1ccf53398ca1eb7
Instruction Fuzzy Hash: 94918333A08A0246E6748F25A8267792290AF447B4F594B30D97EC77E4EF3FE505C70A

Function 00007FF6EBF8CA10 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CredEnumerateA.ADVAPI32 ref: 00007FF6EBF8CA72
CredFree.ADVAPI32 ref: 00007FF6EBF8D496
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8D4CC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8D520
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8D526
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8D52C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8D532
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8D538
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8D53E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8D544
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8D54A

Strings

cannot use push_back() with , xrefs: 00007FF6EBF8D4E4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Cred$EnumerateFree
String ID: cannot use push_back() with
API String ID: 1347986415-4122110429
Opcode ID: 397a3b11ec9aefb8a90e43e1be536f4e1bfcecda5c7bfe9a44244f3446273e2b
Instruction ID: 6a613110d039665eae4ed4b2ec83355fd6879ff8b2f3d77b5782b71b982f3a64
Opcode Fuzzy Hash: 397a3b11ec9aefb8a90e43e1be536f4e1bfcecda5c7bfe9a44244f3446273e2b
Instruction Fuzzy Hash: 6E628273A04BC589EB208F65E8803ED7761FB89798F104325EA9C57BA9DF39D284C305

Function 00007FF6EBF99F80 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 417
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6EBF9A134
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6EBF9A142
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6EBF9A3C5
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6EBF9A3D3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9A570
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9A576
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9A599
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9A59F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9A5A5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9A5C8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9A5CE

Strings

value, xrefs: 00007FF6EBF9A05A, 00007FF6EBF9A2F3

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy
String ID: value
API String ID: 1346393832-494360628
Opcode ID: 6393ec53b8289c00639532b8d15cf4b8dcd6fc4cbd1acde857b26dc4558d973b
Instruction ID: 55131f31d19022f60150a623e0a424a72f07ad65b0aba212ea1be3dfcf526ffb
Opcode Fuzzy Hash: 6393ec53b8289c00639532b8d15cf4b8dcd6fc4cbd1acde857b26dc4558d973b
Instruction Fuzzy Hash: 4B028F63A18BC185EB00DFB8D4803ED6761EF897A4F105231EA9D83AEADF2DD185C745

Function 00007FF6EBFD4A30 Relevance: 19.9, APIs: 13, Instructions: 417
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32 ref: 00007FF6EBFD4C0C
recv.WS2_32 ref: 00007FF6EBFD50EC
closesocket.WS2_32 ref: 00007FF6EBFD50FE
WSACleanup.WS2_32 ref: 00007FF6EBFD5104
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD51FC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5202
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5208
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD520E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5214
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD521A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5226
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD522C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5232

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$recv$Cleanupclosesocket
String ID:
API String ID: 3402187201-0
Opcode ID: 7da1f52dcf02eec2e376e397382e74fdcf212ce6f330cc234e01b66058b24776
Instruction ID: 32414643eb5cab97b3b23e9227a7263d6f1de4765fda8cde6c8ecfc1ba6484cf
Opcode Fuzzy Hash: 7da1f52dcf02eec2e376e397382e74fdcf212ce6f330cc234e01b66058b24776
Instruction Fuzzy Hash: B4129573A1CBC181EA209B14F4543EE6761FB89790F104631DAAC87AEADF7ED484CB05

Function 00007FF6EBFCC600 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EBFCF820: GetCurrentProcess.KERNEL32 ref: 00007FF6EBFCF85B
Part of subcall function 00007FF6EBFCF820: OpenProcessToken.ADVAPI32 ref: 00007FF6EBFCF86E
Part of subcall function 00007FF6EBFCF820: GetTokenInformation.KERNELBASE ref: 00007FF6EBFCF8AA
Part of subcall function 00007FF6EBFCF820: CloseHandle.KERNEL32 ref: 00007FF6EBFCF8CB

ExitProcess.KERNEL32 ref: 00007FF6EBFCC647
OpenMutexA.KERNEL32 ref: 00007FF6EBFCC762
ExitProcess.KERNEL32 ref: 00007FF6EBFCC772

Part of subcall function 00007FF6EBFCFB60: GetModuleFileNameW.KERNEL32 ref: 00007FF6EBFCFBAA

Part of subcall function 00007FF6EBFDA780: CoInitializeEx.OLE32 ref: 00007FF6EBFDA7EA

Strings

SeDebugPrivilege, xrefs: 00007FF6EBFCC64E
SeImpersonatePrivilege, xrefs: 00007FF6EBFCC65A

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Process$ExitOpenToken$CloseCurrentFileHandleInformationInitializeModuleMutexName
String ID: SeDebugPrivilege$SeImpersonatePrivilege
API String ID: 3348294976-3768118664
Opcode ID: ba67cdc4a9eadfff59423ebbf1ec18657226234c36bf65d0b363ddb74215bdc7
Instruction ID: 7ff5f06d4f67977007f2226b058ac71e6fbbaa15f541c1a61a4f3045400ec44d
Opcode Fuzzy Hash: ba67cdc4a9eadfff59423ebbf1ec18657226234c36bf65d0b363ddb74215bdc7
Instruction Fuzzy Hash: C8617F23D1CA8641EA10AB65A4553FAA250FF8D740F504135E68DC76F7EF2EE081CB4E

Function 00007FF6EBFB5970 Relevance: 17.8, Strings: 14, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

content, xrefs: 00007FF6EBFB6EB7, 00007FF6EBFB79CA, 00007FF6EBFB845D, 00007FF6EBFB8F0A, 00007FF6EBFB98AE, 00007FF6EBFBA03E, 00007FF6EBFBD6B3, 00007FF6EBFBDB94
status, xrefs: 00007FF6EBFBA5B5, 00007FF6EBFBA600, 00007FF6EBFBA6D9, 00007FF6EBFBA790, 00007FF6EBFBA863, 00007FF6EBFBA885, 00007FF6EBFBA89B, 00007FF6EBFBA8BD, 00007FF6EBFBCA99, 00007FF6EBFBDE11, 00007FF6EBFBDE33, 00007FF6EBFBDE5B, 00007FF6EBFBDE83, 00007FF6EBFBF764
exists, xrefs: 00007FF6EBFB5F90, 00007FF6EBFBA58E, 00007FF6EBFBA5DE, 00007FF6EBFBA6AC, 00007FF6EBFBA76E, 00007FF6EBFBA83C, 00007FF6EBFBCA70, 00007FF6EBFBD060, 00007FF6EBFBF48D, 00007FF6EBFBF779
@, xrefs: 00007FF6EBFB9B9B
cannot use push_back() with , xrefs: 00007FF6EBFBA625, 00007FF6EBFBA6FE, 00007FF6EBFBA7B5, 00007FF6EBFBDDD5
directory_iterator::directory_iterator, xrefs: 00007FF6EBFBA5A5, 00007FF6EBFBA853, 00007FF6EBFBA875, 00007FF6EBFBA8AD, 00007FF6EBFBCA83, 00007FF6EBFBDE23, 00007FF6EBFBF4A4, 00007FF6EBFBF78C
filename, xrefs: 00007FF6EBFB6D9C, 00007FF6EBFB78E3, 00007FF6EBFB8376, 00007FF6EBFB8E23, 00007FF6EBFB9793, 00007FF6EBFB9F35, 00007FF6EBFBD5FC, 00007FF6EBFBDAE0
chrome_key, xrefs: 00007FF6EBFBC851, 00007FF6EBFBC97F
prefs.js, xrefs: 00007FF6EBFBE5E2
recursive_directory_iterator::operator++, xrefs: 00007FF6EBFBA678, 00007FF6EBFBA745, 00007FF6EBFBA808
@, xrefs: 00007FF6EBFBA32B
., xrefs: 00007FF6EBFB5C70
recursive_directory_iterator::recursive_directory_iterator, xrefs: 00007FF6EBFBA68F, 00007FF6EBFBA6C9, 00007FF6EBFBA81F
key, xrefs: 00007FF6EBFBC60E, 00007FF6EBFBC740

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: .$@$@$cannot use push_back() with $chrome_key$content$directory_iterator::directory_iterator$exists$filename$key$prefs.js$recursive_directory_iterator::operator++$recursive_directory_iterator::recursive_directory_iterator$status
API String ID: 0-4287193513
Opcode ID: 8adc91dd6644a2bfb7387dc78b72df08f999bd5353c1b7ff9b33895fcf5abe12
Instruction ID: 9cd13c2637172fdaed848d64398b71b5a0f5da84ba5905421fe00dc20002748d
Opcode Fuzzy Hash: 8adc91dd6644a2bfb7387dc78b72df08f999bd5353c1b7ff9b33895fcf5abe12
Instruction Fuzzy Hash: AAC1D373A08B8286EB609F25D4A43B963A1FB4C795F544232DA5D837A8DF3EE841C705

Function 00007FF6EBFD5240 Relevance: 16.9, APIs: 11, Instructions: 408networkfileCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET ref: 00007FF6EBFD540B
InternetOpenUrlA.WININET ref: 00007FF6EBFD54E8
HttpQueryInfoW.WININET ref: 00007FF6EBFD5549
HttpQueryInfoW.WININET ref: 00007FF6EBFD55E2
InternetQueryDataAvailable.WININET ref: 00007FF6EBFD5626
InternetReadFile.WININET ref: 00007FF6EBFD56E9
InternetQueryDataAvailable.WININET ref: 00007FF6EBFD57B4
InternetCloseHandle.WININET ref: 00007FF6EBFD585E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD58AF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD58B5
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFD58BB

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Internet$Query$AvailableDataHttpInfoOpen_invalid_parameter_noinfo_noreturn$CloseConcurrency::cancel_current_taskFileHandleRead
String ID:
API String ID: 1352168858-0
Opcode ID: f0f06bfc5229ad43a134cc2e5cf5d57c8af5ef26157f18d200528da81e841abb
Instruction ID: 56e68fb3c93065cbbd47ec5938d6128cd262f5bba1a54cba2145493e86dd4687
Opcode Fuzzy Hash: f0f06bfc5229ad43a134cc2e5cf5d57c8af5ef26157f18d200528da81e841abb
Instruction Fuzzy Hash: F7028233A18B9585EB10CB69F8403AE77B5FB99794F104225EE9C57BA8DF79D080CB04

Function 00007FF6EBF8E610 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 328processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6EBF8E65A
Process32FirstW.KERNEL32 ref: 00007FF6EBF8E69C
Process32NextW.KERNEL32 ref: 00007FF6EBF8E893
CloseHandle.KERNEL32 ref: 00007FF6EBF8EB0A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8EBA3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8EBA9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8EBAF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8EBB5

Strings

[PID: , xrefs: 00007FF6EBF8E6DE

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID: [PID:
API String ID: 1946380282-2210602247
Opcode ID: 775278d011838b3c82a30bd51d8c922216805a17ad3d78b1e9f84401a34e296d
Instruction ID: e0f6bb6124462294699d490304d9fc74cea1f010c487f93baf4ba08dcf842eba
Opcode Fuzzy Hash: 775278d011838b3c82a30bd51d8c922216805a17ad3d78b1e9f84401a34e296d
Instruction Fuzzy Hash: 18E1C633A18BC185EB20DF25E8903ED77A1F7897A4F504225EA9D47BA9DF39D240C705

Function 00007FF6EBF8ECB0 Relevance: 15.7, APIs: 10, Instructions: 715COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9A1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9A7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9AD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9B3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9B9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9BF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9CB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9D1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8F9D7

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: a81d8968a17a13dc277e57e3dc7582a2f7565247fbcd59ce3d43ce117267cb21
Instruction ID: 95a7757adf3beed97151d13303a63ed8bff803190ac6e60ccbc58841b66d1c20
Opcode Fuzzy Hash: a81d8968a17a13dc277e57e3dc7582a2f7565247fbcd59ce3d43ce117267cb21
Instruction Fuzzy Hash: E0725B73A18B8589EB208F69E8403ED63A1F78D798F504325EADC57BA9DF39D240C705

Function 00007FF6EBFCF020 Relevance: 14.5, APIs: 4, Strings: 4, Instructions: 451fileCOMMON

Download Yara Rule

APIs

GetFileSize.KERNEL32 ref: 00007FF6EBFCF261
SetFilePointer.KERNEL32 ref: 00007FF6EBFCF314
ReadFile.KERNEL32 ref: 00007FF6EBFCF343
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFCF7D7

Strings

ios_base::eofbit set, xrefs: 00007FF6EBFCF784
ios_base::failbit set, xrefs: 00007FF6EBFCF77D
exists, xrefs: 00007FF6EBFCF7CA
ios_base::badbit set, xrefs: 00007FF6EBFCF771, 00007FF6EBFCF7EF

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: File$PointerReadSize_invalid_parameter_noinfo_noreturn
String ID: exists$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2478245620-15404121
Opcode ID: 66a69ea613784884e0830e2cf4cd3502bd24be5abfc7ae4b6da5a38c28b90bd3
Instruction ID: c1074a549446ae3d64cea58d974c3f56452218beed0dca80c6a1631dc5c36e2a
Opcode Fuzzy Hash: 66a69ea613784884e0830e2cf4cd3502bd24be5abfc7ae4b6da5a38c28b90bd3
Instruction Fuzzy Hash: 1B322933A14BC589EB20CF24D8803ED77A1FB44748F508226DA8D9BBA9DF7AD645C705

Function 00007FF6EBFF2E3C Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6EBFF2E81

Part of subcall function 00007FF6EBFF24E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFF24FC

Part of subcall function 00007FF6EBFED3C8: RtlFreeHeap.NTDLL ref: 00007FF6EBFED3DE
Part of subcall function 00007FF6EBFED3C8: GetLastError.KERNEL32 ref: 00007FF6EBFED3E8

Part of subcall function 00007FF6EBFE8284: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6EBFE8233,?,?,?,?,-2723E8D8DEBC5093,00007FF6EBFE811E), ref: 00007FF6EBFE828D
Part of subcall function 00007FF6EBFE8284: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6EBFE8233,?,?,?,?,-2723E8D8DEBC5093,00007FF6EBFE811E), ref: 00007FF6EBFE82B2

Part of subcall function 00007FF6EBFFBA84: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFFB9CF

_get_daylight.LIBCMT ref: 00007FF6EBFF2E70

Part of subcall function 00007FF6EBFF2548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFF255C

_get_daylight.LIBCMT ref: 00007FF6EBFF30E6
_get_daylight.LIBCMT ref: 00007FF6EBFF30F7
_get_daylight.LIBCMT ref: 00007FF6EBFF3108
GetTimeZoneInformation.KERNEL32(00007FF6EBFF33F8), ref: 00007FF6EBFF312F

Strings

Eastern Summer Time, xrefs: 00007FF6EBFF31ED
Eastern Standard Time, xrefs: 00007FF6EBFF31D5

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: 6ff4704e37b1592320c13e659d1f856dd22dc212be1b833c6838491f576543a9
Instruction ID: a0e514d3ef693e3db5cd3ed27aba9c2484dcce8ae8809dad09ab5d384cda702b
Opcode Fuzzy Hash: 6ff4704e37b1592320c13e659d1f856dd22dc212be1b833c6838491f576543a9
Instruction Fuzzy Hash: 16D1D123E0860286EB209F25D9507FD6761FF48B94F548036EA1DC7AA6DF3EE441C34A

Function 00007FF6EC010658 Relevance: 13.8, APIs: 9, Instructions: 276fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EC01023C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EC01027D
Part of subcall function 00007FF6EC01023C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EC0102FB
Part of subcall function 00007FF6EC01023C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EC01034C

CreateFileW.KERNEL32 ref: 00007FF6EC01075E
CreateFileW.KERNEL32 ref: 00007FF6EC0107AE
GetLastError.KERNEL32 ref: 00007FF6EC0107DE
GetFileType.KERNEL32 ref: 00007FF6EC0107F3
GetLastError.KERNEL32 ref: 00007FF6EC0107FD
CloseHandle.KERNEL32 ref: 00007FF6EC010830
CloseHandle.KERNEL32 ref: 00007FF6EC010993
CreateFileW.KERNEL32 ref: 00007FF6EC0109C8
GetLastError.KERNEL32 ref: 00007FF6EC0109D7

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 9219a76bbf5b0a68fd8075754a2c2160bfaa822f6e476498c8a23ea95eed312f
Instruction ID: 28b96ce90c458595f8eff05c31ec59ef1e7c09a739561339bf16f2f58829311f
Opcode Fuzzy Hash: 9219a76bbf5b0a68fd8075754a2c2160bfaa822f6e476498c8a23ea95eed312f
Instruction Fuzzy Hash: CBC1CF33B28A4285EB10CFA9C4902BC3761FB49BACF011225DE6E9B3A5DF3AD115C345

Function 00007FF6EBFF30B8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF6EBFF30E6

Part of subcall function 00007FF6EBFF2548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFF255C

_get_daylight.LIBCMT ref: 00007FF6EBFF30F7

Part of subcall function 00007FF6EBFF24E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFF24FC

_get_daylight.LIBCMT ref: 00007FF6EBFF3108

Part of subcall function 00007FF6EBFF2518: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFF252C

Part of subcall function 00007FF6EBFED3C8: RtlFreeHeap.NTDLL ref: 00007FF6EBFED3DE
Part of subcall function 00007FF6EBFED3C8: GetLastError.KERNEL32 ref: 00007FF6EBFED3E8

GetTimeZoneInformation.KERNEL32(00007FF6EBFF33F8), ref: 00007FF6EBFF312F

Strings

Eastern Summer Time, xrefs: 00007FF6EBFF31ED
Eastern Standard Time, xrefs: 00007FF6EBFF31D5

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 12951480f3fe79566017d45e51369301be5158125170c6a9e6aaf334c955a331
Instruction ID: cd1c1a2b069b02abfe3287ae3d54a8efd81ad88f09d9c0303b67fa5711c0a10f
Opcode Fuzzy Hash: 12951480f3fe79566017d45e51369301be5158125170c6a9e6aaf334c955a331
Instruction Fuzzy Hash: 57518F33A0864286E720DF25E9906FD6760FB4CB84F559135EA1DC7AA6DF3EE400C749

Function 00007FF6EBFE918C Relevance: 9.2, APIs: 6, Instructions: 227COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFE91AE
_get_daylight.LIBCMT ref: 00007FF6EBFE920E
_get_daylight.LIBCMT ref: 00007FF6EBFE921F
_get_daylight.LIBCMT ref: 00007FF6EBFE9230
_isindst.LIBCMT ref: 00007FF6EBFE9281
_isindst.LIBCMT ref: 00007FF6EBFE92D4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _get_daylight$_isindst$_invalid_parameter_noinfo
String ID:
API String ID: 1405656091-0
Opcode ID: cd6fea744430340711cd49b3e9bdbfdb1b852b0eb5a7692198664b91c055b650
Instruction ID: 8d8f5deb7f484c72c86eb23b1b069ad76fbc0d5ecc9671c4149e457f269bd2d1
Opcode Fuzzy Hash: cd6fea744430340711cd49b3e9bdbfdb1b852b0eb5a7692198664b91c055b650
Instruction Fuzzy Hash: 2281A3B3B042468BEB588F25C9413FC22A5EB58B98F04D039EA0D8B799EF3DE540C755

Function 00007FF6EBFD6860 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 268COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD6C4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD6C51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD6C57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD6C5D

Strings

cores, xrefs: 00007FF6EBFD6ABE

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: cores
API String ID: 3668304517-2370456839
Opcode ID: a87a5c1c4029a56fc1ae84d797c8968129aed14d0dad27f13aedc116e44e4e04
Instruction ID: 925818fcc87b5c113f62752446fcaf4b22f61c2548bff3b233d4f4f215ff9345
Opcode Fuzzy Hash: a87a5c1c4029a56fc1ae84d797c8968129aed14d0dad27f13aedc116e44e4e04
Instruction Fuzzy Hash: 77C10663E18B818AF710CFB8D4403EC7761E7997A8F105325EA9C57AA6DF39D181C748

Function 00007FF6EBFDB9B0 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6EBFDB9FE
OpenProcessToken.ADVAPI32 ref: 00007FF6EBFDBA11
LookupPrivilegeValueW.ADVAPI32 ref: 00007FF6EBFDBA32
AdjustTokenPrivileges.KERNELBASE ref: 00007FF6EBFDBA78
CloseHandle.KERNEL32 ref: 00007FF6EBFDBA98

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ProcessToken$AdjustCloseCurrentHandleLookupOpenPrivilegePrivilegesValue
String ID:
API String ID: 3038321057-0
Opcode ID: d2de06470b4ed8e39d37734a47601b9eff7cf65b32299141bc4bcc42cf026e17
Instruction ID: fceeffa0599be5956c7197ec5dbb0cb3edb5293b20dc67f6a99eec677b9db5ff
Opcode Fuzzy Hash: d2de06470b4ed8e39d37734a47601b9eff7cf65b32299141bc4bcc42cf026e17
Instruction Fuzzy Hash: 94219132618B8186E720CF21F45436AB3A0FB88B80F958135EA8D83B58DF7ED544CB44

Function 00007FF6EBF7F730 Relevance: 4.8, APIs: 3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435728f26feb55d38dd2406e9396d00c3032b6853f4929e1a1c60f4ff5484234
Instruction ID: 1ce35b23f897dc84b8f64fe4e62a29829ebe865267247ca648fe48ef0c5acffa
Opcode Fuzzy Hash: 435728f26feb55d38dd2406e9396d00c3032b6853f4929e1a1c60f4ff5484234
Instruction Fuzzy Hash: AEF15C73A19BC58AEB208B69E4413AD77A0F78C798F100325EEDC57B99EF79C1808744

Function 00007FF6EBF7FE20 Relevance: 4.8, APIs: 3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0256dd7fc52a6c4b2d738b897fca39afb68c8f6f903d96dd625e41008a66197
Instruction ID: 607e6b69d1d0ea5e8026702a4ad42811c33292b3af610f30d97ddd49fcd1c123
Opcode Fuzzy Hash: a0256dd7fc52a6c4b2d738b897fca39afb68c8f6f903d96dd625e41008a66197
Instruction Fuzzy Hash: 60F14D33A09B858AEB208B69E44039D77A4F78C798F104325EEDC57B99EF78D190C744

Function 00007FF6EBF80450 Relevance: 4.8, APIs: 3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a763192257ec61e9adf52f6911b76a4d9ec981118bcce0b41448b20aa0983423
Instruction ID: a4da3c99be5486740fbc866e6424f38a3c05e8e8bf0e82d5089f7abd381811cd
Opcode Fuzzy Hash: a763192257ec61e9adf52f6911b76a4d9ec981118bcce0b41448b20aa0983423
Instruction Fuzzy Hash: E9F14D73A19B858AEB208B69E44039D77A4F78C7A8F100325EADC57B99EF38D190C744

Function 00007FF6EBFD76A0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 217timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32 ref: 00007FF6EBFD79D0

Strings

[UTC, xrefs: 00007FF6EBFD79A3

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: InformationTimeZone
String ID: [UTC
API String ID: 565725191-1715286942
Opcode ID: 6fe6f81e5b62afaa7baa2b9ab6ff81250fb1b9bc5dec80abcd354a2763d4484f
Instruction ID: f62c9395461f74d239a337a9ea56d48f7be07c519ccdfc2005e38f5b4c17c4d8
Opcode Fuzzy Hash: 6fe6f81e5b62afaa7baa2b9ab6ff81250fb1b9bc5dec80abcd354a2763d4484f
Instruction Fuzzy Hash: 54B13C32918BC889D7718F29E84129AB7A4F78D788F105325EACC57B59DF78D250CB44

Function 00007FF6EBFD73F0 Relevance: 3.1, APIs: 2, Instructions: 137COMMON

Download Yara Rule

APIs

GetLogicalDriveStringsW.KERNEL32 ref: 00007FF6EBFD7461

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: DriveLogicalStrings
String ID:
API String ID: 2022863570-0
Opcode ID: fb7d747b0e00fdc5bcf2296ff1af6a0a651aca07fcdd1d1013c1aaaac54d4c2a
Instruction ID: 479334b2a165b649aecd01be3a81f5aeeb8b39f8355f8ce83bca0e074bd8ec87
Opcode Fuzzy Hash: fb7d747b0e00fdc5bcf2296ff1af6a0a651aca07fcdd1d1013c1aaaac54d4c2a
Instruction Fuzzy Hash: 75519033E08B8082E7108F24E4803AE7765FB88798F105225EB9C57AA9DF7DE591DB44

Function 00007FF6EBFC7BA0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00007FF6EBFC7BF8
LocalFree.KERNEL32 ref: 00007FF6EBFC7C8A

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CryptDataFreeLocalUnprotect
String ID:
API String ID: 1561624719-0
Opcode ID: 3f0d2640eba4d0f7871c2ec703edcb503dbe0d7ea7d03094cd3af9045bbe76bf
Instruction ID: 9f418e52aa4afbbf22a06f70928abd16db5753c7c53e166b287f32d6c6f66147
Opcode Fuzzy Hash: 3f0d2640eba4d0f7871c2ec703edcb503dbe0d7ea7d03094cd3af9045bbe76bf
Instruction Fuzzy Hash: 5A412633A18A818AE3208F74D4503ED37A4FB5878CF444229EB8C46A4ADF7AD5A4C748

Function 00007FF6EBF81B90 Relevance: 1.8, APIs: 1, Instructions: 283COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF81FD2

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: a1a3130b3957abc88560b0093295f96a78c31b3c67a94cf5472d23aee1a1b46d
Instruction ID: 446d1e38eb6f81dea5cb211988981f4f8c7c7e5d3ac06ea76dcbd8673083fc54
Opcode Fuzzy Hash: a1a3130b3957abc88560b0093295f96a78c31b3c67a94cf5472d23aee1a1b46d
Instruction Fuzzy Hash: 3BD16B63F18B8189F711CB75D4403EC27B2EB5978CF005235EA4C67AAADF79A191C389

Function 00007FF6EBFD6150 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32 ref: 00007FF6EBFD6195

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 543acbdf146a9e7b635a600a3cba3d05f3b2ef6cd278b1f660c9ea2185c3ff0f
Instruction ID: 3cdc4b75336fd83ac48e21439f6744206c0d8a0d205d4182434acf91771b007d
Opcode Fuzzy Hash: 543acbdf146a9e7b635a600a3cba3d05f3b2ef6cd278b1f660c9ea2185c3ff0f
Instruction Fuzzy Hash: 2101613391878182E721CF21F8403AAB3A0FB9C788F540131E68D83659DFBDD194CB49

Function 00007FF6EBFDD050 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

\u%04x, xrefs: 00007FF6EBFDD242

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: \u%04x
API String ID: 0-2916071157
Opcode ID: b2b871009dddb1a89fd49cebdd6041a976c6c630323626df0c68259fe89b00fc
Instruction ID: f07a1daa87ebd1f8db33ffba73f63c4c317f5caa9fc749dd28f8f675a7e23ab1
Opcode Fuzzy Hash: b2b871009dddb1a89fd49cebdd6041a976c6c630323626df0c68259fe89b00fc
Instruction Fuzzy Hash: EE815627B0868691EA54DB25E0507FE6760FB89B80F448132DF0E93BA5DF3EE605C709

Function 00007FF6EBFDC5CB Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

": , xrefs: 00007FF6EBFDC6B1, 00007FF6EBFDC75E

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: ":
API String ID: 0-3662656813
Opcode ID: 319ab71c5f42aa37bb32eb00852f8e3ea5b886a469a470e3f8ed3cf71016280d
Instruction ID: a97fd1e734e3668d8c696008682a6a6476a80e8bcb17b2a5282639901b202b5e
Opcode Fuzzy Hash: 319ab71c5f42aa37bb32eb00852f8e3ea5b886a469a470e3f8ed3cf71016280d
Instruction Fuzzy Hash: 22912677708A8681DB209F2AE1947AD7761FB88FC8F409022CB5E47B65CF3AD558CB05

Function 00007FF6EBF95310 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/, xrefs: 00007FF6EBF95399

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
API String ID: 0-1713319389
Opcode ID: a7242879f608aa47813c865fc74e262a7c273f84777ad565790803f492419e94
Instruction ID: f0b6aae499f3d5b48946f7ac5d35b5cf801428a1bbf866c1ce549c502db3ab67
Opcode Fuzzy Hash: a7242879f608aa47813c865fc74e262a7c273f84777ad565790803f492419e94
Instruction Fuzzy Hash: 2541156361D7E04AD702CB39841137D7FB2D36AB89B1CC162D7D887756CA2ED206CB11

Function 00007FF6EBFCEBF0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EBFCE970: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF6EBFCE9C1
Part of subcall function 00007FF6EBFCE970: GetLastError.KERNEL32 ref: 00007FF6EBFCE9CB

EnterCriticalSection.KERNEL32 ref: 00007FF6EBFCEC31
GdiplusStartup.GDIPLUS ref: 00007FF6EBFCEC58
LeaveCriticalSection.KERNEL32 ref: 00007FF6EBFCEC66
LeaveCriticalSection.KERNEL32 ref: 00007FF6EBFCEC94
GdipGetImageEncodersSize.GDIPLUS ref: 00007FF6EBFCECA2
GdipGetImageEncoders.GDIPLUS ref: 00007FF6EBFCED36
GdipCreateBitmapFromScan0.GDIPLUS ref: 00007FF6EBFCEE00
GdipSaveImageToStream.GDIPLUS ref: 00007FF6EBFCEE1E
GdipDisposeImage.GDIPLUS ref: 00007FF6EBFCEE83
GdipDisposeImage.GDIPLUS ref: 00007FF6EBFCEE97

Strings

&, xrefs: 00007FF6EBFCEDFA

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Gdip$Image$CriticalSection$DisposeEncodersLeave$BitmapCreateEnterErrorFromGdiplusInitializeLastSaveScan0SizeStartupStream
String ID: &
API String ID: 1703174404-3042966939
Opcode ID: bf0236f101f8e21e317088f3cb88ff4920e04948ae26449d129670ccf4dc63a8
Instruction ID: 065b12599f3587357f3673c47a7ad6a9c8d1720ada37d353de338c61f9d9be0c
Opcode Fuzzy Hash: bf0236f101f8e21e317088f3cb88ff4920e04948ae26449d129670ccf4dc63a8
Instruction Fuzzy Hash: 59918133B04B4289E720CF20E8107E937A4FB58B98F554635DA0D8BBA4DF3AE595C749

Function 00007FF6EBFCFCA0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 226
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6EBFD58D0: GetUserGeoID.KERNEL32 ref: 00007FF6EBFD58F7
Part of subcall function 00007FF6EBFD58D0: GetGeoInfoA.KERNEL32 ref: 00007FF6EBFD5911
Part of subcall function 00007FF6EBFD58D0: GetGeoInfoA.KERNEL32 ref: 00007FF6EBFD5961

Part of subcall function 00007FF6EBF91900: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF919D4

WSAStartup.WS2_32 ref: 00007FF6EBFCFDBE
socket.WS2_32 ref: 00007FF6EBFCFDDB
htons.WS2_32 ref: 00007FF6EBFCFE00
inet_pton.WS2_32 ref: 00007FF6EBFCFE42
connect.WS2_32 ref: 00007FF6EBFCFE5C
closesocket.WS2_32 ref: 00007FF6EBFCFE7B
WSACleanup.WS2_32 ref: 00007FF6EBFCFE81
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD0025
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD002B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD0031

Strings

system, xrefs: 00007FF6EBFCFD2A
geo, xrefs: 00007FF6EBFCFD6B

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Info$CleanupStartupUserclosesocketconnecthtonsinet_ptonsocket
String ID: geo$system
API String ID: 2440148987-2364779556
Opcode ID: 79ad5b3e3efdae5a5b2a0125b093c5025208262c15e6277f1057e95b232bf15d
Instruction ID: 44fe7282650a799c5f91a0d74ee495fabf358f5383f95305f01c9f5a6b053bb5
Opcode Fuzzy Hash: 79ad5b3e3efdae5a5b2a0125b093c5025208262c15e6277f1057e95b232bf15d
Instruction Fuzzy Hash: 1CB19163F18A4285EB009F74D4503FC2362AF58798F415236DA6C97BA9DF3AD549C309

Function 00007FF6EBFD7A84 Relevance: 16.9, APIs: 11, Instructions: 356COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD7FE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD7FE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD7FEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD7FF2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD7FF8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD7FFE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD8004
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD800A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD8010
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD8016
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD801C

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 3ec2c6582c01c6f5f21d75f637b81b2b286b1884956eaace790e428f66b07f29
Instruction ID: 75c4e4c058fd8057d828e8be632d5406ba413cccb8f8eae716519a37445fa74a
Opcode Fuzzy Hash: 3ec2c6582c01c6f5f21d75f637b81b2b286b1884956eaace790e428f66b07f29
Instruction Fuzzy Hash: A7E1F0A3E18BC145EB119B38D4443FD2721EB9D7A8F105721EA6C4BAEADF7991C0C349

Function 00007FF6EBFF092C Relevance: 10.8, APIs: 7, Instructions: 290COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFF0D59

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 8d4d1184268d38eb40f1b2f8de77a3be335aedca5c603a4bb4196d88dea7cd4c
Instruction ID: c8abe67108ef98e9c24013029bc52cd24e3535316b564e05c81544b9f622d0df
Opcode Fuzzy Hash: 8d4d1184268d38eb40f1b2f8de77a3be335aedca5c603a4bb4196d88dea7cd4c
Instruction Fuzzy Hash: 4DC1DF23A0C68791EA608F2494403FD7B91FB89B90F654135DA4DC77B2DE7EE845C30A

Function 00007FF6EBFD7151 Relevance: 9.2, APIs: 6, Instructions: 163registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6EBFD7169
RegEnumKeyExA.KERNEL32 ref: 00007FF6EBFD71AE
RegCloseKey.ADVAPI32 ref: 00007FF6EBFD73A4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD73D7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD73E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD73E9

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseEnumOpen
String ID:
API String ID: 2177193445-0
Opcode ID: 335175d7de52c3cde64611ab16eb3cfcda64a9e8965c77d2a6e7e56c34a0b7bd
Instruction ID: c8ad44bf34b6cc35b2f07113c5e9df2c3bad2a368f61c512c7e1fa1bc6612ef5
Opcode Fuzzy Hash: 335175d7de52c3cde64611ab16eb3cfcda64a9e8965c77d2a6e7e56c34a0b7bd
Instruction Fuzzy Hash: EE719173E08B8685EB108B65E4403AD6760FB893A8F100225EFAD57AE5DF7DE091C705

Function 00007FF6EBFCEA50 Relevance: 9.0, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 00007FF6EBFCEA93
EnterCriticalSection.KERNEL32 ref: 00007FF6EBFCEAA5
EnterCriticalSection.KERNEL32 ref: 00007FF6EBFCEAB5
GdiplusShutdown.GDIPLUS ref: 00007FF6EBFCEAC3
LeaveCriticalSection.KERNEL32 ref: 00007FF6EBFCEAD0
LeaveCriticalSection.KERNEL32 ref: 00007FF6EBFCEADA

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DeleteGdiplusObjectShutdown
String ID:
API String ID: 4268643673-0
Opcode ID: 46c865431367d1bada0cd35fb3685f35713bfb53898f18d72c1e296ca1b3c958
Instruction ID: b44a9b9cd2e9f095401facb3907a37cb17f85537ffd5d4cf7eb26673e3271ca2
Opcode Fuzzy Hash: 46c865431367d1bada0cd35fb3685f35713bfb53898f18d72c1e296ca1b3c958
Instruction Fuzzy Hash: A9116D33605B41C1EB148F24F8601687374FB48FA4B684235DA5E876F4DF3AD896C749

Function 00007FF6EBFBCAB0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFBCE19
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFBCE1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFBCE25
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFBCE2B

Strings

exists, xrefs: 00007FF6EBFBCDF7, 00007FF6EBFBCE0C

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: exists
API String ID: 3668304517-2996790960
Opcode ID: dd39506e3b16e7330b4abe6451600a7c0fd848cc8279869255eb7a7b046cd30c
Instruction ID: 1d79c42506d438ba73329fbc141cf212625658f6f1ad47d3f574f9cc9d3a2467
Opcode Fuzzy Hash: dd39506e3b16e7330b4abe6451600a7c0fd848cc8279869255eb7a7b046cd30c
Instruction Fuzzy Hash: B0A19473A14B8285EB10DF28E8803EE6361FB48798F105635EA6D97AACDF79D581C305

Function 00007FF6EBFBF7A0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFBFB09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFBFB0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFBFB15
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFBFB1B

Strings

exists, xrefs: 00007FF6EBFBFAE7, 00007FF6EBFBFAFC

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: exists
API String ID: 3668304517-2996790960
Opcode ID: a44ba3adb8b489534081c7e7143e4e360c22edcd45d63f06aad23b00fe7e26f9
Instruction ID: c62ee714d6bb5d88e6801cfd443db6785e355c92841dddf8e26353e4f5858714
Opcode Fuzzy Hash: a44ba3adb8b489534081c7e7143e4e360c22edcd45d63f06aad23b00fe7e26f9
Instruction Fuzzy Hash: FCA1A473A14B8295EB10DF28E8903ED6361FB48798F105632EA9C87AECDF39D581C305

Function 00007FF6EBFD70E0 Relevance: 7.6, APIs: 5, Instructions: 96registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6EBFD7169
RegEnumKeyExA.KERNEL32 ref: 00007FF6EBFD71AE

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: EnumOpen
String ID:
API String ID: 3231578192-0
Opcode ID: d80f14cf87453080268adb68deae75d6ba4fc3d7dfc0e44dc0fd8621660a0c44
Instruction ID: 83448ceaffdbfade3a80ecefdd03842782604bad292369afd84c5938f394463f
Opcode Fuzzy Hash: d80f14cf87453080268adb68deae75d6ba4fc3d7dfc0e44dc0fd8621660a0c44
Instruction Fuzzy Hash: 95319F33A14B8685E7208FA1E850BAE7364FB48798F200225EF9D57B64DF3DD592C708

Function 00007FF6EBFD0040 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 333COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD064D

Strings

exists, xrefs: 00007FF6EBFD0663
ios_base::badbit set, xrefs: 00007FF6EBFD0685, 00007FF6EBFD06BC, 00007FF6EBFD06FA

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: exists$ios_base::badbit set
API String ID: 3668304517-2074760687
Opcode ID: be5baf6a45f3388e1d191bb0d74bb8fda1e0b9d9c77acac1c5cb0ee964cc72c1
Instruction ID: 5c3fff6b809dfac781da71f66c7a35cb7fcba2e6d726cac70f3a38949d153d7d
Opcode Fuzzy Hash: be5baf6a45f3388e1d191bb0d74bb8fda1e0b9d9c77acac1c5cb0ee964cc72c1
Instruction Fuzzy Hash: 26F16273A1DBC291EA61DB14E4943EEA361FBC8744F804132DA8D83AA9DF7ED505CB05

Function 00007FF6EBFD0730 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 325COMMON

Download Yara Rule

Strings

exists, xrefs: 00007FF6EBFD0D3B
ios_base::badbit set, xrefs: 00007FF6EBFD0D5D, 00007FF6EBFD0D94, 00007FF6EBFD0DD2

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: exists$ios_base::badbit set
API String ID: 0-2074760687
Opcode ID: c0ba86726db1fc3d4dca897409d179d31dc2fc9af7ec50ae3b3b445d14058caa
Instruction ID: e66c202a8e140ccba35dd2c5d068c39d289b4029a66b572bf99fae3ead3da66a
Opcode Fuzzy Hash: c0ba86726db1fc3d4dca897409d179d31dc2fc9af7ec50ae3b3b445d14058caa
Instruction Fuzzy Hash: 08F17173A1DBC291EA20DB14E4943EEA360FBC8784F404132DA8D83AA9DF7ED545CB45

Function 00007FF6EBF87AA0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFD73F0: GetLogicalDriveStringsW.KERNEL32 ref: 00007FF6EBFD7461

Part of subcall function 00007FF6EBF87AA0: FindFirstFileW.KERNEL32 ref: 00007FF6EBF86E8F

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF87C0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF87C15

Strings

filename, xrefs: 00007FF6EBF8746A
content, xrefs: 00007FF6EBF8755F

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$DriveFileFindFirstLogicalStrings
String ID: content$filename
API String ID: 3820383557-474635906
Opcode ID: 20add7056d8b2eb03ca0bd7d4cb820fe4141accc525585ac0007d3c03aa2e00b
Instruction ID: 6088a125ef8e50af184ac159dd5ae6f7b0b49ef470e87fd4ae590cf30dd1eb8f
Opcode Fuzzy Hash: 20add7056d8b2eb03ca0bd7d4cb820fe4141accc525585ac0007d3c03aa2e00b
Instruction Fuzzy Hash: BF417663E1868141EA209B15F4413AEA752EB897F4F180331EBAD47BF9DE7DD181C709

Function 00007FF6EBF98560 Relevance: 6.2, APIs: 4, Instructions: 192COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF986A0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF986A6
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF9879F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF987A5

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: f3d20f7ff9aef2d20e099abdc6c0f644fad1f528a559c700ea0f51425dce6b11
Instruction ID: 134a31ecf59c19484dc2e7ca241d398c34bc13387d7ea21085c3612b957ba185
Opcode Fuzzy Hash: f3d20f7ff9aef2d20e099abdc6c0f644fad1f528a559c700ea0f51425dce6b11
Instruction Fuzzy Hash: 6F51EA63B0974245EE259F51E5003F96261AB0CBE4F580631DF6D8B7E6DE3EE582C30A

Function 00007FF6EBFCF820 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6EBFCF85B
OpenProcessToken.ADVAPI32 ref: 00007FF6EBFCF86E
GetTokenInformation.KERNELBASE ref: 00007FF6EBFCF8AA
CloseHandle.KERNEL32 ref: 00007FF6EBFCF8CB

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ProcessToken$CloseCurrentHandleInformationOpen
String ID:
API String ID: 215268677-0
Opcode ID: 1c225c442ed3ae12c114120d81f2afce391d37106ff629cfd40a7a8c2f449ed4
Instruction ID: 4576b5938152ba352cd11a0f10032030514175fe49b4b55b9d7c3062c1d506cd
Opcode Fuzzy Hash: 1c225c442ed3ae12c114120d81f2afce391d37106ff629cfd40a7a8c2f449ed4
Instruction Fuzzy Hash: 16112133618B4182E7509F11F85036AB3A0FB88B80F545135EB9D87B68DF3DD445CB49

Function 00007FF6EBF91EB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF9209C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF920A2

Strings

, xrefs: 00007FF6EBF91F33

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-3916222277
Opcode ID: e9ee0ea9cb05badcaafc3030dd89d403cff2b1080adc24c0eb6429b903a99815
Instruction ID: 460ee60fd52b958e3f565eb249d84e055f18ff96019ee7608026779cdc54427b
Opcode Fuzzy Hash: e9ee0ea9cb05badcaafc3030dd89d403cff2b1080adc24c0eb6429b903a99815
Instruction Fuzzy Hash: FB517833A08B4596EB158F6AD5503AC73A0FB88B94F544632CB5D83BB4CF7AE4A1C305

Function 00007FF6EBFD6460 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegGetValueA.KERNEL32 ref: 00007FF6EBFD64C9

Strings

SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 00007FF6EBFD64BB
ProductName, xrefs: 00007FF6EBFD64B4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Value
String ID: ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 3702945584-1787575317
Opcode ID: e129a29887b9f0183be8920cc3d2091bc8a651926bc5c4bdd94bfbca20363a4e
Instruction ID: 5f38c1402c81aa75e1308e99704924f173dcd1808065e2b1f1753e5eae750851
Opcode Fuzzy Hash: e129a29887b9f0183be8920cc3d2091bc8a651926bc5c4bdd94bfbca20363a4e
Instruction Fuzzy Hash: 1A11B13361CB8182E7208F21F4403AAB3A4FB88788F504235EA8C83B59CF7DD154CB44

Function 00007FF6EBFD4DB7 Relevance: 4.7, APIs: 3, Instructions: 182networkCOMMON

Download Yara Rule

APIs

recv.WS2_32 ref: 00007FF6EBFD50EC
closesocket.WS2_32 ref: 00007FF6EBFD50FE
WSACleanup.WS2_32 ref: 00007FF6EBFD5104
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD521A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5226
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD522C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5232

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Cleanupclosesocketrecv
String ID:
API String ID: 1729841683-0
Opcode ID: 423ce7c02498701cdf810b56ca2b3f2970b796b57fc3722cb109c0b0bb42e6c9
Instruction ID: 72d0311316521fd65af92e8ae6cce705599421b91dd6142b92c5a71d3620c892
Opcode Fuzzy Hash: 423ce7c02498701cdf810b56ca2b3f2970b796b57fc3722cb109c0b0bb42e6c9
Instruction Fuzzy Hash: F7918573E18BC141EA209B14E4543EE6761EB897A0F104331DAAC87AF9DF7ED481C745

Function 00007FF6EBF7E2A0 Relevance: 4.7, APIs: 3, Instructions: 175COMMON

Download Yara Rule

APIs

__std_fs_directory_iterator_open.LIBCPMT ref: 00007FF6EBF7E3D3

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: __std_fs_directory_iterator_open
String ID:
API String ID: 4007087469-0
Opcode ID: bade2491281f1fef4aa2a3921fc5c81b18db9172341867c9daf41203c220b864
Instruction ID: 58f1cfcd5fe823be3edfbe69f4cb9542cb8d271fbd21cb7c68a431edb2651bd1
Opcode Fuzzy Hash: bade2491281f1fef4aa2a3921fc5c81b18db9172341867c9daf41203c220b864
Instruction Fuzzy Hash: 1961D373F24A5285FB10DF65E4A03FC22A5AB487A8F104632DE1D97AE5DE7ED481C309

Function 00007FF6EBFCEED0 Relevance: 4.6, APIs: 3, Instructions: 87COMMON

Download Yara Rule

APIs

SHGetKnownFolderPath.SHELL32 ref: 00007FF6EBFCEF29
CoTaskMemFree.OLE32 ref: 00007FF6EBFCEFEA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFCF012

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: FolderFreeKnownPathTask_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2444108017-0
Opcode ID: 99fb8c2fe80d49c3e055109db2acc5069031cd252a507a967ec4545ab22d43bc
Instruction ID: b49e3c95dce5d0e856cc4e24dfdedc4531bde4d0f6d656e222802f93886d0572
Opcode Fuzzy Hash: 99fb8c2fe80d49c3e055109db2acc5069031cd252a507a967ec4545ab22d43bc
Instruction Fuzzy Hash: 74316473A18B8181E620CF25E45036AA761FB987B4F205325FAAC47AA5DF7DD181CB44

Function 00007FF6EBFFE244 Relevance: 4.6, APIs: 3, Instructions: 78COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6EBFFD34F), ref: 00007FF6EBFFE25D
FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6EBFFD34F), ref: 00007FF6EBFFE2CF

Part of subcall function 00007FF6EBFEE8BC: HeapAlloc.KERNEL32 ref: 00007FF6EBFEE8FA

FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF6EBFFD34F), ref: 00007FF6EBFFE32E

Part of subcall function 00007FF6EBFED3C8: RtlFreeHeap.NTDLL ref: 00007FF6EBFED3DE
Part of subcall function 00007FF6EBFED3C8: GetLastError.KERNEL32 ref: 00007FF6EBFED3E8

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: EnvironmentFreeStrings$Heap$AllocErrorLast
String ID:
API String ID: 3331406755-0
Opcode ID: 1d0bf75b071093d12094f7dee8fd8af945b062a2b8fd277503c0f7ab36c504b9
Instruction ID: 7455758f5d35e95a54bd008d3b29d878ce6338e56c9e2216bedb79f809a033cc
Opcode Fuzzy Hash: 1d0bf75b071093d12094f7dee8fd8af945b062a2b8fd277503c0f7ab36c504b9
Instruction Fuzzy Hash: DC31A132A0874285EA249F2574102BE7694BB4CBE0F585235EA4E97FE5EF3DE051C30A

Function 00007FF6EBFD6E1B Relevance: 4.6, APIs: 3, Instructions: 68registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6EBFD6E37
RegQueryValueExA.KERNEL32 ref: 00007FF6EBFD6E76
RegCloseKey.ADVAPI32 ref: 00007FF6EBFD6F14

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 17dee76c03d428f35d4c65fa7b9c3d7c2ee4daaffae04ff52252677660165fa7
Instruction ID: 04ce7ce5b6ae7f69180a4dffa6c5f56e9ce8b709fbd4140f0d8dd5c762417e03
Opcode Fuzzy Hash: 17dee76c03d428f35d4c65fa7b9c3d7c2ee4daaffae04ff52252677660165fa7
Instruction Fuzzy Hash: 9D21D873E18B8241EA10DB65F4503AEA350FBC97D4F105235EA8D83AA5EF3DD084CB09

Function 00007FF6EBFD58D0 Relevance: 4.6, APIs: 3, Instructions: 50COMMON

Download Yara Rule

APIs

GetUserGeoID.KERNEL32 ref: 00007FF6EBFD58F7
GetGeoInfoA.KERNEL32 ref: 00007FF6EBFD5911
GetGeoInfoA.KERNEL32 ref: 00007FF6EBFD5961

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Info$User
String ID:
API String ID: 2017065092-0
Opcode ID: 877c1b4e073b3a87c3d7ac6068cbd316133fc0437c9f32c249d117db553f0db1
Instruction ID: 26bb40c429b49d09352fac18fc674dd52b2d0b634e44a9f06a34ffd22403ed3f
Opcode Fuzzy Hash: 877c1b4e073b3a87c3d7ac6068cbd316133fc0437c9f32c249d117db553f0db1
Instruction Fuzzy Hash: 31118B33A1878282D7108F61E42076EB3A2FB84F88F045135EB8943B59DF7DE490CB4A

Function 00007FF6EBFF4F60 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF6EBFF4F5C), ref: 00007FF6EBFF4F71
TerminateProcess.KERNEL32(?,?,?,00007FF6EBFF4F5C), ref: 00007FF6EBFF4F7C
ExitProcess.KERNEL32 ref: 00007FF6EBFF4F8B

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 38c7b4f83e553420579c8e330882a64258dcf8d372290847a19fb81a50e45df1
Instruction ID: dadcab730ee444afef2478dcc0ec62bff95de6f1a5ab725074b48c5e75e66840
Opcode Fuzzy Hash: 38c7b4f83e553420579c8e330882a64258dcf8d372290847a19fb81a50e45df1
Instruction Fuzzy Hash: F4D09E12B1870252EF282B705CA52BC12556F9DB01F501438D80FC73F3DE2FA449C20E

Function 00007FF6EBFD6C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 00007FF6EBFD6CAC

Strings

Unknown, xrefs: 00007FF6EBFD6D66

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CurrentProfile
String ID: Unknown
API String ID: 2104809126-1654365787
Opcode ID: 4f76827918f10dd37431429cd59c3a5dad29082fcd72efb0a37b876298fa9b22
Instruction ID: 8c2c2b98620b93723ff6633c9422cc01c0d7d31b9c70adbd4bc9d256fccae525
Opcode Fuzzy Hash: 4f76827918f10dd37431429cd59c3a5dad29082fcd72efb0a37b876298fa9b22
Instruction Fuzzy Hash: 9331CD23A2CBC186E7108F20F4403AAA360FB99B44F545225EBCD47A5ADF7DD695CB04

Function 00007FF6EBFDC190 Relevance: 3.3, APIs: 2, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84cc3fcf227e02e52b61538abd4e65d466ccc1b3300c52dbbcf8ccaa401fe197
Instruction ID: 152d99064f66b1a23c05c29ffee6cd327b1d110a7ea58ff96a1c7310c7376ce8
Opcode Fuzzy Hash: 84cc3fcf227e02e52b61538abd4e65d466ccc1b3300c52dbbcf8ccaa401fe197
Instruction Fuzzy Hash: 3EA1B673A08B8186EB10DF25E8443AD77A0FB89B98F189135DA4D87765DF3ED481CB44

Function 00007FF6EBFDF150 Relevance: 3.2, APIs: 2, Instructions: 189COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFDF394
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFDF3A0

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: ac9bef72bc1becd6db7cc4271beee6234b712f072e2808e18e88f5b5e70667f7
Instruction ID: 6f7201cb724231b88a0ebfa772dde016c7bd800568f460d0cd06a5c8a829af2f
Opcode Fuzzy Hash: ac9bef72bc1becd6db7cc4271beee6234b712f072e2808e18e88f5b5e70667f7
Instruction Fuzzy Hash: 6161CE27B08A8184EA149F15E1547BC23A1AB08FDCF548531CEAD877E5DF3ED856C709

Function 00007FF6EBFCD260 Relevance: 3.2, APIs: 2, Instructions: 162COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFCD510: RegOpenKeyExA.KERNEL32 ref: 00007FF6EBFCD561
Part of subcall function 00007FF6EBFCD510: RegCloseKey.ADVAPI32 ref: 00007FF6EBFCD573

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFCD4F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFCD4FE

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseOpen
String ID:
API String ID: 3087652857-0
Opcode ID: 1c753be8555c0af407bbc24c1b8d0eba1ba72afc8dd8ae089e3295aa949478a4
Instruction ID: bde0e47aaeffa26a24f791f8453554cb2bcef1410b2d5c6dc8c8feb313d3a879
Opcode Fuzzy Hash: 1c753be8555c0af407bbc24c1b8d0eba1ba72afc8dd8ae089e3295aa949478a4
Instruction Fuzzy Hash: 2D71AF73A18B8185EB20CF64E4403ED77A1FB88798F104221EA9C97BA9DF7DD584CB05

Function 00007FF6EBF98E80 Relevance: 3.1, APIs: 2, Instructions: 129COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF99015
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9901B

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 5b7d7fd70192a4e4944a2bb577c6d29a3e24d2c7cdd49feae3e27b0a8b6ea48b
Instruction ID: 3d1586c0be91e4554c558207aecb5804528f5a7f607a6b010d2c26c7bcf5077a
Opcode Fuzzy Hash: 5b7d7fd70192a4e4944a2bb577c6d29a3e24d2c7cdd49feae3e27b0a8b6ea48b
Instruction Fuzzy Hash: E241C163708A4185EA109F15E5043ADA262BB4DBD8F544631EE6D4B7A6CF3ED041C309

Function 00007FF6EBF99030 Relevance: 3.1, APIs: 2, Instructions: 118COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF991AC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF991B2

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: f229da4666ea8dff03910a5f1e3a89d98b16a4a07dd6be01f1c3f08d8ecc4d5b
Instruction ID: 6990f68e54af6eb6545921b90f96048659631f02731deec8a5669124cb3382e7
Opcode Fuzzy Hash: f229da4666ea8dff03910a5f1e3a89d98b16a4a07dd6be01f1c3f08d8ecc4d5b
Instruction Fuzzy Hash: 9641A173B0874285EE10AF56A9043E9A251BB0CBD4F548631DE6D4B7E6DE3ED185C30A

Function 00007FF6EBF94600 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF94745
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF94751

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: cff85fe953d420dccce08e1046e48035e46e767a6b7b4afb2ae039212143e7e5
Instruction ID: 305794cac83be8d4fff1c3d2084e3a7a54fa39c02fb221c7ff56b9a8734bf54a
Opcode Fuzzy Hash: cff85fe953d420dccce08e1046e48035e46e767a6b7b4afb2ae039212143e7e5
Instruction Fuzzy Hash: 93313763B0968644FE25AF91E5003F852819B19FE8F540231DE2D87BF6DE3EE481C34A

Function 00007FF6EBF98D10 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF98E6B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF98E71

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: acb9e5508733fae1dd540759d6bda89f7ddf5a62efa39cfbafa2fb88ad30eaba
Instruction ID: 4bab2ca751c56ab643d915cc994728a69bbab6dbc4116fcd724e6d2f998363da
Opcode Fuzzy Hash: acb9e5508733fae1dd540759d6bda89f7ddf5a62efa39cfbafa2fb88ad30eaba
Instruction Fuzzy Hash: A9312733B0878284EE15AF51E5443EDA261EB08BD4F580631DE6D4BBE6DE3DE041C309

Function 00007FF6EBFD6290 Relevance: 3.1, APIs: 2, Instructions: 107COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNEL32 ref: 00007FF6EBFD6320
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD6457

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: InformationVolume_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4269842375-0
Opcode ID: 24033c2ac7bed2f4e8f15d55fcafd191dcb30c1665651ddb7ad32a86d71ab98b
Instruction ID: e3e566a292173c1c4d966531dfe042edc0ee500813025dbd75f7390034b909be
Opcode Fuzzy Hash: 24033c2ac7bed2f4e8f15d55fcafd191dcb30c1665651ddb7ad32a86d71ab98b
Instruction Fuzzy Hash: 81519033A18B8185E710CF64E4403ED7364FB89788F504221EB8C97AA9DF79D684CB45

Function 00007FF6EBF929B0 Relevance: 3.1, APIs: 2, Instructions: 93COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF92AB2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF92AB8

Part of subcall function 00007FF6EBF7B820: __std_exception_copy.LIBVCRUNTIME ref: 00007FF6EBF7B868

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task__std_exception_copy_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2371198981-0
Opcode ID: 2d69a428c11ea821f27ff1f3d7374fd16da8ba22ab34fa477410b1d2b1653004
Instruction ID: 48e069e4f23dae8b6ea47153b6d170cf0f34cb69711277c5e763a1f84b3d79ee
Opcode Fuzzy Hash: 2d69a428c11ea821f27ff1f3d7374fd16da8ba22ab34fa477410b1d2b1653004
Instruction Fuzzy Hash: 3121F623E05B4241EA2DAF55E5403FC6290AB48BA4F244631DA7C43BE2EE7ED5D3C345

Function 00007FF6EBFE4648 Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFE466F

Part of subcall function 00007FF6EBFE4604: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFE461B

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFE4723

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 77ff38050bbf038ec147631c291faae903e00292372ea36fba1d268a897535c6
Instruction ID: 638c3dc327316168f0df3467d2c9e29debcf70edb271e6a5dbee44dd1b2f2c8f
Opcode Fuzzy Hash: 77ff38050bbf038ec147631c291faae903e00292372ea36fba1d268a897535c6
Instruction Fuzzy Hash: F431DF33A19A4282EE50EB10D4516FD6361AF99BA4F550139E61EC73F2EF3EE101C70A

Function 00007FF6EBFCD510 Relevance: 3.1, APIs: 2, Instructions: 69registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF6EBFCD561
RegCloseKey.ADVAPI32 ref: 00007FF6EBFCD573

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CloseOpen
String ID:
API String ID: 47109696-0
Opcode ID: f1dca321947a1367f0d55f51290a78f41f5e328790fa86022a41bb21031095aa
Instruction ID: 367c6470f2066decc868d23dc882f1129748c09bb3da6af06491dace98581eb4
Opcode Fuzzy Hash: f1dca321947a1367f0d55f51290a78f41f5e328790fa86022a41bb21031095aa
Instruction Fuzzy Hash: 4D21D823B18A4145EA509B25E8403FAA350EF98BD8F545231FA4D97BA9DF2ED481CB09

Function 00007FF6EBF9AE50 Relevance: 3.1, APIs: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9AEA1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9AF0A

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 3d34ab0db7fb0990d57ac02bed3557035daf76a6fef70437342f33dff0a88ccb
Instruction ID: 521bbb28714e50fe9d0ed8b582a23875ad65e228a55854cb7f5e23f3da88f228
Opcode Fuzzy Hash: 3d34ab0db7fb0990d57ac02bed3557035daf76a6fef70437342f33dff0a88ccb
Instruction Fuzzy Hash: 4F1190A3B16A8544EF48AFB5E4543BC6391EF08F98F244930DA6C87795EF2DC4908345

Function 00007FF6EBFCC7CC Relevance: 3.1, APIs: 2, Instructions: 58synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EBF8E610: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6EBF8E65A
Part of subcall function 00007FF6EBF8E610: Process32FirstW.KERNEL32 ref: 00007FF6EBF8E69C

Part of subcall function 00007FF6EBF8CA10: CredEnumerateA.ADVAPI32 ref: 00007FF6EBF8CA72

Part of subcall function 00007FF6EBFD4A30: recv.WS2_32 ref: 00007FF6EBFD4C0C

ReleaseMutex.KERNEL32 ref: 00007FF6EBFCC83B
CloseHandle.KERNEL32 ref: 00007FF6EBFCC844

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CloseCreateCredEnumerateFirstHandleMutexProcess32ReleaseSnapshotToolhelp32recv
String ID:
API String ID: 420082584-0
Opcode ID: f11b699a3200bdf963b6fe7cb1f436a7dd20cd12770bb3a4eed5e0f4a283c88b
Instruction ID: 0dc6204b4b31fb27427cfd49e34bcd9a4d965d983fd25fbff80c3ab58fe97012
Opcode Fuzzy Hash: f11b699a3200bdf963b6fe7cb1f436a7dd20cd12770bb3a4eed5e0f4a283c88b
Instruction Fuzzy Hash: 38216D13E0C68351F910B776A0663FE5240AF8D750F185A30E59ECB5F79E1FA0818A5F

Function 00007FF6EBFCC7FD Relevance: 3.0, APIs: 2, Instructions: 47synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFD4A30: recv.WS2_32 ref: 00007FF6EBFD4C0C

ReleaseMutex.KERNEL32 ref: 00007FF6EBFCC83B
CloseHandle.KERNEL32 ref: 00007FF6EBFCC844

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CloseHandleMutexReleaserecv
String ID:
API String ID: 2659716615-0
Opcode ID: 9d42044f10cd135358d729f1a28af767efc6d875bb591a1efa5037cd7f4a2a2c
Instruction ID: 7b89cca635fcaf9c1c7c0f0742dcdb6e2ef04a893b175129aeb9fedcdef1c638
Opcode Fuzzy Hash: 9d42044f10cd135358d729f1a28af767efc6d875bb591a1efa5037cd7f4a2a2c
Instruction Fuzzy Hash: 88118C13E0C68241FA10B775A0163FE5240AF8D750F185630EA9DCB6F79F2EA081CA5F

Function 00007FF6EBFF0E9C Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF6EBFF0E88,?,?,?,?,00000000,00007FF6EBFF0F91), ref: 00007FF6EBFF0EE8
GetLastError.KERNEL32(?,?,?,?,?,00007FF6EBFF0E88,?,?,?,?,00000000,00007FF6EBFF0F91), ref: 00007FF6EBFF0EF2

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 85342b8448b5f83962e520861b5040a532baca975cc467821ece28218af4e603
Instruction ID: 9b3b194f5e26f5b1dff1989f461b4ffd0688c84fd685f583c221115bac2729f1
Opcode Fuzzy Hash: 85342b8448b5f83962e520861b5040a532baca975cc467821ece28218af4e603
Instruction Fuzzy Hash: 9E11E763718B8281DE10CB25A4042A9A361EB48BF4F644331EE7D877E9DF7DD451C709

Function 00007FF6EBFFE888 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFFE8B8

Part of subcall function 00007FF6EBFFF8DC: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF6EBFFF8E5

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFFE8BE

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::bad_alloc::bad_alloc
String ID:
API String ID: 1173176844-0
Opcode ID: ad7fb39d7d0572768195cdb96d88edf57c93c5d00d8eaa663e4c704e5b7bea2c
Instruction ID: 82e21f0a1ad93b047de2d39f2cc34c440465fd48223aba2fe08c7c62b6e8945f
Opcode Fuzzy Hash: ad7fb39d7d0572768195cdb96d88edf57c93c5d00d8eaa663e4c704e5b7bea2c
Instruction Fuzzy Hash: 55E0EC12E1A10B15FD2835A265253F910400F8D770E3C1B70D97DCB3F3AE1EA496C15A

Function 00007FF6EBFED3C8 Relevance: 3.0, APIs: 2, Instructions: 18memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL ref: 00007FF6EBFED3DE
GetLastError.KERNEL32 ref: 00007FF6EBFED3E8

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: b7253a55b1276d1b57d670979138b52c86c30a15e8b70f9b8b054cc625f4c6ce
Instruction ID: f5a5c1e3fc5d6a930ea4efeeddeb8fa61a31818b531f006dfb9a2fa28a037fe1
Opcode Fuzzy Hash: b7253a55b1276d1b57d670979138b52c86c30a15e8b70f9b8b054cc625f4c6ce
Instruction Fuzzy Hash: FAE0C243F0A60282FE1867F2A8143BC02915F9C720F044034C90DD32B2FE2F6484C20E

Function 00007FF6EBF93FF0 Relevance: 1.8, APIs: 1, Instructions: 320COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFA0610: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFA0778
Part of subcall function 00007FF6EBFA0610: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA0784

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9447D

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 99a23dee99c3a2274b7ddeba9ef6eb76800722cce447ebe3384dcadd42dfb027
Instruction ID: 7214713a42a3aeb2efcc7cd97101d31bd253cf5159d5333fd080d26d7ce93ecd
Opcode Fuzzy Hash: 99a23dee99c3a2274b7ddeba9ef6eb76800722cce447ebe3384dcadd42dfb027
Instruction Fuzzy Hash: 35E15933A18A8184FB20CFA5E4503ED2761BB68B98F554136CF5D97BA9CF3AD490C349

Function 00007FF6EBF90CA0 Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF90FA7

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: d4dc96effbc9d42830f1952c9ee5ab7cd6b903e2a1abf0213b57e309d5a974ca
Instruction ID: 47a5b2939ccfdd1b36ddb252b5096dd309f02ea8a347bc35f4824d1c0aa4bb77
Opcode Fuzzy Hash: d4dc96effbc9d42830f1952c9ee5ab7cd6b903e2a1abf0213b57e309d5a974ca
Instruction Fuzzy Hash: 74B16973605A82CAEB208F75D0903EC73A1FB48B58F545632EA5D87BA8DF3AD555C304

Function 00007FF6EBFDD640 Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFDD829

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 753ac6b25466ae8614fdc00e4c28624e9b5f05847843f991b0835b1cdb834e5b
Instruction ID: f582658e9b04942e3c2d108ed3e30242d90bcd0c0a0abfe0834c1872223e9030
Opcode Fuzzy Hash: 753ac6b25466ae8614fdc00e4c28624e9b5f05847843f991b0835b1cdb834e5b
Instruction Fuzzy Hash: E751BE27F08A818AFB118F78A4003FC6371AF58748F049721DE9D77AA5DF3AA5958349

Function 00007FF6EBFED8C8 Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFED8F0

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 506399ceb7efd258d9ee9312528a7fb0108d3bcc24f039aa6e7519c78468f3b6
Instruction ID: c2b2485e0e378ce93a3c38789185e788a49f0078e5a229cd5c2770aad581553d
Opcode Fuzzy Hash: 506399ceb7efd258d9ee9312528a7fb0108d3bcc24f039aa6e7519c78468f3b6
Instruction Fuzzy Hash: 9D41C53390864587EB648F18D5413BD73A0FB5ABA0F105231DA9ED3AA1CF3EE502C75A

Function 00007FF6EBFD5FC0 Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD6147

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 1191e2e04b0b3c0e310dd91d7e63048de9958ccc4be8b9de566a62fb0c638077
Instruction ID: 0134d67eefbd26f36b63bca00992ea197913471944c85970807870f9ff9da400
Opcode Fuzzy Hash: 1191e2e04b0b3c0e310dd91d7e63048de9958ccc4be8b9de566a62fb0c638077
Instruction Fuzzy Hash: C9414973B15B488EE7008FB9E4403AC33B1E74C798F004625EE9C67B99EE3591648398

Function 00007FF6EBFF080C Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFF0892

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: a24f7c79d48368e33d7deb9d4eeecb52ce7ec7a6106812cc151fd4020b53ad0d
Instruction ID: b5f63fdbc8cadf3726d061ec0cf3175d9258bcd9128029cb4f35b36c140ac5d8
Opcode Fuzzy Hash: a24f7c79d48368e33d7deb9d4eeecb52ce7ec7a6106812cc151fd4020b53ad0d
Instruction Fuzzy Hash: 2031AF23E1864385FB516F6588413FC2690AB48BA0F620239E95D833F2DF7EE541C75A

Function 00007FF6EBF920B0 Relevance: 1.6, APIs: 1, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF921A7

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: f7c75751447ac11c5e35aee20a9c5d0e2d30382cc5caf270d6c91394aa1194c9
Instruction ID: 183fd25618d6dadd9763608e44e146fd49e4e517cca3e18a51b9d893afc69d6c
Opcode Fuzzy Hash: f7c75751447ac11c5e35aee20a9c5d0e2d30382cc5caf270d6c91394aa1194c9
Instruction Fuzzy Hash: 6B310277B09B4982EF098FA9E4902AC3365EB88F89B548432CF4D47768DF3AD495C345

Function 00007FF6EBFF4E91 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF6EBFF4EBF

Part of subcall function 00007FF6EBFF4FB8: GetModuleHandleExW.KERNEL32 ref: 00007FF6EBFF4FDD
Part of subcall function 00007FF6EBFF4FB8: GetProcAddress.KERNEL32 ref: 00007FF6EBFF4FF3
Part of subcall function 00007FF6EBFF4FB8: FreeLibrary.KERNEL32 ref: 00007FF6EBFF501A

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 9e03c0276b42d0bae273c9ceb8b8abd1e24865752fa8da44abca3c0ffcb1668a
Instruction ID: 203d2847bb6bab047e730766ae8d1ed3b288373f6f34aecdd0751533586fd491
Opcode Fuzzy Hash: 9e03c0276b42d0bae273c9ceb8b8abd1e24865752fa8da44abca3c0ffcb1668a
Instruction Fuzzy Hash: 11214C32A046468AEB648F68C4443EC37A0EB4871CF640635E72D87BE5DF79D584CB45

Function 00007FF6EC00FEF8 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EC00FF1B

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4bdd7c7df9abbb715da046ae302baf4d590079e7e30464498c50f0bf6b7ea38d
Instruction ID: 80e689f72d00035024adf00029e98b39192eb820bf486b1e0aaff37c7f40e256
Opcode Fuzzy Hash: 4bdd7c7df9abbb715da046ae302baf4d590079e7e30464498c50f0bf6b7ea38d
Instruction Fuzzy Hash: 48218073A18A4287DB618F18D44137A77A0EF85B94F554234E65D876D9EF3ED400CB05

Function 00007FF6EC00E200 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EC00E15D

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction ID: efd0cba991475629bb9ca069d2bb533cf6ac47a221cae4e746953613a4f4b58b
Opcode Fuzzy Hash: 277766cc613ac521deff1262cc5973a4c6dda0ce244441028124d0478fb53980
Instruction Fuzzy Hash: B7115133A1D64181EA609F1194013FEA260BF89F90F454835EADCA7AA7EF3FD500C74A

Function 00007FF6EBF7F380 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF7F3E3

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 554b7db7ea9ca0f42748f15c58d51ccebd3c07419b982c2e64439f92371340d5
Instruction ID: ab29549aeda1cd1275b1b3b0d569933ae79717a86d93afe938ce93a80bd15acb
Opcode Fuzzy Hash: 554b7db7ea9ca0f42748f15c58d51ccebd3c07419b982c2e64439f92371340d5
Instruction Fuzzy Hash: 82F0AFA3A25AC541EB459B24E0043BC2351AB48F88F600471CA9C4B6E6DFBEC495C349

Function 00007FF6EBFD0E00 Relevance: 1.5, APIs: 1, Instructions: 38networkCOMMON

Download Yara Rule

APIs

send.WS2_32 ref: 00007FF6EBFD0E48

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 10723b900c3d3fb221c2729e0f2ab508e71a113b43aaaf7fd55bda6ca2804ccb
Instruction ID: b103b272d2bdb8854b20a32ce6537ed97fb42703d3edd7ed60ee7bd132d5cb7f
Opcode Fuzzy Hash: 10723b900c3d3fb221c2729e0f2ab508e71a113b43aaaf7fd55bda6ca2804ccb
Instruction Fuzzy Hash: 6A01F222B18A8181DB108F26F950669A7A0FB8CFD4F485234EE5D83B58DF39C8418B04

Function 00007FF6EBF87633 Relevance: 1.5, APIs: 1, Instructions: 33fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE ref: 00007FF6EBF87676

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 752fe5805e453647425062ce64daa4e53c54a82ad0d646f83825288564bb7983
Instruction ID: 75cf034b5c5251da4a6f0a033f3f1f1a85629eedd077bd93fee4c99a30ee87ad
Opcode Fuzzy Hash: 752fe5805e453647425062ce64daa4e53c54a82ad0d646f83825288564bb7983
Instruction Fuzzy Hash: C001442761C98190EA70CB56F4543AA6364F788B94F440032DE8D93B69DF3ED886CB04

Function 00007FF6EBFE7374 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFE7393

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction ID: da3d01b67f426954d89b630fe96282046ea4798338273bb65c97dc11f07e17f7
Opcode Fuzzy Hash: 68ea0e6e30933e9dd76abf56f21314c638998a57c534cc3687c594a1fb5b02e7
Instruction Fuzzy Hash: 82E06D33E19A4285EBA56BA992412BC61506F487B0F544331EB3C836E6DE3A9460871A

Function 00007FF6EC00B4C0 Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,?,?,00007FF6EBF7E409), ref: 00007FF6EC00B4C4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 4104833be8186ecfced91f05a1dc286f8d4e1ac7fad94ea37a2bf5d234dce428
Instruction ID: 358172623b2513cb882f0d3c298832f85b6fa1bc66bfd9cc4d5bc71a532bc8be
Opcode Fuzzy Hash: 4104833be8186ecfced91f05a1dc286f8d4e1ac7fad94ea37a2bf5d234dce428
Instruction Fuzzy Hash: EBC04C16F1D542D1E6581B625C9226211D45B54B21F440430C508C1151EF1F91D6CA1A

Function 00007FF6EC00D0B4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetNativeSystemInfo.KERNEL32 ref: 00007FF6EC00D0BD

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: ebb3c2d15c06801dfe805b6087078b0f501a5fe9f8c446694f4975735c5f9cad
Instruction ID: 976cf1bb6cc96f4ab8bc3e538abd6f49fb13df750a8eda4246582542b874af3e
Opcode Fuzzy Hash: ebb3c2d15c06801dfe805b6087078b0f501a5fe9f8c446694f4975735c5f9cad
Instruction Fuzzy Hash: 58B09B36E148C0C3C511EB04D8510157331F79470DFD00010D24D42615DF1DD515CE04

Function 00007FF6EBFEE8BC Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32 ref: 00007FF6EBFEE8FA

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: eba47d0c810211a009f984e3ce810decee2d7cb9fb39a7e87e15bbee8ef19542
Instruction ID: 2529c9a31ea8f646ec4b7b3e446893d5e6b7e6d3e94eed55a49ba5abc10a4a14
Opcode Fuzzy Hash: eba47d0c810211a009f984e3ce810decee2d7cb9fb39a7e87e15bbee8ef19542
Instruction Fuzzy Hash: 45F05E23B0920644FE9466A178207FD22815F8C770F484230D92EC72E2DE2EE480C21A

Non-executed Functions

Function 00007FF6EBFD0E90 Relevance: 63.9, APIs: 31, Strings: 4, Instructions: 2698COMMON

Download Yara Rule

Strings

type must be string, but is , xrefs: 00007FF6EBFD443D, 00007FF6EBFD44ED, 00007FF6EBFD45B1, 00007FF6EBFD460B
cannot compare iterators of different containers, xrefs: 00007FF6EBFD447F, 00007FF6EBFD452F, 00007FF6EBFD465F
cannot use push_back() with , xrefs: 00007FF6EBFD43D3
value, xrefs: 00007FF6EBFD16C8

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: cannot compare iterators of different containers$cannot use push_back() with $type must be string, but is $value
API String ID: 73155330-2711811579
Opcode ID: d0719c5418f008686ca9cf5146cdc412f2d75a86e3b203137f9a55923ab0c254
Instruction ID: a0f6b3fe0a6564f4785db6f1eb897b98cf004550227fb6d2adf9cc005dfad99b
Opcode Fuzzy Hash: d0719c5418f008686ca9cf5146cdc412f2d75a86e3b203137f9a55923ab0c254
Instruction Fuzzy Hash: 24538F73A04BC689DB709F24D8803ED23A0FB49758F409635DA5D9BBA9EF39D284C705

Function 00007FF6EBFA7CEB Relevance: 45.1, APIs: 11, Strings: 14, Instructions: 1339COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA9209
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA91DC

Part of subcall function 00007FF6EBF7BA80: __std_exception_copy.LIBVCRUNTIME ref: 00007FF6EBF7BAC3

Part of subcall function 00007FF6EC000E88: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6EC00C3D2), ref: 00007FF6EC000ED8
Part of subcall function 00007FF6EC000E88: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6EC00C3D2), ref: 00007FF6EC000F19

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA92D2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA92D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA92DE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA92E4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFA9311
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA938C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA9392
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFA93E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA943A

Strings

key declared, but no value, xrefs: 00007FF6EBFA925D, 00007FF6EBFA9284, 00007FF6EBFA9398
unexpected '}', xrefs: 00007FF6EBFA9413
key opened, but never closed, xrefs: 00007FF6EBFA93BF
", xrefs: 00007FF6EBFA80D3
word wasnt properly ended, xrefs: 00007FF6EBFA9365, 00007FF6EBFA93EC
quote was opened but not closed., xrefs: 00007FF6EBFA9236, 00007FF6EBFA92AB
#include, xrefs: 00007FF6EBFA866A
/, xrefs: 00007FF6EBFA7ED3
#base, xrefs: 00007FF6EBFA8696
*, xrefs: 00007FF6EBFA7EFE
No closed word, xrefs: 00007FF6EBFA9317, 00007FF6EBFA933E
object is not closed with '}', xrefs: 00007FF6EBFA920F
Unexpected eof, xrefs: 00007FF6EBFA91E2
unexpected key without object, xrefs: 00007FF6EBFA92EA

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task$ExceptionFileHeaderRaise__std_exception_copy
String ID: "$#base$#include$*$/$No closed word$Unexpected eof$key declared, but no value$key opened, but never closed$object is not closed with '}'$quote was opened but not closed.$unexpected '}'$unexpected key without object$word wasnt properly ended
API String ID: 1861853482-3561477107
Opcode ID: 799aef1f6f9097462206881b47845b806dc41db112fb01f7a86afa31b7bee32f
Instruction ID: b2d5d21502d9a55efa77f2da736000d653b25057c6e8d61ad41c9ebd67389c99
Opcode Fuzzy Hash: 799aef1f6f9097462206881b47845b806dc41db112fb01f7a86afa31b7bee32f
Instruction Fuzzy Hash: 65D2C473A09BC685EB759F24C8503FC23A1FB48788F448131CA5D8BAA9DF79D685C706

Function 00007FF6EBF87E70 Relevance: 31.1, APIs: 15, Strings: 2, Instructions: 1357COMMON

Download Yara Rule

Strings

Software, xrefs: 00007FF6EBF882ED, 00007FF6EBF884BB
exists, xrefs: 00007FF6EBF89441

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: Software$exists
API String ID: 0-2364128853
Opcode ID: 3b7153b56b37cf3a74ea77418dd2f4322d64642f8a990d637fac1f4450f4d51d
Instruction ID: 1804148c5ad7abb8413aa67a68cdef2f2d7eec0b8e6b79281b6d2b5a970ac6bb
Opcode Fuzzy Hash: 3b7153b56b37cf3a74ea77418dd2f4322d64642f8a990d637fac1f4450f4d51d
Instruction Fuzzy Hash: 81D29073A14BC58AEB21CF25D8403ED73A0FB89798F105221EA9D97BA9DF79D580C305

Function 00007FF6EBF8ADD0 Relevance: 28.9, APIs: 10, Strings: 6, Instructions: 919COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BEA3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BEDF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BEE5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BEEB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BEF1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BEF7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BF03
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BF09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BF0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8BF31

Strings

filename, xrefs: 00007FF6EBF8B939
files, xrefs: 00007FF6EBF8BC35
content, xrefs: 00007FF6EBF8BAB2
exists, xrefs: 00007FF6EBF8BEB7, 00007FF6EBF8BED2
directory_iterator::directory_iterator, xrefs: 00007FF6EBF8BF24
key, xrefs: 00007FF6EBF8B33D, 00007FF6EBF8B51D

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: content$directory_iterator::directory_iterator$exists$filename$files$key
API String ID: 3668304517-2980817763
Opcode ID: 9649f2ffd3fee09ab759c6b265c90b8e1995531e4d45c1de8a47d26890731f80
Instruction ID: 0d16db9190ac610bd422c617fb4131ec272696c0cb808d306e9ecdfdc0cd9e68
Opcode Fuzzy Hash: 9649f2ffd3fee09ab759c6b265c90b8e1995531e4d45c1de8a47d26890731f80
Instruction Fuzzy Hash: A1A29F73A14BC589DB218F35D8843ED33A1FB89758F404625EA9C4BBAADF79D280C345

Function 00007FF6EBFD9D30 Relevance: 26.6, APIs: 12, Strings: 3, Instructions: 351nativelibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF6EBFD9D76
GetProcAddress.KERNEL32 ref: 00007FF6EBFD9D86
OpenProcess.KERNEL32 ref: 00007FF6EBFD9DB8
NtQuerySystemInformation.NTDLL ref: 00007FF6EBFD9DE0
NtQuerySystemInformation.NTDLL ref: 00007FF6EBFD9E0E
GetCurrentProcess.KERNEL32 ref: 00007FF6EBFD9ED3
NtQueryObject.NTDLL ref: 00007FF6EBFD9F19
GetFinalPathNameByHandleA.KERNEL32 ref: 00007FF6EBFDA00D
CloseHandle.KERNEL32 ref: 00007FF6EBFDA128
CloseHandle.KERNEL32 ref: 00007FF6EBFDA1B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFDA245
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFDA24B

Strings

File, xrefs: 00007FF6EBFD9F4A
NtDuplicateObject, xrefs: 00007FF6EBFD9D7F
ntdll.dll, xrefs: 00007FF6EBFD9D6F

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Handle$Query$CloseInformationProcessSystem_invalid_parameter_noinfo_noreturn$AddressCurrentFinalModuleNameObjectOpenPathProc
String ID: File$NtDuplicateObject$ntdll.dll
API String ID: 1269246921-3955674919
Opcode ID: 7f25dccb0f32d932e33b43ccaed584e183ce49f1311762ec94acd30fa40f03ec
Instruction ID: 14678251f1e65acaf61395a8300803ec1185a1474b8f30e6bb2ddd56b7c23589
Opcode Fuzzy Hash: 7f25dccb0f32d932e33b43ccaed584e183ce49f1311762ec94acd30fa40f03ec
Instruction Fuzzy Hash: 69E1CF63B18A8589FB00CBA5E4143FC23A1AB49B98F008131DF5D97BA9DF3ED549C749

Function 00007FF6EBF55DB0 Relevance: 25.2, Strings: 20, Instructions: 202COMMON

Download Yara Rule

Strings

$windows.~bt, xrefs: 00007FF6EBF55F0E
Windows.old, xrefs: 00007FF6EBF55EE8
$winreagent, xrefs: 00007FF6EBF55F5D
ProgramData, xrefs: 00007FF6EBF56045
$windows.~ws, xrefs: 00007FF6EBF55F89
Program Files (x86), xrefs: 00007FF6EBF56101
ntldr, xrefs: 00007FF6EBF56016
Boot, xrefs: 00007FF6EBF55E50
Windows, xrefs: 00007FF6EBF55E01
Application Data, xrefs: 00007FF6EBF55E9C
config.msi, xrefs: 00007FF6EBF55EC2
Windows.~bt, xrefs: 00007FF6EBF55FB8
#recycle, xrefs: 00007FF6EBF55E29
System Volume Information, xrefs: 00007FF6EBF55E76
All users, xrefs: 00007FF6EBF56074
bootmgr, xrefs: 00007FF6EBF560A3
AppData, xrefs: 00007FF6EBF55FE7
Program Files, xrefs: 00007FF6EBF560D2
PerfLogs, xrefs: 00007FF6EBF55F34
$recycle.bin, xrefs: 00007FF6EBF55DD8

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: #recycle$$recycle.bin$$windows.~bt$$windows.~ws$$winreagent$All users$AppData$Application Data$Boot$PerfLogs$Program Files$Program Files (x86)$ProgramData$System Volume Information$Windows$Windows.old$Windows.~bt$bootmgr$config.msi$ntldr
API String ID: 73155330-2722463023
Opcode ID: 7d392a795bfbfd6594683dd8fb9872c8abf8b0b593989480866b32def73f354a
Instruction ID: f0aff3c9386e26ee966810e8caa3d37a3cd9e3e95cab68d4444350a6d2a45b65
Opcode Fuzzy Hash: 7d392a795bfbfd6594683dd8fb9872c8abf8b0b593989480866b32def73f354a
Instruction Fuzzy Hash: 3FA1A263D64FCA94E710CB35D8823F55361FBEA344F506326E98CA2866EF69E2C0C345

Function 00007FF6EBFC4D40 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 219COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32 ref: 00007FF6EBFC4D9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFC513A

Strings

@, xrefs: 00007FF6EBFC4F26

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Initialize_invalid_parameter_noinfo_noreturn
String ID: @
API String ID: 3490963316-2766056989
Opcode ID: 6301cce65992a297ac26bc8e5f4cb950baf5d96f16c96050c5b4453803ed6c23
Instruction ID: e241a8b6fe969ec2a9580680dc82f46a481f20bf37504200360d1b49c0314fe8
Opcode Fuzzy Hash: 6301cce65992a297ac26bc8e5f4cb950baf5d96f16c96050c5b4453803ed6c23
Instruction Fuzzy Hash: 0BA18E33B18A418AE710CF64E4113AD77B1FB88758F004235DE5E97AA5EF3AD194C749

Function 00007FF6EBF80E80 Relevance: 23.5, APIs: 8, Strings: 5, Instructions: 747COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF81AD3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF81AEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF81B05
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF81B1B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF81B21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF81B3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF81B45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF81B4B

Part of subcall function 00007FF6EBF7D370: __std_fs_code_page.LIBCPMT ref: 00007FF6EBF7D3A7
Part of subcall function 00007FF6EBF7D370: __std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF6EBF7D3EE
Part of subcall function 00007FF6EBF7D370: __std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF6EBF7D42A

Strings

filename, xrefs: 00007FF6EBF8142E
content, xrefs: 00007FF6EBF814E6
status, xrefs: 00007FF6EBF81AF8, 00007FF6EBF81B0E
exists, xrefs: 00007FF6EBF81AC6
directory_iterator::directory_iterator, xrefs: 00007FF6EBF81AE2, 00007FF6EBF81B32

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_convert_wide_to_narrow$__std_fs_code_page
String ID: content$directory_iterator::directory_iterator$exists$filename$status
API String ID: 2212124024-3429737954
Opcode ID: 91316b43dceaabf7e04d41864d2dd13ee4932e04657a8589823a74b24cde9157
Instruction ID: aec3ac0eb712618bb56fc98343ca3b9d674ab75c153705eca900b67e9cc3e4f6
Opcode Fuzzy Hash: 91316b43dceaabf7e04d41864d2dd13ee4932e04657a8589823a74b24cde9157
Instruction Fuzzy Hash: 61729033A15BC285EB219F25D8803ED6360FB8D798F444232DA9D87BA9DF79D684C305

Function 00007FF6EBF8BF40 Relevance: 21.6, APIs: 8, Strings: 4, Instructions: 609COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8C9A3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8C9C4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8C9E0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8C9E6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8C9EC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8C9F2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8C9F8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF8C9FE

Strings

filename, xrefs: 00007FF6EBF8C4F9
content, xrefs: 00007FF6EBF8C69F
exists, xrefs: 00007FF6EBF8C9B7
directory_iterator::directory_iterator, xrefs: 00007FF6EBF8C9D3

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: content$directory_iterator::directory_iterator$exists$filename
API String ID: 3668304517-1400943384
Opcode ID: f854aea802de4000c67eb3354c4d53a8e90241fa0fafa1c2e9f1c207d3dd868d
Instruction ID: f2432cf4ab33b2dcaede8741bd3f6c076bde00ac396d0e60cb12978955cec8be
Opcode Fuzzy Hash: f854aea802de4000c67eb3354c4d53a8e90241fa0fafa1c2e9f1c207d3dd868d
Instruction Fuzzy Hash: 8052A173A18BC189EB608F25E8803ED73A1FB89798F005231EA9D57BA9DF79D540C345

Function 00007FF6EBFDA780 Relevance: 16.6, APIs: 8, Strings: 1, Instructions: 839stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFDA430: RtlAcquirePebLock.NTDLL ref: 00007FF6EBFDA473
Part of subcall function 00007FF6EBFDA430: NtAllocateVirtualMemory.NTDLL ref: 00007FF6EBFDA4AB
Part of subcall function 00007FF6EBFDA430: lstrcpyW.KERNEL32 ref: 00007FF6EBFDA50D
Part of subcall function 00007FF6EBFDA430: lstrcatW.KERNEL32 ref: 00007FF6EBFDA5C2

CoInitializeEx.OLE32 ref: 00007FF6EBFDA7EA
lstrcpyW.KERNEL32 ref: 00007FF6EBFDA9C9
lstrcatW.KERNEL32 ref: 00007FF6EBFDABCE
CoGetObject.OLE32 ref: 00007FF6EBFDABEC
lstrcpyW.KERNEL32 ref: 00007FF6EBFDB269
lstrcatW.KERNEL32 ref: 00007FF6EBFDB48C
CoGetObject.OLE32 ref: 00007FF6EBFDB4AA
CoUninitialize.OLE32 ref: 00007FF6EBFDB972

Strings

0, xrefs: 00007FF6EBFDB0AA

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: lstrcatlstrcpy$Object$AcquireAllocateInitializeLockMemoryUninitializeVirtual
String ID: 0
API String ID: 3636535045-4108050209
Opcode ID: 0902a0343fdc6246b23ac9e8b2963860140ecb12f80d28b06803a63a8b2f31ad
Instruction ID: 4569b13846addacd6eef49ecbf69989a2d05ed625102050f611ab22e4cbc3aea
Opcode Fuzzy Hash: 0902a0343fdc6246b23ac9e8b2963860140ecb12f80d28b06803a63a8b2f31ad
Instruction Fuzzy Hash: B4B2893662AF988AD7808F69F88165EB3B5F788B84B106215FECD57B18EF38C154C744

Function 00007FF6EBFA1AF0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FF6EBFA1D4E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA1DE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA1DE9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA1DEF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA1DF5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA1DFB

Strings

parse_error, xrefs: 00007FF6EBFA1B7E

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: parse_error
API String ID: 1944019136-3903021949
Opcode ID: 6a65c25fb3c11bf1777165cb4e3ab94cb82028f61fa7738f7c2cb4c2b260b402
Instruction ID: 9eafc4fcf410c2cae63ebe0499bc1bbe64cbff4c56861802f388bee5d3808341
Opcode Fuzzy Hash: 6a65c25fb3c11bf1777165cb4e3ab94cb82028f61fa7738f7c2cb4c2b260b402
Instruction Fuzzy Hash: 72A18063F14B8189EB10DF65E4403ED6361EB49798F105731EA5C57AEAEF3AD280C349

Function 00007FF6EBFF8C04 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFE9EEC: GetLastError.KERNEL32 ref: 00007FF6EBFE9EFB
Part of subcall function 00007FF6EBFE9EEC: FlsGetValue.KERNEL32 ref: 00007FF6EBFE9F10
Part of subcall function 00007FF6EBFE9EEC: SetLastError.KERNEL32 ref: 00007FF6EBFE9F9B

TranslateName.LIBCMT ref: 00007FF6EBFF8C6E
TranslateName.LIBCMT ref: 00007FF6EBFF8CA9
GetACP.KERNEL32 ref: 00007FF6EBFF8CF0
IsValidCodePage.KERNEL32 ref: 00007FF6EBFF8D28
GetLocaleInfoW.KERNEL32 ref: 00007FF6EBFF8EE5

Strings

utf8, xrefs: 00007FF6EBFF8E0C

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 41343eb44851c0e8f8055f3926715ba520ae6846787d1c3cb08d70e80e5c003e
Instruction ID: 3978e831d22657132478252404c708bae0a38af9f89b8245e7b495681fe45b44
Opcode Fuzzy Hash: 41343eb44851c0e8f8055f3926715ba520ae6846787d1c3cb08d70e80e5c003e
Instruction Fuzzy Hash: 0891AB33A08742C5EB66AF21D4513F923A5EF48B80F648131DA5C877A6EF3EE541C30A

Function 00007FF6EBFF964C Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFE9EEC: GetLastError.KERNEL32 ref: 00007FF6EBFE9EFB
Part of subcall function 00007FF6EBFE9EEC: FlsGetValue.KERNEL32 ref: 00007FF6EBFE9F10
Part of subcall function 00007FF6EBFE9EEC: SetLastError.KERNEL32 ref: 00007FF6EBFE9F9B

Part of subcall function 00007FF6EBFE9EEC: FlsSetValue.KERNEL32 ref: 00007FF6EBFE9F31

GetUserDefaultLCID.KERNEL32 ref: 00007FF6EBFF97BC

Part of subcall function 00007FF6EBFE9EEC: FlsSetValue.KERNEL32 ref: 00007FF6EBFE9F5E
Part of subcall function 00007FF6EBFE9EEC: FlsSetValue.KERNEL32 ref: 00007FF6EBFE9F6F
Part of subcall function 00007FF6EBFE9EEC: FlsSetValue.KERNEL32 ref: 00007FF6EBFE9F80

EnumSystemLocalesW.KERNEL32 ref: 00007FF6EBFF97A3
ProcessCodePage.LIBCMT ref: 00007FF6EBFF97E6
IsValidCodePage.KERNEL32 ref: 00007FF6EBFF97F8
IsValidLocale.KERNEL32 ref: 00007FF6EBFF980E
GetLocaleInfoW.KERNEL32 ref: 00007FF6EBFF986A
GetLocaleInfoW.KERNEL32 ref: 00007FF6EBFF9886

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 35311c5f5cbb088db9cafc063da405a92d1dac0a49a1e36eea51d3b328654a2c
Instruction ID: 32a4494f1588e198a2280bae9af4392c15d208187bcd7dfcb5ea86406e07a9c3
Opcode Fuzzy Hash: 35311c5f5cbb088db9cafc063da405a92d1dac0a49a1e36eea51d3b328654a2c
Instruction Fuzzy Hash: B6714733F0870289EF549F60D8507F823A5AF48B48FA48535CA1D936A5EF3EE845C35A

Function 00007FF6EBFE7F68 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF6EBFE7FE1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF6EBFE7FF9
RtlVirtualUnwind.KERNEL32 ref: 00007FF6EBFE8034
IsDebuggerPresent.KERNEL32 ref: 00007FF6EBFE806D
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF6EBFE8077
UnhandledExceptionFilter.KERNEL32 ref: 00007FF6EBFE8082

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: 518a55c6435702555d938cb12e0853557d9473da796008457dbc6bc20602c87e
Instruction ID: e84c7f38b3b3868bffdef0f8da0c1be31ff0e7b2a992c1a9c486f4a9a79e2477
Opcode Fuzzy Hash: 518a55c6435702555d938cb12e0853557d9473da796008457dbc6bc20602c87e
Instruction Fuzzy Hash: 31317F33608B8185DB64CF25E8503AE73A4FB89798F500136EB8D83BA5EF3AD545CB05

Function 00007FF6EBF570E0 Relevance: 8.7, Strings: 2, Instructions: 6192COMMON

Download Yara Rule

Strings

0| , xrefs: 00007FF6EBF5A83D
\| , xrefs: 00007FF6EBF5C52D

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: 0| $\|
API String ID: 0-2050777373
Opcode ID: ad8b8a06ee8e7dbd9eb0ed87f328e0d9eefed4ef2557dac10ab3baeca558fbf1
Instruction ID: 7b399740a6a304b916e75aff972e4728dfea9e484d1e864382b445168961d446
Opcode Fuzzy Hash: ad8b8a06ee8e7dbd9eb0ed87f328e0d9eefed4ef2557dac10ab3baeca558fbf1
Instruction Fuzzy Hash: 2104E032915BC489D7359F39EC853E977A4F79978CF006225EB8C5AB29EF3493A08305

Function 00007FF6EBFB0AC0 Relevance: 8.0, APIs: 5, Instructions: 470COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFB0B3B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFB0B41

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 18f67507a347af2e506a4d9ce346a33afe5810cc4d1d15b5aba21bf871a9060d
Instruction ID: 50cbe0f8c1fbc8c8ee492430741847a8dca2591251c5100f49c12bace5fc5c42
Opcode Fuzzy Hash: 18f67507a347af2e506a4d9ce346a33afe5810cc4d1d15b5aba21bf871a9060d
Instruction Fuzzy Hash: 0102CD63B15B8285EB20CF65D4803EE7361EB4CB98F048232DE9C977A9DE39E591C345

Function 00007FF6EBF83A30 Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 699COMMON

Download Yara Rule

Strings

filename, xrefs: 00007FF6EBF84624
content, xrefs: 00007FF6EBF84749
ios_base::badbit set, xrefs: 00007FF6EBF84A48, 00007FF6EBF84A8C

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Crypt$AlgorithmProvider$CloseGenerateOpenPropertySymmetric_invalid_parameter_noinfo_noreturn
String ID: content$filename$ios_base::badbit set
API String ID: 3077847781-879919306
Opcode ID: 6e94e060122cfcc206018a54e50cb69dc838f32e9354242d1e19bd33f96211b6
Instruction ID: bb2c86fc9c53f07f4451b2e70a11b9e4e6c6d3ccaed9a44bc9c7122470badda7
Opcode Fuzzy Hash: 6e94e060122cfcc206018a54e50cb69dc838f32e9354242d1e19bd33f96211b6
Instruction Fuzzy Hash: 3E82F13251DBC595EAB18B14E8803EAB3A4F7C8340F505226DACD83BA9EF79C594CB04

Function 00007FF6EBFC8B00 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 529COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFC8E11
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFC912D

Strings

%, xrefs: 00007FF6EBFC9164
+, xrefs: 00007FF6EBFC917F

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %$+
API String ID: 3668304517-2626897407
Opcode ID: 2a9587413e2d48aa4d17cad7d7e1d710b4a5cce885f46ec7b2e442a08a5377da
Instruction ID: 9b3eae2d85245859912c00f689ce34ea1a7e6b451275fbf4c38f59cfb21cd927
Opcode Fuzzy Hash: 2a9587413e2d48aa4d17cad7d7e1d710b4a5cce885f46ec7b2e442a08a5377da
Instruction Fuzzy Hash: 8D221423B18A818AFB22CB65D4403FD6761AB58788F044231DE4D9BBE9DF3DD485C74A

Function 00007FF6EBFE9038 Relevance: 6.1, APIs: 4, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 00007FF6EBFE908F
GetSystemInfo.KERNEL32 ref: 00007FF6EBFE90A8
VirtualAlloc.KERNEL32 ref: 00007FF6EBFE9116
VirtualProtect.KERNEL32 ref: 00007FF6EBFE9131

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 6131e7ac5c004b666fb02de1823fa69e50ababb2f1d6eff18536aed83fe204ab
Instruction ID: a47bb95a8bd3531b3e4d4c5094dd10e7083c87fb06c7cefdf43f4fd92b2d60e3
Opcode Fuzzy Hash: 6131e7ac5c004b666fb02de1823fa69e50ababb2f1d6eff18536aed83fe204ab
Instruction Fuzzy Hash: BC316833714A819EEB20CF31D8547E823A5FB48B98F948025EA4D87B59DF3AE645C705

Function 00007FF6EBFF36A8 Relevance: 5.5, APIs: 3, Instructions: 1005COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFF3ADE
_get_daylight.LIBCMT ref: 00007FF6EBFF3B79
_get_daylight.LIBCMT ref: 00007FF6EBFF3B92

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID:
API String ID: 1286766494-0
Opcode ID: 91154ea289c3556cf103cf6e37fc2ba0624cd5322ab1aec8ddf48183395d8b30
Instruction ID: 601c1c84671ae73e17a93e783c9320756db177eb86274432b4ef9ca44314a3ca
Opcode Fuzzy Hash: 91154ea289c3556cf103cf6e37fc2ba0624cd5322ab1aec8ddf48183395d8b30
Instruction Fuzzy Hash: F392D133A0868686EB648F2596502BD77A5FF49784F244135DB8D87BB4DF3ED510C30A

Function 00007FF6EBFC8020 Relevance: 4.7, APIs: 3, Instructions: 248COMMON

Download Yara Rule

APIs

BCryptDecrypt.BCRYPT ref: 00007FF6EBFC81E0

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CryptDecrypt
String ID:
API String ID: 2620231605-0
Opcode ID: 53ff8f15f52a4dad002d02071431e1ae472ef2918a40c303ed80889b4daa44ad
Instruction ID: 68df2f4ce992d2b214dd1171a2dc081775614261493978bea9490416edb6e08c
Opcode Fuzzy Hash: 53ff8f15f52a4dad002d02071431e1ae472ef2918a40c303ed80889b4daa44ad
Instruction Fuzzy Hash: F4B18A73E08B819AE711CB64E4143BD37A1E74878CF018226DE4C4BAA9DF7AD199C709

Function 00007FF6EBFD6540 Relevance: 4.7, APIs: 3, Instructions: 187COMMON

Download Yara Rule

APIs

EnumDisplayDevicesW.USER32 ref: 00007FF6EBFD6657
EnumDisplayDevicesW.USER32 ref: 00007FF6EBFD66FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD684F

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: DevicesDisplayEnum$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2655931952-0
Opcode ID: c108eed3e8d4d35de98e63ec076e666f2f7a86b78baa1b258911472a2c54d96a
Instruction ID: 9fedefb9b5b182a94ec6cf47563513cd7d17f711608afc8e90b255e0ad8e85c9
Opcode Fuzzy Hash: c108eed3e8d4d35de98e63ec076e666f2f7a86b78baa1b258911472a2c54d96a
Instruction Fuzzy Hash: 8881DD33A18B8586E720CF25E8403AE77A5F788788F505225EE9C57BA8DF3DD181CB04

Function 00007FF6EBFF90C8 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFE9EEC: GetLastError.KERNEL32 ref: 00007FF6EBFE9EFB
Part of subcall function 00007FF6EBFE9EEC: FlsGetValue.KERNEL32 ref: 00007FF6EBFE9F10
Part of subcall function 00007FF6EBFE9EEC: SetLastError.KERNEL32 ref: 00007FF6EBFE9F9B

Part of subcall function 00007FF6EBFE9EEC: FlsSetValue.KERNEL32 ref: 00007FF6EBFE9F31

GetLocaleInfoW.KERNEL32 ref: 00007FF6EBFF9134

Part of subcall function 00007FF6EBFDFBA0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFDFBBD

GetLocaleInfoW.KERNEL32 ref: 00007FF6EBFF917D

Part of subcall function 00007FF6EBFDFBA0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFDFC16

GetLocaleInfoW.KERNEL32 ref: 00007FF6EBFF9245

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 8cdfe7f1b5fd9999da327c4f4609675d5690c7bae2d768c40d9912784c01383a
Instruction ID: 15029595dbce43ab05f0d041b6e970067d33a3cdf0e1a9142c99bff0c6316ce7
Opcode Fuzzy Hash: 8cdfe7f1b5fd9999da327c4f4609675d5690c7bae2d768c40d9912784c01383a
Instruction Fuzzy Hash: 45618D33A085428AEB249F11E5503F973A2FB98744F548135CB9ED3AA1DF3EE551C70A

Function 00007FF6EBF87C20 Relevance: 4.6, APIs: 3, Instructions: 145encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32 ref: 00007FF6EBF87CAD
LocalFree.KERNEL32 ref: 00007FF6EBF87D3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF87E26

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CryptDataFreeLocalUnprotect_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2610421622-0
Opcode ID: e5360f3d140a921f7379d2b2b326bf004e0d324b5271c99d0bbab57465024cd6
Instruction ID: c3262c417120355dc704713b2b2d8ec139537c250734e40f33f1fb67276ae4c1
Opcode Fuzzy Hash: e5360f3d140a921f7379d2b2b326bf004e0d324b5271c99d0bbab57465024cd6
Instruction Fuzzy Hash: 42617733F18A808AE710DF75E4413EC73A1EB5978CF008225EA8C57A9ADF7AD594C348

Function 00007FF6EBFEF0D8 Relevance: 3.9, Strings: 3, Instructions: 144COMMON

Download Yara Rule

Strings

-, xrefs: 00007FF6EBFEF237
e+000, xrefs: 00007FF6EBFEF1E5
gfff, xrefs: 00007FF6EBFEF262

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: -$e+000$gfff
API String ID: 0-2620144452
Opcode ID: c7e19593615f5b016f33edca04d76eabfb088503034d3aa1c419b3a715446e94
Instruction ID: c45b93bdf922c9ebc230979f85c1d4028c50081962d76b55918a5ab98dbe65a9
Opcode Fuzzy Hash: c7e19593615f5b016f33edca04d76eabfb088503034d3aa1c419b3a715446e94
Instruction Fuzzy Hash: E0516867B286C546F7258E35D8007BDB791E748BA4F488231DBA8C7AE5CF3ED4008706

Function 00007FF6EBFEE020 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32 ref: 00007FF6EBFEE094

Strings

GetLocaleInfoEx, xrefs: 00007FF6EBFEE03C, 00007FF6EBFEE04D

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 099550578a3a416ea78b7fa52ed638fc0f733537aeae7f3447c0ea0cdfd8c17a
Instruction ID: f59f1cbd85e2e0252bc29c267ea3e0053525356a973aadcb62485829ff8604f8
Opcode Fuzzy Hash: 099550578a3a416ea78b7fa52ed638fc0f733537aeae7f3447c0ea0cdfd8c17a
Instruction Fuzzy Hash: 0801A726B0C68185EB848B5AF4102BAA761FF8CBD0F544035DE4D93BAACF3ED501C349

Function 00007FF6EBFFC128 Relevance: 3.2, APIs: 2, Instructions: 208COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6EBFFC1CD
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFFC38F

Part of subcall function 00007FF6EBFEDA30: HeapAlloc.KERNEL32(?,?,00000000,00007FF6EBFEA0C6,?,?,-2723E8D8DEBC5093,00007FF6EBFE4E71,?,?,?,?,00007FF6EBFED3FC), ref: 00007FF6EBFEDA85

Part of subcall function 00007FF6EBFED3C8: RtlFreeHeap.NTDLL ref: 00007FF6EBFED3DE
Part of subcall function 00007FF6EBFED3C8: GetLastError.KERNEL32 ref: 00007FF6EBFED3E8

Part of subcall function 00007FF6EBFFD894: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFFD8C7

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ErrorHeapLast_invalid_parameter_noinfo$AllocFree
String ID:
API String ID: 749460637-0
Opcode ID: 27640a1b4452658f619c330b6942f42c57ed7cbddb1e0b5935f25c2a2fe2ad05
Instruction ID: 74cf48da633deaaba1109c99192da6bd1613a04f4d2ae9e246c4a008c380fa51
Opcode Fuzzy Hash: 27640a1b4452658f619c330b6942f42c57ed7cbddb1e0b5935f25c2a2fe2ad05
Instruction Fuzzy Hash: A9611823B0865242E7209F66A4107FD7290BF8CBC0F144131EE4D87BA6EE3EE401C709

Function 00007FF6EBFC7EC0 Relevance: 3.1, APIs: 2, Instructions: 86encryptionCOMMON

Download Yara Rule

APIs

CryptProtectData.CRYPT32(?,?,?,?,?,?,?,?,1E5E0F68EF71A387,00007FF6EBFC7E98), ref: 00007FF6EBFC7F18
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,1E5E0F68EF71A387,00007FF6EBFC7E98), ref: 00007FF6EBFC7FAA

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CryptDataFreeLocalProtect
String ID:
API String ID: 2714945720-0
Opcode ID: a2378fc87af65e51448867ee86bab5adaeca8e4500ced070fe446fae58ae31d0
Instruction ID: 0577d35691e542b3ce27c516178c1e38d6247ee0953c09f9783728d697d83b14
Opcode Fuzzy Hash: a2378fc87af65e51448867ee86bab5adaeca8e4500ced070fe446fae58ae31d0
Instruction Fuzzy Hash: 8E412633A18A818AE3208F74D4503ED77A4FB5878CF044229EA8C46A4ADF7AD5A4C748

Function 00007FF6EBFF46E4 Relevance: 2.9, Strings: 2, Instructions: 358COMMONLIBRARYCODE

Download Yara Rule

Strings

a/p, xrefs: 00007FF6EBFF49FE
am/pm, xrefs: 00007FF6EBFF4993

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: a/p$am/pm
API String ID: 0-3206640213
Opcode ID: 3aa2d18b96f53096dafde024e84d8e74b450cb229927da4525f6c74ea8e41481
Instruction ID: f944e2b184ae913b7b47efb043c4af56d2aea06d12be2553e4231b49ed02f46a
Opcode Fuzzy Hash: 3aa2d18b96f53096dafde024e84d8e74b450cb229927da4525f6c74ea8e41481
Instruction Fuzzy Hash: 28E1A923A0868281EF748F2591547F922A4FF58794F654132EB5D87BB5EF3EE940C30A

Function 00007FF6EBF80A80 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

dumps, xrefs: 00007FF6EBF80AC8
emoji, xrefs: 00007FF6EBF80AF0

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: dumps$emoji
API String ID: 0-2873254224
Opcode ID: 9c1d1d90ca4f88bc8268b0322e863aaa792dfa8aa99b6ae742cb4d4f1446b717
Instruction ID: 4bd903d0b63107745ee2c61dc3ece84ba05432ffea97f31a81d23158bc45a277
Opcode Fuzzy Hash: 9c1d1d90ca4f88bc8268b0322e863aaa792dfa8aa99b6ae742cb4d4f1446b717
Instruction Fuzzy Hash: F3B11A23928BC586E661CB25E8802AAB7B4F79D788F505325FACD53B59DF3CD250CB04

Function 00007FF6EBFF6A68 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF6EBFF6BB0

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 90946a6b15058c528e056b8d8cd1a92ef4f6d2102c32f556ef9c06fc4cf9f037
Instruction ID: 386b781b675a06504762380b7b44c1c431aa73d85aa19485af057d4f5d05e1e0
Opcode Fuzzy Hash: 90946a6b15058c528e056b8d8cd1a92ef4f6d2102c32f556ef9c06fc4cf9f037
Instruction Fuzzy Hash: 6A12AB23A08BC186E751CF2894053FD73A4FB59748F159235EB9C876A2EF3AE294C705

Function 00007FF6EBFAC0F0 Relevance: 1.7, APIs: 1, Instructions: 232COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFAC40B

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 77270c227ffeb004b750eba44a016f14a5b20c8e9565abcba5683151d7bf73c1
Instruction ID: 3ed671b064092663c391501c9dc4f9d62aa38171a1039aea27fdf68e9507da59
Opcode Fuzzy Hash: 77270c227ffeb004b750eba44a016f14a5b20c8e9565abcba5683151d7bf73c1
Instruction Fuzzy Hash: B5A18823A09B9989EB04CBA9D8803EC27B0F719B48F548426CF8D93B65DF39D091C315

Function 00007FF6EBFABDD0 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFAC0E4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 19769e847731a8f3ae8f2781323fac765a50851832732306f59deb7ca3333fae
Instruction ID: e50902977192af358fd95eaf86fbdcdcbf4d3aad3346e0f16af69a62fbfeb7a3
Opcode Fuzzy Hash: 19769e847731a8f3ae8f2781323fac765a50851832732306f59deb7ca3333fae
Instruction Fuzzy Hash: 92A19C23A19B9989EB04CBA9D4803EC37B0F758B88F548426DF8D93766DF39D091C751

Function 00007FF6EBFABAB0 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFABDC4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: ee8b0f9f2e73586f7a4fc3912ce6b8e3a620c06cd61257d921c36885d417bf64
Instruction ID: 5004350d7def9ef8dec98d2fe7b0fd66ea10f1c91bb8fbf0601586cdb2ae0bf3
Opcode Fuzzy Hash: ee8b0f9f2e73586f7a4fc3912ce6b8e3a620c06cd61257d921c36885d417bf64
Instruction Fuzzy Hash: 58A18B23A19B9A89EB04CBA9D4803EC3770F759788F544426DF8D93BAADF39D091C311

Function 00007FF6EBFAB780 Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFABAA9

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: a0e78a6ef54e2a893f1caef4e4e4ab9343fbc453b4b6cae2b4af0f6514b75cbd
Instruction ID: 36e1f56279bf7ebab8cf0caa9e7641af9a821080c3212728750706d074fbd786
Opcode Fuzzy Hash: a0e78a6ef54e2a893f1caef4e4e4ab9343fbc453b4b6cae2b4af0f6514b75cbd
Instruction Fuzzy Hash: ACA19A23A18B9989EB04CBA9D4803EC67B0FB48788F544126DF8D97B66DF39E091C304

Function 00007FF6EBFF8F60 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFE9EEC: GetLastError.KERNEL32 ref: 00007FF6EBFE9EFB
Part of subcall function 00007FF6EBFE9EEC: FlsGetValue.KERNEL32 ref: 00007FF6EBFE9F10
Part of subcall function 00007FF6EBFE9EEC: SetLastError.KERNEL32 ref: 00007FF6EBFE9F9B

EnumSystemLocalesW.KERNEL32 ref: 00007FF6EBFF8FFE

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: b863ec2cec9009a3af30c9a1a615a32510d45c83cc126c9469ae93d30e306958
Instruction ID: b6eebf12ebd1ad23efab762c0af32795390ad7184b3db9cbaef3f620a42f926e
Opcode Fuzzy Hash: b863ec2cec9009a3af30c9a1a615a32510d45c83cc126c9469ae93d30e306958
Instruction Fuzzy Hash: 8E110263A08645CAEB158F2AD4407EC7BA2FB94BA0F548131D629833E4CE79D6D1C745

Function 00007FF6EBFF9030 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFE9EEC: GetLastError.KERNEL32 ref: 00007FF6EBFE9EFB
Part of subcall function 00007FF6EBFE9EEC: FlsGetValue.KERNEL32 ref: 00007FF6EBFE9F10
Part of subcall function 00007FF6EBFE9EEC: SetLastError.KERNEL32 ref: 00007FF6EBFE9F9B

EnumSystemLocalesW.KERNEL32 ref: 00007FF6EBFF90AE

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: 0c241287891358d20c5c1590d81d3974ae3e0a48a457f3cbc01ffa927b921278
Instruction ID: 8a37e7878a09153c7320dcb3c146fb4bddc63a92b0497d6a1d3bc905ba3dfb80
Opcode Fuzzy Hash: 0c241287891358d20c5c1590d81d3974ae3e0a48a457f3cbc01ffa927b921278
Instruction Fuzzy Hash: EF01B573E0824546EB144F2AE8407F97692EB44BA4F55C231D669873E4DF7AD481C70A

Function 00007FF6EBFEDAE0 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32 ref: 00007FF6EBFEDB2F

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 17140df511fe09419b9fc83be2d2c34c2fb9fdba42dd4bc62a26aeb66c77a399
Instruction ID: ca10826eea7792ee47b646c6391be62be0835b3354014e132a7278d08a911618
Opcode Fuzzy Hash: 17140df511fe09419b9fc83be2d2c34c2fb9fdba42dd4bc62a26aeb66c77a399
Instruction Fuzzy Hash: CCF08C73B08B4182E704DB25F8906B96361EB88B90F149035EA5DC7366CF3ED5A1C309

Function 00007FF6EBFF9EEC Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF6EBFF9EF0

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 9736d98ff4c00b43741f239e002f48ba729bdd9c0db5a1f9682fb9dc510a38ab
Instruction ID: 45ebf314685048d76cbf22dd93213eff3967f9efda14ef407488a22143cb3b31
Opcode Fuzzy Hash: 9736d98ff4c00b43741f239e002f48ba729bdd9c0db5a1f9682fb9dc510a38ab
Instruction Fuzzy Hash: 41B09222E07A06C6EA482B516C86B1823A47F88720F994178C20C81320EF2E20A9971A

Function 00007FF6EBFB2750 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff8ff783da37649173626c7f7158936b22345755ff077d27462f74136c1878ba
Instruction ID: b51522c8191b9d47f0b3e8f108ed8025879a33973fff8ea65a5c19a0ba8e3ffa
Opcode Fuzzy Hash: ff8ff783da37649173626c7f7158936b22345755ff077d27462f74136c1878ba
Instruction Fuzzy Hash: 73C12573B2869587EB16CF12D9846A9BB62F7D8BD0B55C134DE4A47B98CE3CD802C704

Function 00007FF6EBF56610 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ec180874deb86fd7714d37a9704177cb1ddf6bae5bd7525a532394d6be90ec0
Instruction ID: fa64da84deb5e9d002de8df61b7b77e48a18f475a959888d303a9b1891e4dd40
Opcode Fuzzy Hash: 4ec180874deb86fd7714d37a9704177cb1ddf6bae5bd7525a532394d6be90ec0
Instruction Fuzzy Hash: 4812D433919BC98AD7618F29E84139AB7A4F78D788F505325EACC57B19EF38D250CB04

Function 00007FF6EBFC5AB0 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34fb1097c6f2363caac24c1e5b45ae24c1a6ca50cb597d280e611698873f3a91
Instruction ID: 605526383a6b88ae65967e97439eee0468e569ecba62453400a53e69ed1a4d99
Opcode Fuzzy Hash: 34fb1097c6f2363caac24c1e5b45ae24c1a6ca50cb597d280e611698873f3a91
Instruction Fuzzy Hash: B1C1D3B3A146948BE355CF2DD40195D7BA0F398B84F40A629EB56C3B01E778E9A5CF80

Function 00007FF6EBFE0D14 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9192222adae4e2f0070c299c0844eec1f899de7045819fce69bb7a8004539528
Instruction ID: 4f8c0764004646b65f7417029c2872cfe75bc475bac1a95f24f1b0d51169346a
Opcode Fuzzy Hash: 9192222adae4e2f0070c299c0844eec1f899de7045819fce69bb7a8004539528
Instruction Fuzzy Hash: 67915923B1828746EA344E3AA0127FD1690AF487A4F040639DE5ECB7E5DD3EF5059B0A

Function 00007FF6EBFE666C Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c2dc1868310f7be340402d514fcc5ddbcaaf30b09b4b1a75e66e521b583746
Instruction ID: 03d870374ec5ebe0bcccccfadc526436bdad545f679ced8ab3c14868497a5106
Opcode Fuzzy Hash: f0c2dc1868310f7be340402d514fcc5ddbcaaf30b09b4b1a75e66e521b583746
Instruction Fuzzy Hash: 79C1F033A0864A96EB28CF65C4403BD37A0EB49B68F144235CE1D977E5DF3AE845C34A

Function 00007FF6EBFF8674 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 468b93f19c7ca54f8d79ce9aecab092ca155e8bca1880fa3cbddf3014db9fedd
Instruction ID: e2e8cf9b057547aa7886dc01ab78fe97f7c54a8c13275060d7cb75be92f65d88
Opcode Fuzzy Hash: 468b93f19c7ca54f8d79ce9aecab092ca155e8bca1880fa3cbddf3014db9fedd
Instruction Fuzzy Hash: B6B1F633A18646C2EB659F21D4117F933A0FB88B88F244231DA49C36E9DF7EE541C74A

Function 00007FF6EBFE8D50 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6b2222bd4161aa0df81311004b32476a3e68bf497272c3efca11fb2e46f97a06
Instruction ID: cfb08e23b1a2f46626ce8d028227d4460cc110db1dd654c6b8a61bbc27f75223
Opcode Fuzzy Hash: 6b2222bd4161aa0df81311004b32476a3e68bf497272c3efca11fb2e46f97a06
Instruction Fuzzy Hash: E881D133A04A5186EB61DE25D4813BD2360FB88BA8F144636EF1ED7BA4CF3AD151C349

Function 00007FF6EBFA4720 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8096616a82d0af589e55529d9e21aaaddb0a4067eb04550f42ec58ec897b5e0e
Instruction ID: 908555259f6f59ec163113d9edc8f8f4937ac7afc07db916b0c00c3939a76e7d
Opcode Fuzzy Hash: 8096616a82d0af589e55529d9e21aaaddb0a4067eb04550f42ec58ec897b5e0e
Instruction Fuzzy Hash: AC61F623B18BC982DE14CB19E0402E9A361E75D7D4F549231DB9D87BA8EF7DE190C744

Function 00007FF6EC00FFBC Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 6b3816cb3a988972d41337c60df476b316031ac7a58811eca424fd60ba025d64
Instruction ID: 6ac220829cee5e3dc46e15ac437632801659c818a1de37d558bf6884364eecfc
Opcode Fuzzy Hash: 6b3816cb3a988972d41337c60df476b316031ac7a58811eca424fd60ba025d64
Instruction Fuzzy Hash: 2B61E423E1824246F7658A2C845077DA680BF4077CF144239EABEC76D5DF2FEA48C70A

Function 00007FF6EBFC5EF0 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b24077aedd3f9e8a449d09c4eafcb8d5ede4dcad30c6275166c395dfd1882a
Instruction ID: 3e2ee553ccc26651c5d6aa930ab6f4bfd09c411c85c637b61ff4c93870bff125
Opcode Fuzzy Hash: 35b24077aedd3f9e8a449d09c4eafcb8d5ede4dcad30c6275166c395dfd1882a
Instruction Fuzzy Hash: 0361E12321E2C48FD30DDF7C589106D7F61D3A7908388469DEAC5EB74BC504C91ACBA6

Function 00007FF6EBFE5598 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction ID: 4e1fce9abf10485501c62346c190b28ffc6a6be26e18f3b3ed707e483a8cde7d
Opcode Fuzzy Hash: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction Fuzzy Hash: 3451A277A2865586EB248B28C1403BC37A1EB4CB69F244131CE4E977B5CF3BE852C785

Function 00007FF6EBFFBB90 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: d05f01d9c7e6d1227e296b3139dc3c4d5665c446069bb1063acdd8e7d0dd9ca1
Instruction ID: 3ef392957dc665b3a360a43174b9e5acdd410ae58c0f0190b091b8f35a37dfdf
Opcode Fuzzy Hash: d05f01d9c7e6d1227e296b3139dc3c4d5665c446069bb1063acdd8e7d0dd9ca1
Instruction Fuzzy Hash: 9141EF63714A5582EF04CF2AE9546A963A1BB48FD4F19A032EE0D97B68DE3ED142C305

Function 00007FF6EBFA7C00 Relevance: 30.0, APIs: 9, Strings: 8, Instructions: 202COMMON

Download Yara Rule

Strings

key declared, but no value, xrefs: 00007FF6EBFA925D, 00007FF6EBFA9284, 00007FF6EBFA9398
unexpected '}', xrefs: 00007FF6EBFA9413
key opened, but never closed, xrefs: 00007FF6EBFA93BF
No closed word, xrefs: 00007FF6EBFA9317, 00007FF6EBFA933E
word wasnt properly ended, xrefs: 00007FF6EBFA9365, 00007FF6EBFA93EC
quote was opened but not closed., xrefs: 00007FF6EBFA9236, 00007FF6EBFA92AB
object is not closed with '}', xrefs: 00007FF6EBFA920F
unexpected key without object, xrefs: 00007FF6EBFA92EA

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: No closed word$key declared, but no value$key opened, but never closed$object is not closed with '}'$quote was opened but not closed.$unexpected '}'$unexpected key without object$word wasnt properly ended
API String ID: 0-2700065129
Opcode ID: 2f769f3a61af26de02fdc7094952ae9039798cd0f5a8ea2391996b067ad7b2a7
Instruction ID: 2d63fb5403f8420f186bc80c8352c28dd4db35675307d56358985d68ec276ceb
Opcode Fuzzy Hash: 2f769f3a61af26de02fdc7094952ae9039798cd0f5a8ea2391996b067ad7b2a7
Instruction Fuzzy Hash: 61B11F73919BC694EB60EF20DC517E83364FB54348F805532D64C8B9AAEF6AD399C309

Function 00007FF6EBFC4A30 Relevance: 28.7, APIs: 19, Instructions: 177processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF6EBFC4A86
Process32FirstW.KERNEL32 ref: 00007FF6EBFC4ACA
Process32NextW.KERNEL32 ref: 00007FF6EBFC4ADF
OpenProcess.KERNEL32 ref: 00007FF6EBFC4B1B
OpenProcessToken.ADVAPI32 ref: 00007FF6EBFC4B42
GetTokenInformation.ADVAPI32 ref: 00007FF6EBFC4B6E
GetLastError.KERNEL32 ref: 00007FF6EBFC4B7C
GetTokenInformation.ADVAPI32 ref: 00007FF6EBFC4BBC
ConvertSidToStringSidA.ADVAPI32 ref: 00007FF6EBFC4BD3
CloseHandle.KERNEL32 ref: 00007FF6EBFC4C46
CloseHandle.KERNEL32 ref: 00007FF6EBFC4C51
CloseHandle.KERNEL32 ref: 00007FF6EBFC4CB6
Process32NextW.KERNEL32 ref: 00007FF6EBFC4CC3
CloseHandle.KERNEL32 ref: 00007FF6EBFC4CE9
CloseHandle.KERNEL32 ref: 00007FF6EBFC4CF2
CloseHandle.KERNEL32 ref: 00007FF6EBFC4D07

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: CloseHandle$Process32Token$InformationNextOpenProcess$ConvertCreateErrorFirstLastSnapshotStringToolhelp32
String ID:
API String ID: 3925315391-0
Opcode ID: b7cdb7a7c6588e50aaab37c0fa57b8db1cd1071ffc72c1321cf755afb8342ce3
Instruction ID: 4be7bf851d1f5b60bf14864702492317e0fa8aab29fedb6c0123b59338d6ad2a
Opcode Fuzzy Hash: b7cdb7a7c6588e50aaab37c0fa57b8db1cd1071ffc72c1321cf755afb8342ce3
Instruction Fuzzy Hash: DD817133A18B4182EB54DB16E8507BAA3A4FB88B94F404035DE4D87B79EF7ED445CB09

Function 00007FF6EBF9B780 Relevance: 17.9, APIs: 5, Strings: 5, Instructions: 365COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9BCDA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9BCE0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9BCE6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9BCEC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9BCF2

Strings

; last read: ', xrefs: 00007FF6EBF9B9AC
; expected , xrefs: 00007FF6EBF9BC37
while parsing , xrefs: 00007FF6EBF9B828
syntax error , xrefs: 00007FF6EBF9B7BF
unexpected , xrefs: 00007FF6EBF9BB37

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ; expected $; last read: '$syntax error $unexpected $while parsing
API String ID: 3668304517-4239264347
Opcode ID: e61819bdb5c2b5145de86d6a00541d87f1f8e50f84490c57d63a8f3144ea801d
Instruction ID: d5a02360a2f20b2d9e92d67bed2cc4c214c3fc1a51cf2df78c790130fea18409
Opcode Fuzzy Hash: e61819bdb5c2b5145de86d6a00541d87f1f8e50f84490c57d63a8f3144ea801d
Instruction Fuzzy Hash: 9AF1A363F14A8189FB00DFE4D5403EC2B72AB087A8F504235DE1D9BAEADF799485D345

Function 00007FF6EBF7DCE0 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 281COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF6EBF7DD3F

Part of subcall function 00007FF6EC00B260: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF6EBFA5C46,?,?,00000000,00000000,?,00000000,?,00007FF6EBF8786D), ref: 00007FF6EC00B272

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF7DF52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF7DF58
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6EBF7DFE7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF7E00D
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6EBF7E0A1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF7E0AD

Strings

", ", xrefs: 00007FF6EBF7DE2D
: ", xrefs: 00007FF6EBF7DDFA

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_destroy$ApisFile__std_fs_code_page
String ID: ", "$: "
API String ID: 1991941009-747220369
Opcode ID: c4991a261102bd4fcc0315cd5d52d9dfb8c9e4714ac4c9995ffdcacead30aef8
Instruction ID: acb39da4205eaf9ec83b77512f675128a0986af526545e3a17a4d6f126c3d6d0
Opcode Fuzzy Hash: c4991a261102bd4fcc0315cd5d52d9dfb8c9e4714ac4c9995ffdcacead30aef8
Instruction Fuzzy Hash: 8CB1E0B3B14A4185EB00EF64E0503FC2362EB48B88F504531DE5D97BAADF7AD595C389

Function 00007FF6EBFCAEA0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 159COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBFCAF1D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6EBFCAF65
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFCB0E1
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFCB0F4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFCB0FA

Strings

true, xrefs: 00007FF6EBFCB01C
false, xrefs: 00007FF6EBFCAFED
bad locale name, xrefs: 00007FF6EBFCB0E7

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Concurrency::cancel_current_task$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name$false$true
API String ID: 164343898-1062449267
Opcode ID: 752f03881db0d34c5be6f162abf39008bebade7dbabb6014c0db619d265bd8c1
Instruction ID: 408b174eb00c006b6c039e2160bb5faa5d4f600b973688413a896182ed8bc601
Opcode Fuzzy Hash: 752f03881db0d34c5be6f162abf39008bebade7dbabb6014c0db619d265bd8c1
Instruction Fuzzy Hash: 4B715A23B0AB418AEB41DF64E4503FC33A5EF88718F144135DA4DA7AAADF3A9451C34A

Function 00007FF6EBFD9B70 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00007FF6EBFD9BA1
GetProcessId.KERNEL32 ref: 00007FF6EBFD9BAA
RmStartSession.RSTRTMGR ref: 00007FF6EBFD9BCA
RmRegisterResources.RSTRTMGR ref: 00007FF6EBFD9BF5
RmGetList.RSTRTMGR ref: 00007FF6EBFD9C2E
RmGetList.RSTRTMGR ref: 00007FF6EBFD9C90
RmEndSession.RSTRTMGR ref: 00007FF6EBFD9CCB
RmEndSession.RSTRTMGR ref: 00007FF6EBFD9D02
RmEndSession.RSTRTMGR ref: 00007FF6EBFD9D17

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Session$ListProcess$CurrentRegisterResourcesStart
String ID:
API String ID: 3299295986-0
Opcode ID: 4ddc3a5b4f8c6342cd3dcf0c0e78daa6693b2bbe667ef408570da53bc05ca548
Instruction ID: 265cf4de7ae2af98c8d2296e2fc67beb14cc5ec4657c0f448f8ba67823bbd3e2
Opcode Fuzzy Hash: 4ddc3a5b4f8c6342cd3dcf0c0e78daa6693b2bbe667ef408570da53bc05ca548
Instruction Fuzzy Hash: 86510C33B18A528AF714CFA5E4507ED33A1BB48758F504139DA0EA7B94DF3A9805CB49

Function 00007FF6EBF99990 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBF99A00
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6EBF99A48
_Getcoll.LIBCPMT ref: 00007FF6EBF99A7C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF99B7B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF99BF6

Strings

bad locale name, xrefs: 00007FF6EBF99B81

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnstd::_$GetcollLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 2486341784-1405518554
Opcode ID: bff3b163910ba8b525fbd19bc746e20794f2b3bdbc9240d59d620adf475c1be6
Instruction ID: fb3678cdcfa3d85524933863de2504e7f460437a25b325ef5958162dfe8afaf0
Opcode Fuzzy Hash: bff3b163910ba8b525fbd19bc746e20794f2b3bdbc9240d59d620adf475c1be6
Instruction Fuzzy Hash: BB91AD33B09A818AEB149FA5E4503EC3361EF48788F048535DA4D97AA9DF3ED451C34A

Function 00007FF6EBFEDB5C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,00000000,00007FF6EBFEE206,?,?,00000030,00007FF6EBFF5408,?,?,?,?,?,?,?,?), ref: 00007FF6EBFEDCD8
GetProcAddress.KERNEL32(?,00000000,00007FF6EBFEE206,?,?,00000030,00007FF6EBFF5408,?,?,?,?,?,?,?,?), ref: 00007FF6EBFEDCE4

Strings

ext-ms-, xrefs: 00007FF6EBFEDC35
api-ms-, xrefs: 00007FF6EBFEDC22

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: ca7c09baf792878f96d911292d21648074434898d998409f668d6f16be7d0add
Instruction ID: ae3be86564a5cc71947d6979b6788a6f3758784d52349f8ef852e64c02a8f56f
Opcode Fuzzy Hash: ca7c09baf792878f96d911292d21648074434898d998409f668d6f16be7d0add
Instruction Fuzzy Hash: 7441F527B19A1281EA198B1A98107BA2395BF48BE0F445635DD0DD7BA4EF3EE405C30A

Function 00007FF6EBFDE0C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FF6EBFDE2A3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFDE32D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFDE333
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFDE339
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFDE33F

Strings

out_of_range, xrefs: 00007FF6EBFDE132

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: out_of_range
API String ID: 1944019136-3053435996
Opcode ID: 7282e88c707efd82a2a4641735d606e4b68e22d667b574cd1ede7d770373114b
Instruction ID: ac566be3fa062e3c03d07464428f1622882b9f9d36bd3f511dc94b953a30c799
Opcode Fuzzy Hash: 7282e88c707efd82a2a4641735d606e4b68e22d667b574cd1ede7d770373114b
Instruction Fuzzy Hash: 60718173F18B8288FB00DF74E4513EC2361AB597A8F105331EA5C57AE9DE3A9185C349

Function 00007FF6EBFA9970 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FF6EBFA9B53
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA9BDD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA9BE3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA9BE9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFA9BEF

Strings

out_of_range, xrefs: 00007FF6EBFA99E2

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: out_of_range
API String ID: 1944019136-3053435996
Opcode ID: 52929eb672d255f4dc8f3a29923393050b952fc81a1d2ccb85de26b65a84be6a
Instruction ID: c82311104f2cace1fffa90bba26c6d91a1757a70b1883c730b0a0acf356123d9
Opcode Fuzzy Hash: 52929eb672d255f4dc8f3a29923393050b952fc81a1d2ccb85de26b65a84be6a
Instruction Fuzzy Hash: CA719073F18B8288FB00DF64D4503EC2361AB597A8F009331EA5C57AE9DE3A9185C349

Function 00007FF6EBF97AC0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FF6EBF97C9F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF97D24
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF97D2A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF97D30
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF97D36

Strings

type_error, xrefs: 00007FF6EBF97B34

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: type_error
API String ID: 1944019136-1406221190
Opcode ID: 27d4ea6155a7175561f26f74a55a22754afd6e3558035c21fb0bce210540d754
Instruction ID: c0372ea28fb9a94870c10523a6a67899fb11c3e0562f9b4102802ec87d1647e9
Opcode Fuzzy Hash: 27d4ea6155a7175561f26f74a55a22754afd6e3558035c21fb0bce210540d754
Instruction Fuzzy Hash: 6271A263F19B8288FB00DFB5D4513EC2361AB49798F105231DE6C57AE9EF39A185C349

Function 00007FF6EBFACB00 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

__std_exception_copy.LIBVCRUNTIME ref: 00007FF6EBFACCDF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFACD64
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFACD6A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFACD70
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFACD76

Strings

invalid_iterator, xrefs: 00007FF6EBFACB74

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: invalid_iterator
API String ID: 1944019136-2508626007
Opcode ID: 399a224074fd632ffd11ec39e9541ffd9d18d7573fa0b2a288f4ab9197235c05
Instruction ID: 4eb4981c8ed153fbc402e2f9bf75850a950ca3209c3c72cd0442b9344c5e23e2
Opcode Fuzzy Hash: 399a224074fd632ffd11ec39e9541ffd9d18d7573fa0b2a288f4ab9197235c05
Instruction Fuzzy Hash: F5718363F19B8288FB00DF75D4503EC2361AB49798F105731DE6C57AE9EE3AA185C349

Function 00007FF6EBF7EF10 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF7F0B2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF7F0B8
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6EBF7F0F0
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF6EBF7F0FD

Strings

at line , xrefs: 00007FF6EBF7EF9A
, column , xrefs: 00007FF6EBF7EFC8

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: __std_exception_destroy_invalid_parameter_noinfo_noreturn
String ID: at line $, column
API String ID: 729085983-191570568
Opcode ID: 5eb50482a23a13387e4ba2c98b03166af1b9dba654dc704b1591e29ab17620d3
Instruction ID: c3a15f27178c07116427f0a814e803c335adc5ecc6afa29e7fe8b18789584447
Opcode Fuzzy Hash: 5eb50482a23a13387e4ba2c98b03166af1b9dba654dc704b1591e29ab17620d3
Instruction Fuzzy Hash: 1951D473A18B8141EA109F19E5403AE6761FB89BD0F104231EBAC47BE6DF7EE581C349

Function 00007FF6EBFE9EEC Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF6EBFE9EFB
FlsGetValue.KERNEL32 ref: 00007FF6EBFE9F10
FlsSetValue.KERNEL32 ref: 00007FF6EBFE9F31
FlsSetValue.KERNEL32 ref: 00007FF6EBFE9F5E
FlsSetValue.KERNEL32 ref: 00007FF6EBFE9F6F
FlsSetValue.KERNEL32 ref: 00007FF6EBFE9F80
SetLastError.KERNEL32 ref: 00007FF6EBFE9F9B

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 393d71075e39267f9418b9d8d6d74273635a9a8691926b1b96f338eff6d5f6ad
Instruction ID: 1ad23d8de4308668194774058973c488ff2f2628b362fea2e111b27ee7d5b2eb
Opcode Fuzzy Hash: 393d71075e39267f9418b9d8d6d74273635a9a8691926b1b96f338eff6d5f6ad
Instruction Fuzzy Hash: 9A217F37A0D28242FA58A76165513BD52824F4CBB0F049734E93E9FAE6DE3FF441821A

Function 00007FF6EC00D0CC Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF6EC00D13C
MultiByteToWideChar.KERNEL32 ref: 00007FF6EC00D1DA
LCMapStringEx.KERNEL32 ref: 00007FF6EC00D243
LCMapStringEx.KERNEL32 ref: 00007FF6EC00D295
LCMapStringEx.KERNEL32 ref: 00007FF6EC00D33A
WideCharToMultiByte.KERNEL32 ref: 00007FF6EC00D394

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 7d9f455a94f84a05f587d57d339c879795f99f0f1217d4298ff39db3fa6ba98e
Instruction ID: addabf8c622173316a884108925a3a235dac9e98adf83dfc81bea69015fd64eb
Opcode Fuzzy Hash: 7d9f455a94f84a05f587d57d339c879795f99f0f1217d4298ff39db3fa6ba98e
Instruction Fuzzy Hash: 4E81A173A0878186EB208F25A8413B972A5FF84BA8F154635EA5D87BD9EF3ED400C715

Function 00007FF6EBFEA064 Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,-2723E8D8DEBC5093,00007FF6EBFE4E71,?,?,?,?,00007FF6EBFED3FC), ref: 00007FF6EBFEA073
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,00007FF6EBFE4E71,?,?,?,?,00007FF6EBFED3FC), ref: 00007FF6EBFEA0A9
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,00007FF6EBFE4E71,?,?,?,?,00007FF6EBFED3FC), ref: 00007FF6EBFEA0D6
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,00007FF6EBFE4E71,?,?,?,?,00007FF6EBFED3FC), ref: 00007FF6EBFEA0E7
FlsSetValue.KERNEL32(?,?,-2723E8D8DEBC5093,00007FF6EBFE4E71,?,?,?,?,00007FF6EBFED3FC), ref: 00007FF6EBFEA0F8
SetLastError.KERNEL32(?,?,-2723E8D8DEBC5093,00007FF6EBFE4E71,?,?,?,?,00007FF6EBFED3FC), ref: 00007FF6EBFEA113

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 9171995ea5c336ae991c260a04bbd1332f14451c84c9f4660891b61a794840d0
Instruction ID: 3e2faa07945249d4def6a0332378c7098c89cef8031562ebd7eff1176023feff
Opcode Fuzzy Hash: 9171995ea5c336ae991c260a04bbd1332f14451c84c9f4660891b61a794840d0
Instruction Fuzzy Hash: 84119027B0D28642FA14A7255A513BD62825F4C7B0F045334E93EDBBE6DE2FF840864B

Function 00007FF6EBFD6F40 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 00007FF6EBFD6FCB

Strings

?, xrefs: 00007FF6EBFD6F80

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Open
String ID: ?
API String ID: 71445658-1684325040
Opcode ID: 208e14def8f7a52b27832f13a9a4675c2dd0128cefc550b82194dbe05051c383
Instruction ID: da64a70fd88036dd427540b59cd0695132b3310e89eff57617fe22d4578c58b9
Opcode Fuzzy Hash: 208e14def8f7a52b27832f13a9a4675c2dd0128cefc550b82194dbe05051c383
Instruction Fuzzy Hash: 6841B433A18B8181EA508B25F48436EA360FB89794F104235FB9D87BA9DF3DD084CB49

Function 00007FF6EBFF4FB8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF6EBFF4FDD
GetProcAddress.KERNEL32 ref: 00007FF6EBFF4FF3
FreeLibrary.KERNEL32 ref: 00007FF6EBFF501A

Strings

CorExitProcess, xrefs: 00007FF6EBFF4FEC
mscoree.dll, xrefs: 00007FF6EBFF4FD4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 780b3f1f3aecbe1eb4b75bb10cd40d76e1f940e32b271abccdf7c11bca0f4dbd
Instruction ID: 8419150b92a5329f5bc47a486672a97b9dd3bf4be7579ae40956478dc77be4e5
Opcode Fuzzy Hash: 780b3f1f3aecbe1eb4b75bb10cd40d76e1f940e32b271abccdf7c11bca0f4dbd
Instruction Fuzzy Hash: 4EF06223A1970681EB188B64E46437A5320BF88BA5F940235D96DC72F5EF3FD045C74A

Function 00007FF6EBFD59A0 Relevance: 7.6, APIs: 5, Instructions: 106COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 00007FF6EBFD59D2
GetWindowRect.USER32 ref: 00007FF6EBFD59E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5B5C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5B62
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD5B68

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Window$DesktopRect
String ID:
API String ID: 1991322523-0
Opcode ID: 0c09b0636b7a4a74a671a8d5e0a4a232b23c6647649f34c84a78b3815982ffaa
Instruction ID: 7e47e0ea006d19438a44e37ce186c3c4e53944b852f2e55a84e9cd9bc03e5a83
Opcode Fuzzy Hash: 0c09b0636b7a4a74a671a8d5e0a4a232b23c6647649f34c84a78b3815982ffaa
Instruction Fuzzy Hash: 5D419963E1878545EA109B14F4513BEA351EBC97A4F104331E6AC87BEADF2ED080CB49

Function 00007FF6EBFEA12C Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF6EBFE7EF7,?,?,00000000,00007FF6EBFE8192,?,?,?,?,-2723E8D8DEBC5093,00007FF6EBFE811E), ref: 00007FF6EBFEA14B
FlsSetValue.KERNEL32(?,?,?,00007FF6EBFE7EF7,?,?,00000000,00007FF6EBFE8192,?,?,?,?,-2723E8D8DEBC5093,00007FF6EBFE811E), ref: 00007FF6EBFEA16A
FlsSetValue.KERNEL32(?,?,?,00007FF6EBFE7EF7,?,?,00000000,00007FF6EBFE8192,?,?,?,?,-2723E8D8DEBC5093,00007FF6EBFE811E), ref: 00007FF6EBFEA192
FlsSetValue.KERNEL32(?,?,?,00007FF6EBFE7EF7,?,?,00000000,00007FF6EBFE8192,?,?,?,?,-2723E8D8DEBC5093,00007FF6EBFE811E), ref: 00007FF6EBFEA1A3
FlsSetValue.KERNEL32(?,?,?,00007FF6EBFE7EF7,?,?,00000000,00007FF6EBFE8192,?,?,?,?,-2723E8D8DEBC5093,00007FF6EBFE811E), ref: 00007FF6EBFEA1B4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 899af4340b37942fc89d2eda1bd92b937099c6712e87118af2802e5ac3ca3c8d
Instruction ID: 6f1255d788b1d70bca81365cc8f0e7d3d5380f06152d198ec9dc7d860c375d36
Opcode Fuzzy Hash: 899af4340b37942fc89d2eda1bd92b937099c6712e87118af2802e5ac3ca3c8d
Instruction Fuzzy Hash: 97117F27F0D28A41FA58932169517BD11414F487B0F045334E93EDBAF6DE2EF901864B

Function 00007FF6EBFE9FC0 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF6EBFE9FD1
FlsSetValue.KERNEL32 ref: 00007FF6EBFE9FF0
FlsSetValue.KERNEL32 ref: 00007FF6EBFEA018
FlsSetValue.KERNEL32 ref: 00007FF6EBFEA029
FlsSetValue.KERNEL32 ref: 00007FF6EBFEA03A

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 27a8d680a01718b2f16bf98748d9030277dcffc577ce5399e3a087c28c18192a
Instruction ID: cf0ad2a421bffc96322263e2995ab255984e23f940f8fbcdce0febc6585468c4
Opcode Fuzzy Hash: 27a8d680a01718b2f16bf98748d9030277dcffc577ce5399e3a087c28c18192a
Instruction Fuzzy Hash: E2115727A0D24742F968A22518517FD11824F48770F08A734EA3EDF6F2DE2FB900825B

Function 00007FF6EBFB0BD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 248COMMON

Download Yara Rule

Strings

ios_base::eofbit set, xrefs: 00007FF6EBFB0C49
ios_base::failbit set, xrefs: 00007FF6EBFB0C42
ios_base::badbit set, xrefs: 00007FF6EBFB0C37

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 0-1866435925
Opcode ID: 58c131a224e6ab11856af939a775decd2d344bb436384685c14c7c404b401b05
Instruction ID: c5d24c30f283ea5840ea498929f2f00a8ed0c7c57d0728e0fb418f1a1be2d45c
Opcode Fuzzy Hash: 58c131a224e6ab11856af939a775decd2d344bb436384685c14c7c404b401b05
Instruction Fuzzy Hash: 4891AE73A08B8682EB64CB11E4503ADB7A5FB48BD4F554032EA5D87BA8DF3ED481C345

Function 00007FF6EC00F0DC Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EC00F3BB

Part of subcall function 00007FF6EBFFC4AC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFFC4C9

Strings

UTF-16LEUNICODE, xrefs: 00007FF6EC00F359
ccs, xrefs: 00007FF6EC00F2F6
UTF-8, xrefs: 00007FF6EC00F33A

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: a61b9dafeebeef71c778538e02d1dd93d241f4be75a88b4b5df5efb2b9ec5def
Instruction ID: b59bc83e19a2357f2cf480402ac309777a5d35ffe6ff53ed5044708bc0df99d1
Opcode Fuzzy Hash: a61b9dafeebeef71c778538e02d1dd93d241f4be75a88b4b5df5efb2b9ec5def
Instruction Fuzzy Hash: 9581C377D0C60286F7A58E25C11237A36A0AB11B58F578835CB09D7295EF3FE842E30B

Function 00007FF6EBF7EBF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

[json.exception., xrefs: 00007FF6EBF7ED2B

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID:
String ID: [json.exception.
API String ID: 0-791563284
Opcode ID: 6a4279c4ab6d3c4d22781d422e23e4c9bae50b78e4f0ddac313b26c6f69d5c85
Instruction ID: b2e8032a43dbe91bde7899245f934703b7014617842b63c776455ff365ba0852
Opcode Fuzzy Hash: 6a4279c4ab6d3c4d22781d422e23e4c9bae50b78e4f0ddac313b26c6f69d5c85
Instruction Fuzzy Hash: BB71ED73F24A9185F700CF69E8503EC27A1EB99B98F104236DE5D57AAACF7AD081C345

Function 00007FF6EBF7CA60 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBF7CACF
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6EBF7CB17
_Getctype.LIBCPMT ref: 00007FF6EBF7CB55

Strings

bad locale name, xrefs: 00007FF6EBF7CC0E

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: std::_$GetctypeLocinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 1612978173-1405518554
Opcode ID: cb25b9fab8f2b540b2e1f80e552673d1662e08701ae7d8b7d6e9bc1a0f0fedaa
Instruction ID: a7f1c320a9a82659b88d57b1cec89074ed84aa9026829ead43ce996782314075
Opcode Fuzzy Hash: cb25b9fab8f2b540b2e1f80e552673d1662e08701ae7d8b7d6e9bc1a0f0fedaa
Instruction Fuzzy Hash: 56514833B09A418AEB10DFA4E4503ED3364AF48748F044435DA4DA7AA5DF3A9565C34A

Function 00007FF6EBFD0BFF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD0D1F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFD0D25

Part of subcall function 00007FF6EC000E88: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6EC00C3D2), ref: 00007FF6EC000ED8
Part of subcall function 00007FF6EC000E88: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6EC00C3D2), ref: 00007FF6EC000F19

Strings

exists, xrefs: 00007FF6EBFD0D3B
ios_base::badbit set, xrefs: 00007FF6EBFD0D5D, 00007FF6EBFD0D94, 00007FF6EBFD0DD2

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExceptionFileHeaderRaise
String ID: exists$ios_base::badbit set
API String ID: 240014264-2074760687
Opcode ID: a5a59e918b60e0c8ffbbc047f386daa408d0b82dfff3e722bcb7dc2d295da79a
Instruction ID: 22418524d89a484953b6fb87859e9628149f75d1e901e64607741d5fd35702c8
Opcode Fuzzy Hash: a5a59e918b60e0c8ffbbc047f386daa408d0b82dfff3e722bcb7dc2d295da79a
Instruction Fuzzy Hash: 7C417173A19BC694EA20DF14E4943EE7361FB88754F804132CA8C83AA9EF7ED145CB45

Function 00007FF6EBFCD620 Relevance: 6.4, APIs: 4, Instructions: 370COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFCDB64
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFCDB6A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBFCDB76
SysFreeString.OLEAUT32 ref: 00007FF6EBFCDB97

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FreeString
String ID:
API String ID: 1965679434-0
Opcode ID: ac0ba30e2cecf2f5c947f9ac700c2fa436c4031c6f388644c168f7db9c4a35da
Instruction ID: fd6b50ec48a3069705064fcc58320a88e0de7d05e2d9684956288881ff0b1a70
Opcode Fuzzy Hash: ac0ba30e2cecf2f5c947f9ac700c2fa436c4031c6f388644c168f7db9c4a35da
Instruction Fuzzy Hash: 10E1AF63F18A818AFB00DFA5D4503EC2372AB49798F404635DE1DABBAADF39D144C349

Function 00007FF6EBFEC578 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF6EBFEC5F7
WriteFile.KERNEL32 ref: 00007FF6EBFEC8BF
WriteFile.KERNEL32 ref: 00007FF6EBFEC905
GetLastError.KERNEL32 ref: 00007FF6EBFEC9BB

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: 51ca5d62aa19301a18794717acfbf1a46562df65ce568f5fb7798e040ec77a5b
Instruction ID: 995f07392248fd56ceee5b3354f6bcfb796a184304805c330a41a519e43e2e9b
Opcode Fuzzy Hash: 51ca5d62aa19301a18794717acfbf1a46562df65ce568f5fb7798e040ec77a5b
Instruction Fuzzy Hash: 56D1EE33B18A8189E711CF65D4406FC3BB1FB58BA8B004236DE9D97BA9DE39E406C345

Function 00007FF6EBFECF38 Relevance: 6.2, APIs: 4, Instructions: 218COMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,00007FF6EBFECF23), ref: 00007FF6EBFED054
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,00007FF6EBFECF23), ref: 00007FF6EBFED0DF

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 3f62383259c36c84ae499e9679ffdb2c1832cde853ef017496f7ee74174e2e70
Instruction ID: 94fad34a8aad4b8ea1a749484bd9510d33d331494b0c80102045f3e9d2b8608e
Opcode Fuzzy Hash: 3f62383259c36c84ae499e9679ffdb2c1832cde853ef017496f7ee74174e2e70
Instruction Fuzzy Hash: 9F91FA37F1865185F7509F6594403FD2BA0BB49BA8F145239EE0EA7AA4CF3EE442C306

Function 00007FF6EBF9CAD0 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF9CC02
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9CC08
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9CC65
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6EBF9CCAC

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID:
API String ID: 3936042273-0
Opcode ID: 37b5a384d894ce52b23881f2ba836fa197112d377954dcc88dc1db7d4ed38b02
Instruction ID: 6343bf9c18249cda4acb5e5c741d6c055c05289c25df660cdaaa327031232346
Opcode Fuzzy Hash: 37b5a384d894ce52b23881f2ba836fa197112d377954dcc88dc1db7d4ed38b02
Instruction Fuzzy Hash: 9441E363B0668581FD189FA5D1043BC6291DF4CBF0F544631CE7D877E5DE6EA4928309

Function 00007FF6EBF92C80 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF6EC00C5EC: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EC00C609
Part of subcall function 00007FF6EC00C5EC: std::locale::_Setgloballocale.LIBCPMT ref: 00007FF6EC00C62C

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBF92CC1
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBF92CE6
std::_Facet_Register.LIBCPMT ref: 00007FF6EBF92D92
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF92DF4

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_RegisterSetgloballocalestd::locale::_
String ID:
API String ID: 3698853521-0
Opcode ID: 4fc220db6eaac0443d91f4384fb0f2b142d491479135c28509da1aa1f4e14997
Instruction ID: a2af49add391f418d11bf4257a356a0c485a4aa95efdf1272d63692e87b95f6c
Opcode Fuzzy Hash: 4fc220db6eaac0443d91f4384fb0f2b142d491479135c28509da1aa1f4e14997
Instruction Fuzzy Hash: BC41CF33A18B4181EA54DF55E4417B933A0FB88B84F154532EA9D837A9DF3FE446C70A

Function 00007FF6EBFE06FC Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFE0775
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFE07D1
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFE080C
_invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFE0831

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f1f9df1a05da3301ed415653e8360f7cb12179a044a2575d07df28b1a0800ec9
Instruction ID: 236fc849b4a1250aef88aff402d141c718ff72bf64e4576c5c2cdbf1f0da7b8a
Opcode Fuzzy Hash: f1f9df1a05da3301ed415653e8360f7cb12179a044a2575d07df28b1a0800ec9
Instruction Fuzzy Hash: 94416023909A8685EB529F34C4213FD3BA0EB49F94F49C071CA8C973A5DE3E9445C75A

Function 00007FF6EBF94E10 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBF94E3B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBF94E60
std::_Facet_Register.LIBCPMT ref: 00007FF6EBF94F0B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBF94F56

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: acbc9ea0ed55ab8395d29e3490695ccec0bb7a6dea11a1816461c93234175631
Instruction ID: 4ee454ba60e73f45092a96d405b515cada7d97436c93f827a5ea31a2adc78ff4
Opcode Fuzzy Hash: acbc9ea0ed55ab8395d29e3490695ccec0bb7a6dea11a1816461c93234175631
Instruction Fuzzy Hash: 0A41BF23A18A4280EE25DF15E4403BD6760FB98B98F590531EA8D877B5DF3FE581C70A

Function 00007FF6EBFCAB80 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBFCABAB
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBFCABD0
std::_Facet_Register.LIBCPMT ref: 00007FF6EBFCAC7B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6EBFCACC6

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: std::_$LockitLockit::_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 1168246061-0
Opcode ID: 73d040060e39de7473f733929aeeb815445ca65359d0c265211a911782271014
Instruction ID: a9b46842e3a062b91426131db5d5820e10fc6b25db45cd828bdb44487ef6b3d3
Opcode Fuzzy Hash: 73d040060e39de7473f733929aeeb815445ca65359d0c265211a911782271014
Instruction Fuzzy Hash: 8141C623A18A4181EB15DF15E4413B96760FF48B94F194531EA4D8B7B9DF3FE481CB0A

Function 00007FF6EBFCB100 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBFCB16F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6EBFCB1B7

Strings

bad locale name, xrefs: 00007FF6EBFCB28C

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: cd45b69d38e937e2b2c105ad083e3fa59ee127999d26fb8e2da05732c8aec6bf
Instruction ID: a59f175837aef3b29f2a2e2b9c7193b2d4245f8c2c4f272e4ed9dc3c6d7e58e6
Opcode Fuzzy Hash: cd45b69d38e937e2b2c105ad083e3fa59ee127999d26fb8e2da05732c8aec6bf
Instruction Fuzzy Hash: 77517A33B09A4189EB55DF70E4903FC2364EF88748F040435EA4DABAA6DF3AD452C34A

Function 00007FF6EBF9A600 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6EBF9A66F
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF6EBF9A6B7

Strings

bad locale name, xrefs: 00007FF6EBF9A796

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: fc0e6e2b9b421333c13244ee569d98d54f4ff8361596dcdfacd00c0aeb48e991
Instruction ID: cc56fee29d448455648aa74de3670de840a6f011d5306c69933c8fe9cb7c3fc6
Opcode Fuzzy Hash: fc0e6e2b9b421333c13244ee569d98d54f4ff8361596dcdfacd00c0aeb48e991
Instruction Fuzzy Hash: A1514933A0AA4189EB54DFA0E4913FC33A4EF48748F044435EE4DA7AA5DF3AD515C38A

Function 00007FF6EBFF2D58 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF6EBFF8138: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6EBFF816B

_get_daylight.LIBCMT ref: 00007FF6EBFF2E70
_get_daylight.LIBCMT ref: 00007FF6EBFF2E81

Strings

?, xrefs: 00007FF6EBFF2E01

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: 9cb3a800b4e5433171cdfee83524aba1d0ffe5a917aa16eb1e5a6d3dafcd7e64
Instruction ID: 70451986c44d33e5e69b0e0f686c4c05e8be218fad19d9264120141add040145
Opcode Fuzzy Hash: 9cb3a800b4e5433171cdfee83524aba1d0ffe5a917aa16eb1e5a6d3dafcd7e64
Instruction Fuzzy Hash: D441E823A0878245FB649B25E8113BE6651EB88BA4F344235FE6C87AF5DF3ED441C706

Function 00007FF6EBFECC10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF6EBFECD27
GetLastError.KERNEL32 ref: 00007FF6EBFECD49

Strings

U, xrefs: 00007FF6EBFECCD3

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 136ebf252562798dd94b0934f5b608a87eddbdd1c89cb1577b5bf7720501d192
Instruction ID: 746bcd6665c92fe5db3f26b029e36f7d8a6cdc3182dd92a3e51a6c7ceac41cd7
Opcode Fuzzy Hash: 136ebf252562798dd94b0934f5b608a87eddbdd1c89cb1577b5bf7720501d192
Instruction Fuzzy Hash: B0419123A19A8182DB208F25E4443FE67A1FB88794F544031EE4DC7794EF7EE441C745

Function 00007FF6EC000E88 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6EC00C3D2), ref: 00007FF6EC000ED8
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,-2723E8D8DEBC5094,00007FF6EC00C3D2), ref: 00007FF6EC000F19

Strings

csm, xrefs: 00007FF6EC000F06

Memory Dump Source

Source File: 00000000.00000002.2288962032.00007FF6EBF51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6EBF50000, based on PE: true

Associated: 00000000.00000002.2288936587.00007FF6EBF50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289049035.00007FF6EC025000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289106509.00007FF6EC080000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289138075.00007FF6EC082000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289169667.00007FF6EC085000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2289201118.00007FF6EC088000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6ebf50000_8F0oMWUhg7.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: b70c8f01ca01e1ec4819aea0aadbf8579bb2f3e39c9b562f706c3da26c2f4cc1
Instruction ID: 716416e88447e29c2c5fbe4a2a2845b12a851fef67ff705237b005ee9f0d1a24
Opcode Fuzzy Hash: b70c8f01ca01e1ec4819aea0aadbf8579bb2f3e39c9b562f706c3da26c2f4cc1
Instruction Fuzzy Hash: D4115B32608B8182EB608F15F400369B7E5FB88B88F594634DB8D47B95EF3ED651CB04

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8F0oMWUhg7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Meduza Stealer

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
8F0oMWUhg7.exe

Function 00007FF6EBFD8330 Relevance: 50.4, APIs: 19, Strings: 9, Instructions: 1376
COMMON

Function 00007FF6EBFB6350 Relevance: 46.6, APIs: 20, Strings: 6, Instructions: 1136
COMMON

Function 00007FF6EBFD5B70 Relevance: 45.7, APIs: 25, Strings: 1, Instructions: 225
windowCOMMON

Function 00007FF6EBF8D570 Relevance: 35.9, APIs: 17, Strings: 3, Instructions: 862
libraryloaderCOMMON

Function 00007FF6EBF82CA0 Relevance: 32.3, APIs: 13, Strings: 5, Instructions: 789
registryCOMMON

Function 00007FF6EBF820B0 Relevance: 28.7, APIs: 12, Strings: 4, Instructions: 684
registryCOMMON

Function 00007FF6EBFBD080 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 599
COMMON

Function 00007FF6EC00B5B0 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Function 00007FF6EBF8CA10 Relevance: 21.7, APIs: 11, Strings: 1, Instructions: 671
COMMON

Function 00007FF6EBF99F80 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 417
COMMON

Function 00007FF6EBFD4A30 Relevance: 19.9, APIs: 13, Instructions: 417
networkCOMMON

Function 00007FF6EBFCC600 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 170
COMMON

Function 00007FF6EBFB5970 Relevance: 17.8, Strings: 14, Instructions: 304
COMMON

Function 00007FF6EBFCEBF0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 194
windowCOMMON

Function 00007FF6EBFCFCA0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 226
networkCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre